A malicious campaign named PoisonSeed is compromising accounts tied to customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases in an attempt to drain victims' digital wallets.
"Recipients of the bulk spam are targeted with a cryptocurrency seed phrase poisoning attack," Silent Push noted in its analysis. "As part of the attack, PoisonSeed provides security seed phrases to get potential victims to copy and paste them into new cryptocurrency wallets for future compromise."
Targets of PoisonSeed include enterprise organizations and individuals outside the cryptocurrency industry. Crypto companies such as Coinbase and Ledger, and bulk email providers such as Mailchimp, SendGrid, HubSpot, Mailgun and Zoho, are among the targeted crypto companies.
The activity is assessed to be distinct from two loosely aligned threat actors, Scattered Spider and CryptoChameleon, which are part of a broader cybercrime ecosystem known as The Com. Some aspects of the campaign were previously disclosed by security researcher Troy Hunt and BleepingComputer last month.
The attacks involve the threat actors setting up phishing pages for prominent email providers, aimed at tricking high-value targets into providing their credentials. Once the credentials are obtained, the adversaries proceed to create an API key to ensure persistence, even if the stolen password is reset by the account owners.
In the next step, the operators export the mailing lists, probably using an automated tool, and send spam from the compromised accounts. The spam messages sent after the CRM compromise inform users that they need to set up a new Coinbase wallet using a seed phrase included in the email.
The ultimate goal of the attacks is to use the same recovery phrase to hijack the wallets and transfer funds out of them. The links to Scattered Spider and CryptoChameleon stem from the use of a domain ("mailchimp-sso[.]com") previously identified as used by the former, as well as CryptoChameleon's historical targeting of Coinbase and Ledger.
That said, the phishing kit used by PoisonSeed does not share any resemblance to those used by the two other threat clusters, which suggests that it is either a brand new phishing kit from CryptoChameleon, or another threat actor that simply uses a similar playbook.
The development comes as a Russian-speaking threat actor has been observed using phishing pages hosted on cloudflare.dev and workers.dev to deliver malware capable of remotely controlling infected Windows hosts. An earlier iteration of the campaign was found to have distributed stealer malware.
"This recent campaign uses Cloudflare-branded phishing pages, themed around the DMCA (Digital Millennium Copyright Act)," the analysis noted.
"The lure abuses the ms-search protocol to download a malicious LNK file disguised as a PDF via a double extension. Upon execution, the malware checks in with an attacker-operated Telegram bot, exfiltrating the victim's IP address, before transitioning to Pyramid C2 to manage the infected host."