On 19 November, a Reddit user warned the Monero community about CLI binaries being compromised. Soon after it was brought to light, the issue escalated and the official Monero website acknowledged having been hacked. The hack was intended to deliver currency-stealing malware to users who were downloading wallet software, according to a blog released by officials.
The attack took place on Monday and users were promptly asked to check the hash of the downloaded CLI binaries. They were also asked to delete the files in case of a mismatch, while also being told not to run these compromised binaries. According to a report analysing the attack, the malicious Linux binary added new functions to existing ones. One of the functions, “Call new seed function,” was reported to be immediately called after the user either opened a new wallet or created one.
It sent the cryptographic code used to access the wallet funds to a server at node.hashmonero[.]com, which in turn sent these funds to the servers located at node.xmrsupport[.]co and 45.9.148[.]65. The Windows version of the malware carried out an almost similar attack sequence, with changes in the function names.
How to detect?
According to the blog, users with firewalls or proxy must detect if they had any connections to or network traffic from the aforementioned servers. If found, they must delete all the binaries mentioned and verify the hashes of their Monero setup or installer file.
According to the analysis, the recommendations made to users were to install an antivirus and use a firewall. It included,
“If you already use an antivirus: it may be a good idea to not exclude a specific folder in your antivirus when using Monero (or other miners), and if needed, only do so after the hashes have been verified.”
Apart from these measures users were also advised to be alert and monitor their account/wallets for the next few days and verify all transactions. The Monero team has also issued a warning about the attack and noted,
“The binaries available on this website were compromised for a short time.”
The team has also informed the community that the matter was being investigated and that updates will be provided soon.