Official Monero Cryptocurrency Wallet Hacked And Injected With Coin-Stealing Malware


When hacking means stealing, the money is made by exploiting vulnerabilities in the entities that hold the money.

This time the victim is the privacy-focused cryptocurrency Monero, whose official website was compromised by hackers to serve a coin-stealer. The malware was delivered to users who downloaded the Monero wallet software from the site.

The supply-chain attack was first discovered when a user reported that the cryptographic hash of a CLI (Command Line Interface) wallet downloaded from the site did not match the hash listed on the page. Over the next several hours, users established that the mismatched hash was not the result of an error but was caused by malware.

Site officials later confirmed that finding.

Monero's developers and investigators acknowledged that the binaries of the CLI wallet had been compromised for a short time, saying:

"CLI binaries available on http://getmonero.org may have been compromised at some point during the last 24h. Investigations ongoing."

After analyzing the malicious Linux binary, the team found that the hackers had added a few new functions to the legitimate one.

One of the functions was called after a user opened or created a wallet. It sends the wallet seed, the cryptographic secret that gives access to the wallet's funds, to a server located at node.hashmonero.com.

The malware then sent wallet funds to the servers located at node.xmrsupport.co and 45.9.148.65.

There was also a malicious Windows version of the CLI wallet, which carried out an almost identical attack sequence.

[Image: A function that sends victims' wallet seed. (Credit: Blaze's Security Blog)]

In its warning page, Monero said that:

"It's strongly recommended to anyone who downloaded the CLI wallet from this website between Monday 18th 2:30 AM UTC and 4:30 PM UTC, to check the hashes of their binaries. If they don't match the official ones, delete the files and download them again. Do not run the compromised binaries for any reason."

CLI wallets are lightweight console programs, as opposed to GUI wallets, which have a graphical interface.

Users who downloaded binaries during that time and have not yet checked the integrity of the files should do so immediately:

"If the hashes do not match, do NOT run what you downloaded. If you have already run them, transfer the funds out of all wallets that you opened with the (probably malicious) executables immediately, using a safe version of the Monero wallet (the one online as we speak is safe — but check the hashes)."
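The check the warning above asks for, as an added example that is not part of the original article or of the Monero project's own tooling: it parses a sha256sum-style hash list, streams the downloaded file through SHA-256 and compares the digest in constant time. The filenames and hash list are constructed placeholders, and the example assumes the published list uses the "<sha256>  <filename>" layout; the list itself should be obtained from a source independent of the download (and its signature verified) so a tampered page cannot vouch for a tampered file.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample in the sha256sum-style "<sha256>  <filename>" layout; the
# filenames and the second digest are placeholders, not real Monero release hashes.
HASH_LIST = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  monero-linux-x64-example.tar.bz2
0000000000000000000000000000000000000000000000000000000000000000  monero-win-x64-example.zip
"""

def parse_hash_list(text):
    """Map filename -> expected hex SHA-256; skip lines that are not hash entries."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            expected[parts[1].lstrip("*")] = parts[0].lower()  # '*' = sha256sum binary mode
    return expected

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large wallet archive need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, hash_list_text):
    """True only if the file's SHA-256 equals the published entry for its basename.
    A file with no published hash is reported as failing: unverified means do not run."""
    expected = parse_hash_list(hash_list_text).get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)

def demo():
    """Write two constructed downloads (both containing b"abc") and verify each."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name in ("monero-linux-x64-example.tar.bz2", "monero-win-x64-example.zip"):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(b"abc")  # SHA-256 of b"abc" is the first digest in HASH_LIST
            results[name] = verify_download(path, HASH_LIST)
    return results

if __name__ == "__main__":
    print(demo())
```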
Published: 22/11/2019