Incident Score: Analysis & Impact (ESPLED1776435883)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Supply Chain Compromise (T1195) with high confidence (95%), with evidence including counterfeit Ledger Nano S Plus hardware wallets sold on a Chinese marketplace, and tampered hardware, trojanized software and Phishing: Spearphishing Link (T1566.001) with high confidence (90%), supported by evidence indicating shipped with a QR code directing users to a cloned phishing site. Under the Execution tactic, the analysis identified User Execution: Malicious File (T1204.002) with high confidence (90%), supported by evidence indicating trojanized Ledger Live app downloaded from phishing site and Command and Scripting Interpreter: Python (T1059.006) with moderate to high confidence (70%), supported by evidence indicating fake firmware labeled Nano S+ V2.1 impersonating legitimate update. Under the Persistence tactic, the analysis identified Pre-OS Boot: System Firmware (T1542.001) with moderate to high confidence (85%), supported by evidence indicating original secure element chip replaced with ESP32-S3 microcontroller and Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) with moderate to high confidence (70%), supported by evidence indicating cross-platform malware distributed across Android, Windows, macOS, iOS. Under the Privilege Escalation tactic, the analysis identified Abuse Elevation Control Mechanism: Setuid and Setgid (T1548.001) with moderate confidence (60%), supported by evidence indicating fake Ledger Live app bypassed security warnings with hardcoded Genuine Check. Under the Defense Evasion tactic, the analysis identified Masquerading: Match Legitimate Name or Location (T1036.005) with high confidence (95%), supported by evidence indicating packaging appeared authentic, same price as official Ledger store, Subvert Trust Controls: Code Signing (T1553.002) with high confidence (90%), supported by evidence indicating iOS variant spread via Apple’s TestFlight to evade App Store reviews, and Indicator Removal: Timestomp (T1070.006) with moderate to high confidence (70%), supported by evidence indicating eSP32-S3 microcontroller markings scraped off to avoid detection. Under the Credential Access tactic, the analysis identified Input Capture: Keylogging (T1056.001) with high confidence (95%), supported by evidence indicating every PIN entry and seed phrase was stored in plaintext and Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) with moderate confidence (60%), supported by evidence indicating wiFi/Bluetooth antenna included in counterfeit device. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%), supported by evidence indicating wallet data exfiltrated upon use, seed phrases stored in plaintext. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with high confidence (90%), supported by evidence indicating data transmitted to attacker-controlled C2 servers (kkkhhhnnn.com) and Non-Application Layer Protocol (T1095) with moderate to high confidence (70%), supported by evidence indicating wiFi/Bluetooth antenna in counterfeit device. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (95%), supported by evidence indicating pIN entries and seed phrases transmitted to C2 servers. Under the Impact tactic, the analysis identified Resource Hijacking (T1496) with high confidence (90%), supported by evidence indicating cryptocurrency drained across 20 blockchains, $9.5M financial loss. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.