Official Monero Site Hacked to Distribute Cryptocurrency Stealing Malware

What an irony — someone hacked the official website of the Monero cryptocurrency project and quietly replaced legitimate Linux and Windows binaries available for download with malicious versions designed to steal funds from users' wallets.

[Image: aKMQg0e.jpg]

As the news broke, a tweet by dark.fail appeared notifying followers:
[Image: njp5Sus.png]

Following an immediate investigation, the Monero team today also confirmed that its website, GetMonero.com, was indeed compromised, potentially affecting users who downloaded the CLI wallet between Monday 18th 2:30 am UTC and 4:30 pm UTC.

At this moment, it's unclear how attackers managed to compromise the Monero website and how many users have been affected and lost their digital funds.

According to an analysis of the malicious binaries done by security researcher BartBlaze, attackers modified legitimate binaries to inject a few new functions into the software that execute after a user opens or creates a new wallet.
[Image: jUEoely.jpg]

The malicious functions are programmed to automatically steal and send users' wallet seed—sort of a secret key that restores access to the wallet—to a remote attacker-controlled server, allowing attackers to steal funds without any hassle.
Quote: "As far as I can see, it doesn't seem to create any additional files or folders - it simply steals your seed and attempts to exfiltrate funds from your wallet," the researcher said.

At least one GetMonero user on Reddit claimed to have lost funds worth $7000 after installing the malicious Linux binary.
Quote: "I can confirm that the malicious binary is stealing coins. Roughly 9 hours after I ran the binary, a single transaction drained my wallet of all $7000," the user wrote. "I downloaded the build yesterday around 6 pm Pacific time."
In The Name of Lord Rama
credits: Blaze https://bartblaze.blogspot.com/2019/11/m...mised.html 
Post on Reddit:

Github issue:

Linux binary

Thanks to user nikitasius I was able to retrieve the malicious binary:

This binary is an ELF file with the following properties:
  • MD5: d267be7efc3f2c4dde8e90b9b489ed2a
  • SHA-1: 394bde8bb86d75eaeee69e00d96d8daf70df4b0a
  • SHA-256: ab9afbc5f9a1df687558d570192fbfe9e085712657d2cfa5524f2c8caccca31
  • File type: ELF
  • Magic: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 3.2.0, from 'x)', not stripped
  • File size: 27.63 MB (28967688 bytes)
When comparing the legitimate file and this ELF file, we notice the file size is different, and a few new functions have been added:


This function is immediately called after either opening or creating a new wallet, as can be seen in Figure 1 and 2 below.
[Image: create_wallet.PNG] Figure 1 - Create wallet (legitimate)
[Image: seed.png] Figure 2 - Call new seed function

The seed will be sent to: node.hashmonero[.]com.


As you may have guessed, this function will send data off to the CC or C2 (command and control) server - this time the data is the stolen funds.
[Image: sendtocc.PNG] Figure 3 - Send to cc

Sending funds to the C2 is handled using an HTTP POST request to the following C2 servers:
  • node.xmrsupport[.]co
  • 45.9.148[.]65

As far as I can see, it doesn't seem to create any additional files or folders - it simply steals your seed and attempts to exfiltrate funds from your wallet.

Windows binary

The C2 server 45.9.148[.]65 also hosts a Windows binary with the following properties:
  • MD5: 72417ab40b8ed359a37b72ac8d399bd7
  • SHA-1: 6bd94803b3487ae1997238614c6c81a0f18bcbb0
  • SHA-256: 963c1dfc86ff0e40cee176986ef9f2ce24fda53936c16f226c7387e1a3d67f74
  • File type: Win32 EXE
  • Magic: PE32+ executable for MS Windows (console) Mono/.Net assembly
  • File size: 65.14 MB (68302960 bytes)

The Windows version is essentially doing the same things as the Linux version - stealing your seed and wallet funds - the function names are just different, e.g. _ZN10cryptonote13simple_wallet9send_seedERKN4epee15wipeable_stringE.
[Image: seed-win.PNG] Figure 4 - Send to cc

  Note: What is a hash? A hash is a unique identifier. This can be for a file, a word, ... It is preferred to use SHA256 hashes for file integrity checks.

You may also use the following Yara rule to detect the malicious or compromised binaries:
Download Yara (and documentation) from:

  • Install an antivirus, and if possible, use a firewall (free or paid is of less importance);
  • If you already use an antivirus: it may be a good idea to not exclude a specific folder in your antivirus when using Monero (or other miners), and if needed, only do so after the hashes have been verified;
  • Restore your seed or account;
  • Monitor your account/wallet for the next days and verify there have been no fraudulent transactions. Contact the Monero team for support.
Note: Especially go through the steps if at any point you downloaded, used or installed new binaries between these dates: Monday 18th 1:30 AM UTC and 5:30 PM UTC. Download the latest version from: https://web.getmonero.org/downloads/.

Monero team statement
The Monero team has issued a statement as follows:

Warning: The binaries of the CLI wallet were compromised for a short time:

I expect this statement to be updated the following days, so monitor it as well.
In The Name of Lord Rama
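As an added example, not part of the original post or of BartBlaze's write-up, the following Python turns the indicators published above (the file hashes of the two trojanised binaries, the added send_seed symbol, and the C2 hosts node.hashmonero[.]com, node.xmrsupport[.]co and 45.9.148[.]65) into two defender-side checks: a verdict on a downloaded binary (known-bad hash, suspicious embedded string, or comparison against an expected SHA-256 obtained out of band, for instance from a signed hashes list) and a scan of DNS/proxy/firewall log lines for the C2 indicators. The log formats and the "trojanised" blob are constructed for the example; the Linux SHA-256 is carried over exactly as printed in the post, where it has only 63 hex characters, so MD5 and SHA-1 are kept beside it.

```python
"""IoC checks built from the indicators in the analysis above (example code,
not part of the original post or of BartBlaze's write-up)."""
import hashlib
import re
from typing import Dict, List, Optional

# File hashes of the trojanised binaries, copied from the post. The Linux SHA-256
# is reproduced as printed there (63 hex characters, so apparently truncated); a
# real 64-character digest can never equal it, hence MD5 and SHA-1 stay alongside.
KNOWN_BAD_HASHES = {
    "linux-cli-wallet": {
        "md5": "d267be7efc3f2c4dde8e90b9b489ed2a",
        "sha1": "394bde8bb86d75eaeee69e00d96d8daf70df4b0a",
        "sha256": "ab9afbc5f9a1df687558d570192fbfe9e085712657d2cfa5524f2c8caccca31",
    },
    "windows-cli-wallet": {
        "md5": "72417ab40b8ed359a37b72ac8d399bd7",
        "sha1": "6bd94803b3487ae1997238614c6c81a0f18bcbb0",
        "sha256": "963c1dfc86ff0e40cee176986ef9f2ce24fda53936c16f226c7387e1a3d67f74",
    },
}
# Network indicators from the post, re-fanged so they match raw log text.
C2_HOSTS = {"node.hashmonero.com", "node.xmrsupport.co"}
C2_IPS = {"45.9.148.65"}
# Byte strings the analysis reports inside the binaries: the added seed-sending
# symbol (Windows build) and the C2 hostnames.
STRING_INDICATORS = {
    "send_seed symbol": b"_ZN10cryptonote13simple_wallet9send_seedERKN4epee15wipeable_stringE",
    "c2 host node.hashmonero.com": b"node.hashmonero.com",
    "c2 host node.xmrsupport.co": b"node.xmrsupport.co",
}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of an in-memory blob (lower-case hex)."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def digest_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Same digests for a file on disk, read in chunks so a 65 MB wallet binary fits."""
    hashers = {a: hashlib.new(a) for a in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_known_bad(digests: Dict[str, str]) -> List[str]:
    """Names of known-bad binaries whose published hash equals any computed digest."""
    return [name for name, bad in KNOWN_BAD_HASHES.items()
            if any(digests.get(alg) == val for alg, val in bad.items())]


def scan_strings(data: bytes) -> List[str]:
    """String indicators present in a binary's raw bytes."""
    return [name for name, needle in STRING_INDICATORS.items() if needle in data]


def verdict(data: bytes, expected_sha256: Optional[str] = None) -> str:
    """Classify a downloaded binary. expected_sha256 must come from out of band
    (e.g. a signed hashes list), never from the same possibly compromised download page."""
    d = digest_bytes(data)
    if match_known_bad(d):
        return "KNOWN_MALICIOUS"
    if scan_strings(data):
        return "SUSPICIOUS"
    if expected_sha256 is None:
        return "UNVERIFIED"
    return "OK" if d["sha256"] == expected_sha256.lower() else "HASH_MISMATCH"


HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def match_line(line: str) -> List[str]:
    """C2 indicators (host, subdomain of a host, or IP) present in one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        h = host.lower()
        if h in C2_HOSTS or any(h.endswith("." + c) for c in C2_HOSTS):
            hits.append(h)
    hits.extend(ip for ip in IP_RE.findall(line) if ip in C2_IPS)
    return hits


def scan_logs(lines: List[str]) -> List[int]:
    """Indices of log lines carrying at least one C2 indicator."""
    return [i for i, line in enumerate(lines) if match_line(line)]


# Constructed sample data for the example (not real telemetry, not a real binary).
SAMPLE_LOGS = [
    "2019-11-18T03:12:44Z dns client=10.0.0.5 query=node.hashmonero.com type=A",
    "2019-11-18T03:12:45Z proxy client=10.0.0.5 method=POST url=http://node.xmrsupport.co/ status=200",
    "2019-11-18T03:20:01Z proxy client=10.0.0.7 method=GET url=https://web.getmonero.org/downloads/ status=200",
    "2019-11-18T03:21:09Z fw action=allow src=10.0.0.5 dst=45.9.148.65 dport=80 proto=tcp",
]
FAKE_TROJANISED = b"\x7fELF" + b"\x00" * 16 + STRING_INDICATORS["send_seed symbol"]

if __name__ == "__main__":
    print(verdict(FAKE_TROJANISED))  # SUSPICIOUS
    print(scan_logs(SAMPLE_LOGS))    # [0, 1, 3]
```

Run `verdict(digest_file(path))`-style checks on the file you actually executed, not on a fresh download, and treat a HASH_MISMATCH or SUSPICIOUS result the same way the recommendations above treat a known-bad hash: move the seed to a fresh wallet and review the transaction history.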
