Over 152K Electrum-Using Machines Used in Botnet for DDoS Attacks

electrum-machines-botnet-ddos-attacksMalicious actors behind the distributed denial of service (DDoS) attacks against Electrum Bitcoin wallet users were seen switching to a new malware loader. The attacks previously used SmokeLoader and Rig exploit kit in the distribution campaigns.

Researchers from Malwarebytes Labs estimate that the stolen funds from Electrum’s infrastructure have reached $4.6 million. The botnet used to launch the DDoS attacks was initially detected to have just below 100,000 compromised machines, but an online tracker that monitors clients attacking electrumx servers detected that number rising to over 152,000 the next day. Notably, the botnet is only comprised of Windows machines.

The trojan ElectrumDoSMiner used to flood Electrum nodes with requests was seen being distributed through a new malware loader, which the researchers dubbed BeamWinHTTP (detected by Trend Micro as Trojan.Win32.CHAPAK.F). The number of malicious binaries designed to download the ElectrumDoSMiner is in the hundreds.

The DDoS attacks reportedly came after users were prompted to download a bogus update that consequently stole their cryptocurrencies. Presumably, this was the Electrum version 3.3.3 that was vulnerable to a phishing attack. Electrum developers have since released 3.3.4 to fix the issue.

The researchers’ analysis of IP addresses revealed that the Asia-Pacific region (APAC) and South America (Brazil and Peru in particular) have the most infected machines used in the Electrum DDoS botnet. The Trend Micro™ Smart Protection Network™ infrastructure, incidentally, detected the most DDoS-related attacks in Asia and the Americas (89% and 4% respectively) in the first quarter of 2019. Botnet malware, additionally, isn't a novel threat. We have seen also in the past quarter malware like AZORult, Amadey, Vidar, and SmokeLoader that are typically used in botnets and distributed by exploit kits.

Defending against botnet-related attacks

Slowdowns in internet speed could be a sign that a system is being used by a botnet. We highly recommend that users update all connected devices to their latest versions and avoid unintended exposure by following these security practices:

  • Enable the firewall for added protection and use the Wi-Fi Protected Access II (WPA2) security protocol.
  • Enable password protection for all applicable devices.
  • Modify default settings according to features that best suit user needs while keeping privacy and security intact.
  • Regularly check DNS settings to spot any indicators of suspicious activity in the network.
  • Replace factory default passwords with strong, complex ones to avoid botnets that use brute-force or dictionary attacks.

Indicators of Compromise (IoCs):

Trojan.BeamWinHTTP (detected as Trojan.Win32.CHAPAK.F):


ElectrumDoSMiner infrastructure:

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.