SeaFlower Backdoor Targets Web3 Wallet Seed-Phrases

One of the core differences between Web3 and the Web 2.0 world is the fact that currency is central to the workflows. Tokens either directly represent digital currency, in the case of holding BTC in a wallet, or tokens like SOL and ETH may serve the dual purpose of being a speculative currency and being the payment mechanism for accessing utility from software and services built on the Solana and Ethereum blockchains. This intrinsic value creates motivation for bad actors to target points within the blockchain networks where value is concentrated.

I’ve written in the past about the security risks around bridges, which require developers to park currency as a way to move data between blockchains. Earlier this year, Confiant, a security firm that protects against bad actors in online advertising, uncovered a set of malicious activities it has labeled “SeaFlower,” that target Web3 wallet users.

According to a blog post by Taha Karim (aka @lordx64), Confiant’s Director of Threat Intelligence, the impacted wallets include iOS and Android versions of Coinbase Wallet, MetaMask, TokenPocket, and imToken. If you downloaded any of these wallets from the original developer, they are perfectly safe to use. SeaFlower is distributing compromised versions of the wallets.

What Is SeaFlower?

In Karim’s blog post, he says, “SeaFlower is a cluster of activity that we identified earlier this year in March 2022. We believe SeaFlower is the most technically sophisticated threat targeting web3 users, right after the infamous Lazarus Group.”

Confiant’s detective work discovered that SeaFlower does not modify wallet functionality in any way, but instead adds code that ultimately allows for acquiring the wallet seed phrase, which will likely result in compromised users losing any funds stored in their wallet.

User acquisition works similarly to other types of phishing attacks. SeaFlower is running ad campaigns on popular search engines with destination websites that are similar to the real company being spoofed. If you click a download button on one of those sites, you’re redirected to the fake version of the Web3 wallet app. Once the fake version is installed and you add funds, you’re compromised.

How Did Confiant Identify the Compromised Wallet Attack?

Most of the attacks targeting Web3 seed phrases are of the phishing variety, like this one Confiant highlighted back in February.

We detected a seed-phrase phishing website targeting @PegaxyOfficial !
the fake website is hosted at pegaxygame[.]com , it is a clone of the real website https://t.co/Qh8pNKbdQt . When the users tries to connect their wallet, a fake Metamask popup is shown asking for seed phrase pic.twitter.com/sDpceONVih

— ConfiantIntel (@ConfiantIntel) February 18, 2022

The SeaFlower attack is considerably more sophisticated in that the attackers reverse engineered the actual Web3 wallet software, modified the software, and then released a new version. They also fully clone the legitimate websites of the wallet software companies, which means you need to be both cautious and savvy not to get tricked.

The iOS attack uses a provisioning profile to get around needing app store approval. This results in the attacker being able to remotely manage the compromised device. In general, requesting remote management should be a huge red flag.

Detective work like this is possible in part due to the U.S. National Security Agency (NSA) providing tools like Ghidra for the purpose of software reverse engineering, which @lordx64 explicitly thanks.

Oh before i forget I want give a shoutout to @NSAGov for the #ghidra tool and the arm64 decompiler without this tool this research would’ve taken way more time tbh 💯

— bored taha (@lordx64) June 13, 2022

Karim goes into great detail in the post on the attack, including how the React Native MetaMask app was compromised. The initial backdoor is found in the MetaMask main.jsbundle. According to Karim, “This conditional backdoor code will execute anytime writeFile() is called on a file whose path contains “persist-root”. If we look at where this file is located using a real iPhone, it is stored within the MetaMask app container, it is a configuration file, containing the seed phrase encrypted amongst other runtime configuration data.”

A network request takes place immediately after the seed phrase is generated, which likely means the wallet is compromised from the very first use.

Based on Confiant’s reporting on SeaFlower, targeted users appear to be in countries where Chinese is the primary written language. That’s not to say a copycat couldn’t try a similar approach elsewhere or that there aren’t already similar bad actors operating in other markets. The Windows software market certainly sees its share of alternate versions of commercial software with malware payloads inside. The key thing to keep in mind when downloading Web3 wallets is to make sure that you are acquiring them from the original developer and not some kind of proxy site.

Be sure to give the full blog post a read — there’s a ton to learn about how this type of attack is possible. It’s also worth taking a look at Confiant’s matrix of online threat analysis, which includes a broad spectrum of threats, including some of the newer cases impacting Web3.