The official site of Monero was found compromised after the discovery of a coin-stealer in its Linux 64-bit command line interface (CLI) that account owners can download from the site (http://getmonero.org).
The user who first discovered the malware noticed that the SHA256 hash of the downloaded CLI wallet did not match the one listed on the site, indicating that the file was tampered with. The user posted this on GitHub. The Monero team has confirmed that the site was indeed compromised, and is conducting an investigation.
The compromise happened within 24 hours before the initial discovery, dating it to November 18. The Monero Core Team recommends that users who downloaded binaries from the said site during this period should immediately check the integrity of the downloaded files. If the hashes do not match official ones as listed in their provided text, users must not run the binaries under any circumstance. And if they have already done so, transfer their funds immediately.
The Monero team has set up a secure fallback server to deliver the binaries for their account owners to download during the ongoing investigation. It is still unclear how many users had their funds stolen because of the malicious binaries. But one user did attest that his wallet was emptied by a single transaction within hours after downloading and running the binary.
Because of this case, users are reminded to double-check downloaded files before running them as a security precaution. Monero has published a guide for Linux, Windows, and Mac users to verify the validity of their downloaded binaries.
This case shows how cybercriminals continue to find lucrative opportunities from cryptocurrency mining activities. By spreading such mining malware, they utilize the resources of other processors or devices to mine cryptocurrency, unknown to users who may not be mining themselves.
Trend Micro’s midyear security report showed a decline in the number of cryptocurrency mining malware detections. However, this could also indicate that threat actors are trying more sophisticated routines and refining attack techniques.
In contrast, cybercriminals behind this recent attack targeted users who actively use trading platforms, rather than finding a way to maliciously mine, demonstrating how they could use different methods to profit from cryptocurrency mining.
Users who actively use trading platforms — and even those who don’t — should be wary of threats related to cryptocurrency-mining. Here are some ways to defend against such techniques:
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.