
Nasty Electrum Botnet Steals Bitcoin Over $4.6 Million

An ongoing attack campaign against the Electrum bitcoin wallet infrastructure shows no sign of stopping: the actor behind it keeps sharpening their tactics, and the botnet now numbers almost 150,000 infected users, raising the amount of stolen user funds to USD 4.6 million.

Since at least late December 2018, many users of the popular Electrum Bitcoin wallet have fallen victim to a series of phishing attacks by a team of cybercriminals exploiting a vulnerability in Electrum wallets to trick unsuspecting users into downloading backdoored versions of the software.

Electrum fake notification injected into the legitimate wallet app

In brief, the attackers added malicious servers to the Electrum peer network, designed to deliberately display an error message to legitimate Electrum wallet apps urging users to download a malicious wallet software "update" from an unofficial GitHub repository.
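The lure described above arrives as an error string supplied by an untrusted server. The following added example (not Electrum's own code) shows how a client can triage such a string before anything reaches the user: it assumes JSON-RPC responses of the shape shown in the constructed samples, treats any link, markup or "update" wording as a red flag, and never displays the server text verbatim.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample responses (not captured traffic). Electrum speaks JSON-RPC
# to its servers, so a failed request comes back with an "error" object whose
# "message" is attacker-controlled text when the server is malicious.
BENIGN = ('{"jsonrpc": "2.0", "id": 7, "error": {"code": 1, '
          '"message": "the transaction was rejected by network rules"}}')
LURE = ('{"jsonrpc": "2.0", "id": 7, "error": {"code": 1, "message": '
        '"Your client is out of date! <a href=\\"https://github.com/'
        'example-unofficial/electrum/releases\\">Download the update</a>"}}')

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")
LURE_WORDS = ("update", "download", "upgrade", "install")
OFFICIAL_HOSTS = {"electrum.org", "www.electrum.org"}  # assumption: sole update source


def triage_server_error(raw):
    """Return (display_text, findings) for one raw server response; the
    server-supplied message is never passed through to the UI verbatim."""
    findings = []
    try:
        msg = json.loads(raw)
    except ValueError:
        return "Server returned an unreadable response.", ["malformed-json"]
    err = msg.get("error")
    if not isinstance(err, dict):
        return "", findings  # success response, nothing to triage
    text = str(err.get("message", ""))
    urls = URL_RE.findall(text)
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host not in OFFICIAL_HOSTS:
            findings.append("unofficial-url:" + host)
    if TAG_RE.search(text):
        findings.append("html-markup")
    if urls and any(word in text.lower() for word in LURE_WORDS):
        findings.append("update-lure")
    if findings:
        display = ("The server sent an error containing links or markup; it was "
                   "not displayed. Get updates only from electrum.org.")
    else:
        display = "The server reported an error (message withheld, see log)."
    return display, findings
```

Running `triage_server_error` over the two samples flags the lure on all three counts and leaves the benign rejection with no findings, while both are replaced by fixed client-side wording.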

The attack eventually netted the attackers well over 771 Bitcoins, an amount equivalent to approximately $4 million USD at current exchange rates. To protect Electrum users, the developers behind Electrum decided to exploit the same flaw in their own software in order to redirect users to download the latest patched version.

Electrum servers are currently under a DoS attack. We are working on a more robust version of the electrum server. In the meantime, affected users should disable auto-connect, and select their server manually.

Electrum developers' tweet

Shortly after, a botnet launched distributed denial-of-service (DDoS) attacks against legitimate Electrum servers, believed to be retaliation against the developers for trying to fix the bug. The attackers reversed the scenario: legitimate nodes became so overwhelmed that older clients had to connect to malicious nodes.

According to Malwarebytes Labs, the number of infected machines that downloaded the malicious client software and are unwittingly participating in the DDoS attacks has reached 152,000, up from less than 100,000 a week earlier.

We have been able to correlate two distribution campaigns (RIG exploit kit and Smoke Loader) that are fueling this botnet by dropping malware we detect as ElectrumDoSMiner. Now, we have just identified a previously undocumented loader we call Trojan.BeamWinHTTP that is also involved in downloading ElectrumDoSMiner (transactionservices.exe).

Malwarebytes Labs concludes that the attacker is dropping more malware to expand the attacks.

According to the researchers, the largest concentrations of Electrum DDoS bots are located in the Asia Pacific region (APAC), Brazil and Peru, and the botnet is continually growing.

World map showing presence of bots part of the Electrum DDoS botnet

Since updated versions of Electrum are no longer vulnerable to the phishing attack, users are advised to update their wallet apps to the latest version (3.3.4) by downloading it from the official site.

Electrum users can also configure a Ledger or Trezor hardware wallet as a multisig device while operating Electrum. This adds another layer of security when transacting.

Trezor Multisig w/ Electrum
