{"id":15103,"date":"2019-04-16T08:10:08","date_gmt":"2019-04-16T16:10:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/04\/16\/news-8852\/"},"modified":"2019-04-16T08:10:08","modified_gmt":"2019-04-16T16:10:08","slug":"news-8852","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/04\/16\/news-8852\/","title":{"rendered":"Electrum Bitcoin wallets under siege"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Tue, 16 Apr 2019 15:00:00 +0000<\/strong><\/p>\n

By Adam Thomas, with additional contributions from J\u00e9r\u00f4me Segura, Vasilios Hioueras and S!Ri<\/em><\/p>\n

Since at least late December 2018, many users of the popular Electrum Bitcoin wallet<\/a> have fallen victim to a series of phishing attacks, which we estimate netted crooks well over 771 Bitcoins\u2014an amount equivalent to approximately $4 million USD at current exchange rates. <\/p>\n

Threat actors were able to trick users into downloading a malicious version of the wallet by exploiting a weakness in the Electrum software.<\/p>\n

As a result, in February<\/a> the developers behind Electrum decided to exploit the same flaw in their own software in order to redirect users to download the latest patched version. The software was in such trouble that in March<\/a>, developers began exploiting another vulnerability unknown to the public, essentially attacking vulnerable clients to keep them from connecting to bad nodes.<\/p>\n

Shortly after, a botnet launched distributed denial of service (DDoS) attacks<\/a> against Electrum servers for what is believed to be retaliation against developers for trying to fix the bug. Attackers reversed the scenario so that legitimate nodes became so overwhelmed that older clients had to connect to malicious nodes.<\/p>\n

In this post, we shed light on the phishing scheme used to push the malicious Electrum update, discuss where the stolen funds have gone, and finally look at the malware infections directly involved with the DDoS botnet.<\/p>\n

Electrum wallet 101<\/h3>\n

In order to get a better idea of how these attacks became so successful, it is helpful to have a basic understanding of how the Electrum wallet functions.<\/p>\n

Known as a \u201clightweight\u201d Bitcoin wallet, Electrum implements a variation of a technique described in Satoshi Nakamoto\u2019s Bitcoin white paper<\/a>\u200b<\/a> called Simplified Payment Verification (SPV). SPV allows\u200b \u200ba user to send and receive transactions without downloading a full copy of the Bitcoin blockchain (which is hundreds of gigabytes in size). <\/p>\n

Instead, Electrum operates in a client\/server configuration. The wallet (client) is programmed by default to connect to a network of peers (server) in order to verify that transactions are valid. <\/p>\n

While this has historically been a fairly secure method of transacting, attackers have taken advantage of the fact that anyone is allowed to operate as a public Electrum peer. As shown below, there has been a substantial increase in the number of peers active on the Electrum network: <\/p>\n

\n
\"\"
\ufeffSource: http:\/\/vps.hsmiths.com:49001\/munin\/hsmiths.com\/vps.hsmiths.com\/electrumx_peers.html <\/em><\/figcaption><\/figure>\n<\/div>\n

Fake Electrum wallet update notification<\/h3>\n

On December 26, 2018, the developer of Electrum issued a public warning on the official GitHub page providing some information about an ongoing attack: <\/p>\n

\n

\u200bTo users: when you broadcast a transaction, servers can tell you about errors with the transaction. In Electrum versions before 3.3.3, this error is arbitrary text, and what’s worse, it is HTML\/rich text (as that is the Qt default). So the server you are connected to can try to trick you by telling you to install malware (disguised as an update). You should update Electrum from the official website so that servers can no longer do this to you. If you see these messages\/popups, just make sure you don’t follow them and that you don’t install what they tell you to install. The messages are just messages, they cannot hurt you by themselves.<\/em><\/p>\n<\/blockquote>\n

The threat actors basically conducted a Sybil attack<\/a> on the Electrum network by introducing more malicious nodes than honest nodes.<\/p>\n

\n
\"\"
Legitimate Electrum wallet app showing malicious nodes<\/figcaption><\/figure>\n<\/div>\n

