Pierluigi Paganini November 20, 2019

The official website of the Monero Project has been compromised to deliver a coin stealer.

The official website of the Monero Project has been compromised to deliver a cryptocurrency stealer on November 18.

The hack was discovered after a user downloaded a Linux 64-bit command line (CLI) Monero binary that was containing a coin stealer.

The user discovered that the SHA256 hash calculated for the downloaded binary did not match the SHA256 hash listed on the official site, suggesting that the two files were different likely for the presence of a malicious code.

The user reported his discovery to the Monero team that confirmed the hack today.

“Yesterday a GitHub issue about mismatching hashes coming from this website was opened. A quick investigation found that the binaries of the CLI wallet had been compromised and a malicious version was being served.” reads an advisory published by Monero on the official website. “The problem was immediately fixed, which means the compromised files were online for a very short amount of time. The binaries are now served from another, safe, source. See the reddit post by core team member binaryfate.”

The Monero team recommends users who downloaded the CLI wallet from this its official website between Monday 18th 2:30 AM UTC and 4:30 PM UTC, to check the hashes of their binaries. In case the hashes don’t match the official ones (https://getmonero.org/downloads/hashes.txt), users have to delete the files and download them again. The Monero team suggests to avoid running the compromised binaries.

Monero maintainers published the links to guides that explain how to check the authenticity of their binaries on Windows (beginner) and Verify binaries on Linux, Mac, or Windows command line (advanced).

Guides on how to check if the downloaded binaries have the corrected hashes are available for Windows here and for Linux and macOS here.

Although Windows and macOS files haven’t been reported to be compromised, users of all platforms should check the hashes for all downloaded Monero binaries since all of them could’ve been switched with malicious versions.

Monero project contributor SerHack confirmed that the tainted binary was containing a coin stealer.

moneromanz, one of the users who downloaded the compromised Monero binaries, confirmed the presence of a coin stealer.

“I can confirm that the malicious binary is stealing coins. Roughly 9 hours after I ran the binary a single transaction drained the wallet,” said moneromanz. “I downloaded the build yesterday around 6pm Pacific time.”

“I have not completed any malware analysis as of yet, but I’d like to get to the bottom of whether the binary is limited to stealing xmr, or also tries to compromise the machine as a whole or any of its files,”.

Moneromanz upload the coin stealer to “https://anonfile[.]com/bbq8h9Bdn7/monero-wallet-cli” to allow other experts to analyze it. 

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]