Overview

This is a unique looking crypto stealer that appears to have been built custom to target a hardware wallet.

Sample

  • 3333e2846173468a7bf9dc859e2a0418a4bf1a2840802b397463fce5398fb6d3 (UnpacMe)

References

Analysis

  • The sample is .NET
  • The sample name is Ledger Lives.exe, which is possibly an attempt to mimic the wallet software
  • The following PDB path is used: C:\Users\Kernel32\source\repos\Ledger Lives\Ledger Lives\obj\Release\Ledger Lives.pdb
  • Persistence via the run key "Software\\Microsoft\\Windows\\CurrentVersion\\Run" using the value name "Realter HD Audio"
  • Can take a screenshot (saved to screen.png); currently unused
  • There is no mechanism to prevent multiple instances of the malware from running (no mutex)

C2

  • 94.142.138.148 port 8080

Wallet Attack

  • Uses a process watch thread to identify when the Ledger Live process is launched
  • The real Ledger Live process is killed and a message box indicating an error is shown: "Firmware verification error, emergency restart"
  • The app then uses a fake Ledger Live recovery screen to trick the user into plugging in their wallet USB (not actually required for the attack)
  • The following WMI query is used to wait for the USB to be plugged in: SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_PnPEntity'
    • This does not require a Ledger USB device to be connected; any USB device will satisfy the query
  • Once a USB device is attached the app tricks the user into entering their secret recovery phrase
  • The recovery phrase is then sent to the C2
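A defender-side string scan for the indicators listed above, added here as an example and not part of the original write-up. It assumes the strings appear in the binary exactly as quoted, with the PDB path stored as ASCII in the CodeView debug record and the .NET string literals stored as UTF-16LE in the #US heap, so each indicator is searched in both encodings; the sample bytes are constructed, not taken from the real file.

```python
# Added example: scan a file's bytes for the indicators quoted in the analysis.
# .NET string literals live in the #US heap as UTF-16LE, while the PDB path in
# the CodeView debug record is stored as ASCII, so both encodings are checked.
from typing import Dict, List

# Indicators quoted in the write-up above.
INDICATORS: Dict[str, str] = {
    "pdb_path": r"C:\Users\Kernel32\source\repos\Ledger Lives\Ledger Lives\obj\Release\Ledger Lives.pdb",
    "run_value_name": "Realter HD Audio",
    "wmi_usb_query": "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_PnPEntity'",
    "fake_error_msgbox": "Firmware verification error, emergency restart",
    "c2_address": "94.142.138.148",
}


def encodings(text: str) -> Dict[str, bytes]:
    """Byte forms a string literal may take inside a PE/.NET file."""
    return {"ascii": text.encode("ascii"), "utf16le": text.encode("utf-16-le")}


def scan(data: bytes) -> Dict[str, List[str]]:
    """Map each matched indicator name to the encodings it was found in."""
    hits: Dict[str, List[str]] = {}
    for name, text in INDICATORS.items():
        found = [enc for enc, needle in encodings(text).items() if needle in data]
        if found:
            hits[name] = found
    return hits


def is_suspicious(hits: Dict[str, List[str]]) -> bool:
    """Flag when at least two distinct indicators match (reduces single-string noise)."""
    return len(hits) >= 2


# Constructed sample (hypothetical, not the real binary): an ASCII CodeView-style
# PDB path plus two UTF-16LE literals, separated by filler bytes.
SAMPLE = (
    b"\x00" * 16
    + INDICATORS["pdb_path"].encode("ascii")
    + b"\x00" * 8
    + INDICATORS["wmi_usb_query"].encode("utf-16-le")
    + b"\x00" * 8
    + INDICATORS["run_value_name"].encode("utf-16-le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for name, encs in scan(SAMPLE).items():
        print(f"{name}: {', '.join(encs)}")
    print("suspicious:", is_suspicious(scan(SAMPLE)))
```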

Delivery

According to UnpacMe SourceIntel, the sample was downloaded from a (likely compromised) WordPress directory: https://whitecatcorn.com/wp-content/themes/valerielite/13.exe. According to OSINT from URLhaus, LummaStealer was also downloaded from the same WordPress directory: https://whitecatcorn.com/wp-content/themes/valerielite/updates_installer.exe (hash 9648c6034468d7ee150c2b9b2ce088c14793e1ddf235d596ce14ef754e7d1e9f).

It is possible that the LummaStealer operator observed evidence of Ledger Live on a victim and then deployed this targeted Ledger Live stealer. The stealer shows signs of hasty development (spelling errors, unimplemented features, lack of error checking, etc.). This, coupled with the lack of a mutex, suggests that the malware was developed for a specific use case, and possibly a specific target.