If a user connects to a malicious node (a high likelihood), and attempts to send a transaction through it, it would be blocked due to the weakness in Electrum allowing arbitrary HTML\/rich text to be received and displayed, such as the fake update message seen below:<\/p>\n

\n
\"\"
Phishing code injected into Electrum app when attempting to send Bitcoins<\/em><\/figcaption><\/figure>\n<\/div>\n

This second stage of the attack tricks the user into installing a malicious version of the Electrum wallet. Two different rogue projects were active on Github from around December 21 through December 27. <\/p>\n

hxxps:\/\/github.com\/electrum-project\/electrum\/releases\/tag\/3.4.1
hxxps:\/\/github.com\/electrum-wallet\/electrum\/releases <\/pre>\n
\n
\"\"
Malicious Electrum app repository<\/figcaption><\/figure>\n<\/div>\n
Malicious Electrum wallets<\/h3>\n
For practical purposes, we will refer to the following malware as Variant 1 and Variant 2, however, further research has revealed that the actors behind this specific campaign have been in operation for quite some time. Thus, it seems likely that there were other variations of this malware in existence prior to December 21, 2018. Variants 1 and 2 appear to be operated by distinct actors based on several differences in the malware. <\/p>\n
Variant 1<\/strong><\/h4>\n
Variant 1 is unique in the fact that malware authors have implemented a function to upload stolen wallet keys and seed data to a remote server. Additional effort has been made to ensure that this function is kept hidden by obfuscating the data exfiltration code inside a file not normally found in Electrum named initmodules.py. <\/p>\n
\n
\"\"
Rogue module responsible for data exfiltration<\/figcaption><\/figure>\n<\/div>\n
As mentioned, the exfiltration domains are not visible in the above code and are instead constructed during execution of the malware. This is most likely a technique used by the malware authors in order to make the code contained within initmodules.py appear legitimate. <\/p>\n
In addition to the theft of wallet data, any balance present in the wallet is sent to one of several pre-programmed public addresses under control of the attackers. The destination address chosen is dependent on the address format utilized by the infected users\u2019 Electrum wallet. <\/p>\n
Pay-to-PubkeyHash (P2PKH) addresses are the default in use during setup and likely the most common address type in use by the casual Bitcoin user. This fact is evident when looking up the activity of each address. <\/p>\n
14MVEf1X4Qmrpxx6oASqzYzJQZUwwG7Fb5<\/em> (P2PKH address type)
Total Received: 202.91141530 BTC ~ 776,243.23 USD

bc1q9h36cyfnqcxjeuw629kwmnp5a7k5pky8l2kzww <\/em>
Total Received: 0.01927492 BTC ~ 73.75 USD

1rTt8GePHv8LceXnujWqerUd81U29m857<\/em>
Total Received: 0 BTC

3CrC4UitJqNqdkXY5XbJfCaGnbxHkKNqzL<\/em>
Total Received: 15.22210788 BTC ~ 58,239.77 USD

