A malicious campaign dubbed PoisonSeed is leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases in an attempt to drain victims’ digital wallets.
“Recipients of the bulk spam are targeted with a cryptocurrency seed phrase poisoning attack,” Silent Push said in an analysis. “As part of the attack, PoisonSeed provides security seed phrases to get potential victims to copy and paste them into new cryptocurrency wallets for future compromising.”
Targets of PoisonSeed include enterprise organizations and individuals outside the cryptocurrency industry. Crypto companies like Coinbase and Ledger, and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho are among the targeted crypto companies.
The activity is assessed to be distinct from two loosely aligned threat actors Scattered Spider and CryptoChameleon, which are both part of a broader cybercrime ecosystem called The Com. Some aspects of the campaign were previously disclosed by security researcher Troy Hunt and Bleeping Computer last month.
The attacks involve the threat actors setting up lookalike phishing pages for prominent CRM and bulk email companies, aiming to trick high-value targets into providing their credentials. Once the credentials are obtained, the adversaries proceed to create an API key to ensure persistence even if the stolen password is reset by its owner.
In the next phase, the operators export mailing lists likely using an automated tool and send spam from those compromised accounts. The post-CRM-compromise supply chain spam messages inform users that they need to set up a new Coinbase Wallet using the seed phrase embedded in the email.
The end goal of the attacks is to use the same recovery phrase to hijack the accounts and transfer funds from those wallets. The links to Scattered Spider and CryptoChameleon stem from the use of a domain (“mailchimp-sso[.]com”) that has been previously identified as used by the former, as well as CryptoChameleon’s historical targeting of Coinbase and Ledger.
That said, the phishing kit used by PoisonSeed does not share any similarity with those used by the other two threat clusters, raising the possibility that it’s either a brand new phishing kit from CryptoChameleon or it’s a different threat actor that just happens to use similar tradecraft.
The development comes as a Russian-speaking threat actor has been observed using phishing pages hosted on Cloudflare Pages.Dev and Workers.Dev to deliver malware that can remotely control infected Windows hosts. A previous iteration of the campaign was found to have also distributed the StealC information stealer.
“This recent campaign leverages Cloudflare-branded phishing pages themed around DMCA (Digital Millennium Copyright Act) takedown notices served across multiple domains,” Hunt.io said.
“The lure abuses the ms-search protocol to download a malicious LNK file disguised as a PDF via a double extension. Once executed, the malware checks in with an attacker-operated Telegram bot-sending the victim’s IP address-before transitioning to Pyramid C2 to control the infected host.”
