
SparkCat Malware Campaign Targets Cryptocurrency Wallets

A new malware campaign, dubbed SparkCat, has been discovered that leverages a set of bogus apps on both Apple’s and Google’s respective app stores to steal victims’ mnemonic phrases associated with cryptocurrency wallets.

How the Malware Works

The malicious apps embed an optical character recognition (OCR) model that runs on the device and reads the text inside images in the victim’s photo library. Only images whose text looks like a wallet recovery phrase are selected and uploaded to a command-and-control (C2) server, where the recovered phrase is used to take over the victim’s cryptocurrency wallet.

The Role of OCR in the Malware

Kaspersky researchers Dmitry Kalinin and Sergey Puzan identified the OCR component in the SparkCat campaign. Because the model recognises text locally, a recovery phrase that a user photographed or screenshotted is extracted from the image and transmitted to the C2 server; any app that has been granted photo-library access can read such images.
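The selection step described above (OCR the library, keep only images whose text looks like a seed phrase) is the same check a defender can run over an OCR export of their own photo library to find recovery phrases that should not be there. The following is an added example written for this page; it is not code from the SparkCat apps or from Kaspersky. The wordlist subset, the sample OCR text and the helper names are constructed for the example; a real scan would load the full 2048-word BIP-39 English list.

```python
"""Heuristic detector for BIP-39-style recovery phrases in OCR output."""
import re
from typing import List, Tuple

# The real BIP-39 English wordlist has 2048 words and would be loaded from a
# file. This subset is CONSTRUCTED for the example (all entries are genuine
# BIP-39 words, but the set is deliberately tiny).
SAMPLE_WORDLIST = frozenset("""
abandon ability able about above absent absorb access acid act action actual
adapt add addict address adjust admit adult advance advice aerobic affair afford
""".split())

# Valid BIP-39 phrase lengths (entropy 128..256 bits in 32-bit steps).
VALID_LENGTHS = (12, 15, 18, 21, 24)

# OCR output often carries numbering ("1. abandon 2. ability") and stray
# punctuation; keeping only lowercase alphabetic runs strips all of that.
WORD_RE = re.compile(r"[a-z]+")


def find_phrase_candidates(
    ocr_text: str, wordlist=SAMPLE_WORDLIST
) -> List[Tuple[int, List[str]]]:
    """Return (start_token_index, words) for every maximal run of consecutive
    wordlist words whose length is a valid BIP-39 phrase length.

    Limitation (deliberate, to keep the example short): a run longer than 24
    words, e.g. a seed embedded in prose made of wordlist words, is not split
    into windows and is therefore not reported.
    """
    tokens = WORD_RE.findall(ocr_text.lower())
    candidates: List[Tuple[int, List[str]]] = []
    i, n = 0, len(tokens)
    while i < n:
        if tokens[i] not in wordlist:
            i += 1
            continue
        j = i
        while j < n and tokens[j] in wordlist:
            j += 1
        run = tokens[i:j]
        if len(run) in VALID_LENGTHS:
            candidates.append((i, run))
        i = j
    return candidates


def looks_like_seed_image(ocr_text: str, wordlist=SAMPLE_WORDLIST) -> bool:
    """True if the OCR text of one image contains at least one candidate phrase."""
    return bool(find_phrase_candidates(ocr_text, wordlist))


# CONSTRUCTED sample OCR output: a numbered backup card photographed by a user.
SAMPLE_OCR_SEED = """
Wallet backup - do not share
1. ability   2. absorb   3. access   4. acid
5. action    6. actual   7. adapt    8. addict
9. adjust   10. admit   11. adult   12. advice
photo taken 2024
"""

# CONSTRUCTED sample OCR output of an ordinary photo with a couple of
# wordlist words in it; isolated words must not trigger a hit.
SAMPLE_OCR_BENIGN = "Lunch with the team, about 12 people, above average turnout."


if __name__ == "__main__":
    for label, text in (("seed card", SAMPLE_OCR_SEED), ("benign", SAMPLE_OCR_BENIGN)):
        hits = find_phrase_candidates(text)
        print(f"{label}: {len(hits)} candidate(s)")
        for start, words in hits:
            print(f"  token {start}: {len(words)} words: {' '.join(words)}")
```

The heuristic is the same in both directions: the attacker uses it to decide which images are worth uploading, and a defender uses it to find the images that should be deleted. Run it over the text produced by any OCR tool (Tesseract, macOS Vision, Google ML Kit) rather than over the images directly.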

Similar Malware Campaigns

The SparkCat campaign is not an isolated incident. Infostealers such as Atomic and Cthulhu target users of macOS, Apple’s desktop operating system. Rather than exploiting a vulnerability, these campaigns typically abuse the legitimate AppleScript framework built into the OS to interact with the system and the user.

Abusing AppleScript

Palo Alto Networks Unit 42 researchers Tom Fakterman, Chen Erlich, and Tom Sharon have noted that infostealers frequently turn to the AppleScript framework. It provides extensive access to the operating system, and its natural-language syntax makes scripts quick to write and run. Threat actors use it to present dialogs that trick victims through social engineering, for example into typing a password into a prompt the malware controls.
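AppleScript is run from the command line through osascript, so the social-engineering prompts described above leave a recognisable process command line. The following triage helper is an added example for this page, not code from Unit 42 or from any of the stealers mentioned; the two patterns it matches are standard AppleScript constructs (a dialog with a hidden-answer text field, and a shell command requested with administrator privileges), and the sample command lines are constructed.

```python
"""Flag osascript command lines that match credential-prompt abuse patterns."""
import re
from typing import List, Optional, Tuple

# `display dialog ... with hidden answer` draws a password-style text field;
# legitimate software rarely needs it, malware uses it for fake password prompts.
FAKE_PROMPT_RE = re.compile(r"display\s+dialog\b.*\bwith\s+hidden\s+answer\b", re.S)

# `do shell script ... with administrator privileges` makes macOS itself show a
# genuine password prompt and then runs the command as root.
ADMIN_SHELL_RE = re.compile(
    r"do\s+shell\s+script\b.*\bwith\s+administrator\s+privileges\b", re.S
)


def classify_osascript(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for an osascript invocation, or None if the
    command line is not osascript at all."""
    if "osascript" not in cmdline:
        return None
    if FAKE_PROMPT_RE.search(cmdline):
        return ("high", "inline AppleScript shows a dialog with a hidden-answer field")
    if ADMIN_SHELL_RE.search(cmdline):
        return ("high", "inline AppleScript runs a shell command with administrator privileges")
    # A script file or a harmless -e snippet: worth a look, not an alert.
    return ("info", "osascript execution without known prompt-abuse pattern")


def triage(cmdlines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify_osascript over many command lines; drop non-osascript ones."""
    out = []
    for cmd in cmdlines:
        verdict = classify_osascript(cmd)
        if verdict is not None:
            out.append((cmd, verdict[0], verdict[1]))
    return out


# CONSTRUCTED sample process command lines (e.g. from an EDR process-start feed).
SAMPLE_CMDLINES = [
    "/usr/bin/osascript -e 'display dialog \"macOS needs to access System Settings\" "
    "default answer \"\" with hidden answer with title \"System Preferences\" with icon caution'",
    "/usr/bin/osascript -e 'do shell script \"cp ~/Library/Keychains/login.keychain-db /tmp/k\" "
    "with administrator privileges'",
    "/usr/bin/osascript /Users/dev/Scripts/rename-files.scpt",
    "/bin/ls -la /Users",
]


if __name__ == "__main__":
    for cmd, severity, reason in triage(SAMPLE_CMDLINES):
        print(f"[{severity}] {reason}\n    {cmd}")
```

The two high-severity rules catch the inline `-e` form; a stealer that ships the same AppleScript in a compiled `.scpt` file only produces the informational hit, so pair this with file-content inspection or with monitoring of the dialogs themselves.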

Conclusion

The SparkCat campaign highlights the importance of vigilance when installing mobile apps, even from official app stores, and of limiting the permissions they receive: a recovery phrase kept as a photo or screenshot is readable by any app granted photo-library access. It also underscores the need for robust security measures against infostealers and other types of malware.