1FmxAHft8trWjhRNvDsbjD8JNoSzDX8pfD<\/em>
Total Received: 0 BTC <\/pre>\n
Variant 1 Bitcoin total: 218.1527981 BTC<\/strong>
Variant 1 USD total: ~$1,101,034.00 <\/strong><\/p>\n
\"\"
Sample extended Private Key (xprv) sent to malicious server using HTTP POST <\/figcaption><\/figure>\n
\"\"
Sample wallet seed words sent to malicious server using HTTP POST<\/figcaption><\/figure>\n
All of the malicious data exfiltration domains observed during our analysis of Variant 1 were created at the same time and all have been observed resolving to the IP address 31.31.196.86. This address belongs to Reg.ru, a hosting company based in Moscow, Russia. <\/p>\n
Variant 1 binaries are also unique from later variants due to the fact that its Windows installers have been digitally signed.<\/p>\n
\n
\"\"
Malicious app using a digital certificate<\/figcaption><\/figure>\n<\/div>\n
Interestingly, the digital certificate used to sign one of the malicious Windows Electrum files (EIZ Ltd) has recently been used to sign an unrelated malware<\/a>. <\/em><\/p>\n
Variant 2 <\/strong><\/h4>\n
Since Variant 1 was so successful in stealing substantial amounts of Bitcoin, it seemed almost inevitable that additional attacks would be mounted by threat actors looking to cash in on this reasonably easy scheme. Surely enough, a second variant of these malicious Electrum wallets appeared. This variant has attacked quite aggressively, overtaking the Electrum network and resulting in the theft of more Bitcoin than Variant 1. <\/p>\n
Instead of redirecting victims to a malicious Github site, Variant 2 hosts the malicious downloads on a domain with similar spellings as the legitimate Electrum download site. The HTML content is essentially a mirror image. <\/p>\n
\n
\"\"
Fake website, a copy-cat of the legitimate one <\/figcaption><\/figure>\n<\/div>\n
The threat actors seem to have a good understanding of Electrum and its code. For example, they disabled auto updates, removed prompts, such as “Yes I am sure”, and even took away the ability to perform Replace-by-Fee (RBF) transactions. <\/p>\n
\n
\"\"
Contents of main_window.py<\/figcaption><\/figure>\n<\/div>\n
Replace-by-Fee is a function that was added to the Bitcoin codebase later on in development that would allow users to essentially create a double spend transaction. In this case, if you knew about this function (and probably few do), you could reverse the stolen funds transfer by double spending the input using a higher fee.<\/p>\n
\n
\"\"
Replace-by-Fee function commented out in screens.py code<\/figcaption><\/figure>\n<\/div>\n
For example, if you installed the malicious wallet and lost a bunch of Bitcoin, one of the only ways you could get it back would be by attempting a RBF transaction to reverse the malicious one. But you’d have to act quick before the malicious one was confirmed. By disabling this feature, the threat actors made sure this wouldn’t be possible.<\/p>\n
Below is the modified source code of Variant 2, a paytoedit.pyc script file redirecting payment to a hard-coded attacker Bitcoin address: <\/p>\n
\n
\"\"
Bitcoin address that will receive stolen funds<\/figcaption><\/figure>\n<\/div>\n
bc1qhsrl6ywvwx44zycz2tylpexza4xvtqkv6d903q<\/em>
Total received: 187.8298 BTC \/ 941,436 USD

bc1q92md7868uun8vplp9te0vaecmxyc5rrphdyvxg<\/em>
Total received: 55.9948 BTC \/ 201,326 USD

bc1q7hsnpd794pap2hd3htn8hszdfk5hzgsj5md9lz<\/em>
Total received: 36.7358 BTC \/ 126,972 USD

bc1ql0p2lrnnxkxnw52phyq8tjr7elsqtnncad6mfv
Total received: 75.2927 BTC \/ 291,342 USD

bc1qyjkcthq9whn3e8h9dd26gjr9kd8pxmqdgvajwv
Total received: 21.8628 BTC \/ 84,678 USD

bc1qvr93mxj5ep58wlchdducthe89hcmk3a4uqpw3c
Total received: 27.3636 BTC \/ 138,733 USD

