Backdoored cryptocurrency software found serving AZORult malware

Windows client for Denarius cryptocurrency found compromised, but clues suggest the same hackers also backdoored many more other cryptocurrency software clients over the past few months.

EXCLUSIVE --Hackers have compromised the GitHub account of the Denarius cryptocurrency project lead and have backdoored the Windows client with the AZORult infostealer malware.

The compromised Denarius cryptocurrency client --which node operators run on their servers to support the Denarius blockchain-- was spotted earlier today by a security researcher named Misterch0c, who alerted ZDNet.


ZDNet independently confirmed the researcher's findings with the help of RiskIQ threat researcher Yonathan Klijnsma.

Carsen Klock, the top dev behind the Denarius cryptocurrency, said the incident occurred because he reused an older password to secure his GitHub account.

This allowed a hacker to silently access his GitHub account and upload a backdoored version of the Denarius Windows client --version 3.3.6, released on January 22.

According to Misterch0c and Klijnsma, this file (VirusTotal link) was a modified Denarius client installer that installed a version of the AZORult malware.

"The .bat file is started, which will start the other bins in sequence, with the smaller one being AZORult," Klijnsma said after analyzing the backdoored Denarius installer.

AZORult malware inside the Denarius client installer

Image: Yonathan Klijnsma

Once installed on a user's computer, AZORult can steal a vast array of user data, such as browser passwords, browser cookies, passwords for FTP clients, chat histories, and most importantly, wallet database files from popular cryptocurrency clients.

Misterch0c told ZDNet that all the data collected from infected users would then be sent to a command and control (C&C) located at 51.15.243.101.

After looking up the IP address in RiskIQ's huge database of historical threat intelligence data, Klijnsma told ZDNet that 51.15.243.101 had hosted an AZORult control panel since July 2018.
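The one network indicator the article gives is the C&C address 51.15.243.101, and since RiskIQ saw it active from July 2018, a defender checking for exposure would want to sweep historical egress logs back that far, not just the days after the January 22 release. The script below is an added example, not code from the article or the Denarius project: it matches a constructed set of syslog-style firewall lines (the log format and sample addresses are assumptions) against that indicator on the exact destination field, so a neighbouring address such as 51.15.243.1 does not produce a false hit, and reports each internal host's first contact and how many of its flows were actually allowed out.

```python
import re
from collections import defaultdict

# Indicator from the article: the AZORult C&C that RiskIQ observed
# hosting a control panel since July 2018.
AZORULT_C2 = {"51.15.243.101"}

# Constructed sample firewall log lines (syslog-like; not real data).
SAMPLE_LOGS = """\
2019-01-23T10:02:11Z fw01 ACCEPT src=10.0.5.17 dst=151.101.1.69 dport=443
2019-01-23T10:05:40Z fw01 ACCEPT src=10.0.5.17 dst=51.15.243.101 dport=80
2019-01-23T10:05:41Z fw01 ACCEPT src=10.0.5.17 dst=51.15.243.101 dport=80
2019-01-23T11:14:02Z fw01 DROP src=10.0.7.3 dst=51.15.243.101 dport=443
2019-01-24T08:30:00Z fw01 ACCEPT src=10.0.9.9 dst=51.15.243.1 dport=80
"""

# Assumed log layout: "<iso-timestamp> <host> <ACTION> src=.. dst=.. dport=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def find_c2_contacts(log_text, iocs=AZORULT_C2):
    """Return {src_ip: {"first_seen": ts, "count": n, "accepted": n}} for
    internal hosts whose traffic was destined for a known C&C address.
    Matching the whole dst field avoids prefix hits such as 51.15.243.1."""
    hits = defaultdict(lambda: {"first_seen": None, "count": 0, "accepted": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dst"] not in iocs:
            continue
        rec = hits[m["src"]]
        rec["count"] += 1
        if m["action"] == "ACCEPT":
            rec["accepted"] += 1
        # ISO-8601 UTC timestamps sort correctly as strings.
        if rec["first_seen"] is None or m["ts"] < rec["first_seen"]:
            rec["first_seen"] = m["ts"]
    return dict(hits)


if __name__ == "__main__":
    for host, rec in sorted(find_c2_contacts(SAMPLE_LOGS).items()):
        print(f"{host}: first seen {rec['first_seen']}, {rec['count']} flows, "
              f"{rec['accepted']} accepted")
```

A host with accepted flows to the address is the one to pull for wallet-file and credential exposure; a dropped flow still shows the installer ran.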

AZORult control panel

Image: Yonathan Klijnsma

Another security researcher who managed to gain access to the malware's C&C server claimed the backdoored Denarius installer infected roughly 3,200 users.

According to Misterch0c, this IP address was also linked to other malware samples, all of which appeared to be backdoored cryptocurrency software, and all of which communicated with this same domain.

This appears to be a very well-organized hacking spree that targeted cryptocurrency aficionados by backdooring cryptocurrency node clients and wallet apps.

One of the cryptocurrencies included in Misterch0c's list is New York Coin (NYC), which admitted two weeks ago that a 51% attack carried out in October was most likely caused by malware that was slipped into its wallets before the attack.

The New York Coin 51% attack resulted in hackers taking control of more than half of all NYC blockchain nodes and using this superior position to issue and immediately confirm illicit transactions that siphoned NYC coins from the wallets of the Trade Satoshi cryptocurrency exchange. Trade Satoshi later delisted New York Coin from its index following this attack.

After being contacted by ZDNet and Misterch0c, Klock, the main Denarius dev, removed the backdoored Windows client from the currency's official GitHub account before this article's publication. At the time of writing, there have not been any 51% attacks against the Denarius blockchain.

Nonetheless, AZORult is such an intrusive threat, able to collect all sorts of data such as passwords, cookies, and wallet files, that there is no reason to assume the hacker group behind this spree acted in the same way after every compromised cryptocurrency software client.

In many cases, they might have been satisfied with emptying out the wallets of users who installed any of the other backdoored clients, rather than taking over an entire blockchain to defraud cryptocurrency exchanges.

Article updated with victim count tweet.