When hacking is about stealing, the money is made by compromising the entities that hold it.
This time the victim is the privacy-focused cryptocurrency Monero, whose official website was compromised by attackers to distribute a coin-stealer. The malware was then delivered to users who were downloading the Monero wallet software.
The supply-chain attack was first discovered when a user reported that the cryptographic hash of a CLI (Command Line Interface) wallet downloaded from the site didn't match the hash listed on the page. Over the next several hours, users discovered that the mismatched hash wasn't the result of an error but was caused by malware.
Site officials later confirmed that finding.
Monero's developers and investigators acknowledged that the binaries of the CLI wallet had been compromised for a short time, saying that:
After analyzing the malicious Linux binary, the team found that the hackers had added a few new functions to the legitimate one.
One of the functions was called after a user opened or created a new wallet. It sends the wallet seed - the cryptographic secret used to access wallet funds - to a server located at node.hashmonero.com.
The malware then sent wallet funds to servers located at node.xmrsupport.co and 45.9.148.65.
There was also a malicious Windows version of the CLI wallet, which carried out an almost identical attack sequence.
In its warning page, Monero said that:
CLI wallets are lightweight console programs, as opposed to GUI wallets, which have a graphical interface.
Users who downloaded binaries during that time and failed to check the integrity of the files should do so immediately:
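The check that exposed this attack, a downloaded file's digest compared against the published hash list, as an added example (not Monero's own tooling); the archive name, the file contents and the published digest line are all constructed here, and the example assumes the hash list was fetched and its signature verified separately:

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def parse_hash_list(text):
    """Parse sha256sum-style 'digest  filename' lines into {filename: digest}."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            expected[Path(parts[-1]).name] = parts[0].lower()
    return expected

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, published_text):
    """Return (status, actual_digest); status is 'ok', 'mismatch' or 'unlisted'."""
    listed = parse_hash_list(published_text).get(Path(path).name)
    actual = sha256_file(path)
    if listed is None:
        return "unlisted", actual          # file not covered by the list at all
    if hmac.compare_digest(actual, listed):
        return "ok", actual
    return "mismatch", actual              # what the reporting user saw

def demo():
    """Constructed clean build and a tampered copy, checked against one published digest."""
    clean = b"monero-wallet-cli: constructed stand-in for the real binary\n"
    tampered = clean + b"constructed extra bytes standing in for injected code\n"
    with tempfile.TemporaryDirectory() as d:
        archive = Path(d) / "monero-linux-x64-cli.tar.bz2"   # constructed name
        # The published list carries the digest of the clean build (constructed here).
        published = f"{hashlib.sha256(clean).hexdigest()}  {archive.name}\n"
        archive.write_bytes(clean)
        ok_status, _ = verify_download(archive, published)
        archive.write_bytes(tampered)
        bad_status, _ = verify_download(archive, published)
        return ok_status, bad_status

if __name__ == "__main__":
    print(demo())  # ('ok', 'mismatch')
```

A `mismatch` result is the signal the first reporting user acted on; `unlisted` means the list does not cover that file name at all and the download should be treated as unverified.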