bc1qcla39fm0q8ka8th8ttpq0yxla30r430m4hgu3x 
Total received: 232.6469 BTC \/ 1,166,068 USD
<\/pre>\n
Variant 2 Bitcoin total: 637.7264 BTC<\/strong>
Variant 2 USD total: ~$2,950,555.00 <\/strong><\/p>\n
Where have all the coins gone? <\/h3>\n
Some simple blockchain analysis on the funds stolen by Variant 1 show us that the attackers have broken the BTC down into smaller amounts. In this case, 48.36 BTC is re-grouped mostly into 3.5 BTC amounts followed by 1.9 BTC amounts. <\/p>\n
Such a pattern is likely evidence that a money laundering technique known as “smurfing” is being used. With 1.9 BTC equal to approximately $7,000 USD, deposits of this amount are unlikely to trigger a currency transaction report (CTR), as this amount is under the $10,000 threshold. <\/p>\n
\n
\"\"
Smaller chunks of Bitcoin being laundered<\/figcaption><\/figure>\n<\/div>\n
Finally, the 11 outputs seen above are combined with an additional 15 inputs before being sent to 329nUnJxz5zgr4vnNPu8JNwpa3qEJfucQX, an address that feeds into the well-known<\/a> hot wallet address for the cryptocurrency exchange Bitfinex.<\/p>\n
\n
\"\"
First step before reaching Bitfinex wallet<\/figcaption><\/figure>\n<\/div>\n
\n
\"\"
Final step before reaching Bitfinex hot wallet (1Kr6QSydW9bFQG1mXiPNNu6WpJGmUa9i1g) <\/figcaption><\/figure>\n<\/div>\n
On Sunday, April 14, we noticed that the attackers behind Variant 2 had just cashed out their newest wallet:<\/p>\n
\n
\"\"
Variant 2 Bitcoin wallet notification<\/figcaption><\/figure>\n<\/div>\n
Many of the movements of stolen funds from Variant 2 appear to follow a similar pattern. Let\u2019s take a look at a recent withdrawal of 38.38517511 BTC from attacker address \u201cbc1qhsrl6ywvwx44zycz2tylpexza4xvtqkv6d903q\u201d. The total output is always split into 2 outputs:<\/p>\n
\n
\"\"
Transaction split in two outputs<\/figcaption><\/figure>\n<\/div>\n
Taking note of the transfer of 36.38011271 BTC which we will revisit later, let\u2019s first follow the transfer of 2.0050624 BTC to address \u201c1BCtXcP3gc7FygZMegeKUPsogo68aKRSPA\u201d followed by \u201c1wotccCFTuLQdCv46Bz3zqcosDCDwAWhd\u201d. We see a transaction containing 2 outputs in which address \u201c3DvWYYkzgHbyBgUTSjtPsLmkzs1R9frSrz\u201d consumes all of the funds. The other output named \u201cnot-address\u201d, is what is known as an OP_RETURN<\/a> script opcode. This opcode is typically used to record data on the blockchain. <\/p>\n
\n
\"\"
OP RETURN script opcode<\/figcaption><\/figure>\n<\/div>\n
Indeed, the transaction contains some encoded data most likely stored as part of a multi-signature transaction<\/a>:<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
While the exact purpose of the data stored using OP_RETURN is unknown, it doesn\u2019t matter too much and we can still follow the forward movement of Variant 2 BTC funds in order to learn their destination: <\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
The next largest output, 1.96991794, from the prior transaction, is consumed by transaction ID f5abb14ffc1d57494934d10a2114b2e4fc812b7e18f73d0f6202a995d2bea1be, which contains 445 inputs totaling 100.02103004 BTC.<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
These 100 BTC are then moved to address 1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s, the known hot wallet address for Binance<\/a>. Let\u2019s take a quick look at the destination of the 36.38011271 BTC which we noted earlier. In the interest of brevity, we follow a similar path forward tracking funds as they are split up in similar fashion as those above:<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
As we see, 25.8 BTC are sent to the address \u201c3MRqgoPe6vBNVEn9Fo85qK7zvaLb9e9T2x\u201d. Many addresses associated with this wallet appear to be associated with what are seemingly scam websites offering to \u201cdouble your Bitcoin\u201d.<\/p>\n
3FF1uZ5oEaSZYKCvGbywu39djsknrGeu96<\/a> – Continvest
3AxHFZ2ivJUBgveyNj1PQak6FsKBcLJ42N<\/a> – Bitcoin Doubler<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
Since it is highly unlikely that you can simply double any amount of Bitcoins that you send, it is probable that these websites exist to offer another function such as mixing\/laundering of funds for criminals. <\/p>\n
Countermeasures and reprisals<\/h3>\n
Faced with such widespread attacks against their user base, the developers behind Electrum decided to exploit the very same vulnerability in order to display a legitimate update notification<\/a>. However, this was not enough to stop the attackers, so later Electrum decided to run denial of service attacks against their own users to prevent them from connecting to rogue nodes.<\/p>\n
\n
\n
\n
Electrum clients older than 3.3 can no longer connect to public electrum servers. We started exploiting a DOS vulnerability in those clients, in order to force their users to upgrade, and to prevent exposure to phishing messages. Linux Tail users should download our Appimage.<\/p>\n
— Electrum (@ElectrumWallet) March 15, 2019<\/a><\/p><\/blockquote>\n