Criminals are mailing altered Ledger devices to steal cryptocurrency: looks like the added USB flash card is from Intenso
Posted by jpluimers on 2021/06/28
Last week, Bleeping Computer wrote about [Wayback] Criminals are mailing altered Ledger devices to steal cryptocurrency:
Scammers are sending fake replacement devices to Ledger customers exposed in a recent data breach that are used to steal cryptocurrency wallets.
The fake Ledger hardware wallet has a piggyback USB flash device on it (image from Mike):
[Archive.is] _MG_ on Twitter: “Malicious hardware implant in the wild! I helped @LawrenceAbrams dig into this. It’s a hardware wallet with a malicious implant added. It’s being mailed to targets. Read about it here: “
This week, Jilles opened up a bunch of USB flash devices to compare them with the pictures of the fake Ledger hardware wallet, where Mike noted that it was likely an Intenso device. It all started with a compliment:
- [Archive.is] Jilles on Twitter: “Wow, I feel exposed. I have used the exact same hardware on a totally different device for a crafted implant on a red team assignment. Nearly undetectable for unaware users. Kudos for the analyses @_MG_ !… “
- [Archive.is] Jilles on Twitter: “I am (very) familiar with @_MG_’s amazing work. I love how he got back on certain people stealing ideas, how he enables people soldering their own kits, how his wife was part of the production line, how he kept improving functionality and the collaboration with @hak5darren.… “
- [Archive.is] Jilles on Twitter: “got it… “
- [Archive.is] _MG_ on Twitter: “Nice. That “Intenso” is a dead match. The one I cracked open for the video on Hak5 was just the closest thing I could find on Amazon with next day delivery.… “
I reacted that earlier this year, I had an Intenso device die that was the boot stick for an ESXi server, which after booting (once in months at most) only does read-only access to it. If I find it again (I might have ditched it), I will open it up and post pictures.
[Wayback] Jeroen Wiert Pluimers on Twitter: “Note I had one of these Intenso sticks die in an ESXi server: it was just the boot stick, so no writes at all. “
Anyway, this was the one that died (maybe because it was very cheap):
- ~USD 15 at amazon.com: [Archive.is] Amazon.com: Intenso Micro Line 32GB Stick 2.0 USB: Computers & Accessories
- ~EUR 5 Amazon.de: [Archive.is] Intenso Micro Line 32 GB USB-Stick USB 2.0 schwarz: Amazon.de: Computer & Zubehör
According to [Wayback] USB Sticks | Intenso, these devices are manufactured by or for this German company:
Intenso International GmbH
Gutenbergstraße 2
49377 Vechta, Germany
Indeed, while figuring out the type of USB PCB, Jilles and Mike had already concluded that opening up the device could give an indication of what geographic region or what era these fakes might originate from:
- [Archive.is] _MG_ on Twitter: “Oh sure. You know how much I want to find exact matches though :) Though, in this case it may point toward the country of origin of whoever built it.… “
- [Archive.is] Jilles on Twitter: “Yeah or to a specific decade the hardware implant was bought in. The Kingston’s are 10 years old for instance. And they come with markings on the module.… https://t.co/mMNp00qLke”
Meta-information is information too, and especially important in forensics.
Fake Ledger hardware wallet video
Mike also created a video. It is below the signature.
This was the tweet about it: [Archive.is] _MG_ on Twitter: “I sat down and walked through the Ledger Wallet implant. From phish, to Amazon poisoning attack, to implant, and what’s next. “
Attribution
As Jilles mentioned, attribution is important, though both Mike and Jilles hardly see that with red teams. So thanks Mike and Jilles for doing the grunt work.
[Archive.is] Jilles on Twitter: “Thanks @_MG_! One of the hard things about creating cool stuff for red teams is that you usually cannot share what epic stuff you did, apart from your team and the client. Unless… You see one of your methods in the wild. And really love the tiny USB modules being used here.… https://t.co/Cs4rzvuNrT”
[Archive.is] Jilles on Twitter: “I have actually been working on assignments where attribution, purpose and forensics of discovered implants had to take place. Not a red team exercise.… “
–jeroen