The malware was found in downloadable files of the Monero CLI wallet. According to Monero developers, the attack was active for a few minutes.
The developer team of Monero, a privacy-focused cryptocurrency, issued an alert to users of the CLI wallet, after verifying that some binary files of the software on the official download site were compromised with malware. The information was disclosed on Tuesday, November 19th, in a publication of the website.
According to the statement, downloads made from getmonero.org between Monday and Tuesday may contain malicious binary files. In this sense, they requested the users of the CLI wallet that had made downloads to verify the validity of these files.
The Monero community recommends that anyone who has downloaded the CLI wallet from this website, between Monday 18th at 2:30 a.m. and 4:30 p.m. CUT, check the hashes of their binaries. If they do not match the official ones, the files must be deleted and downloaded again. The compromised binary files cannot be run for any reason.
In a Reddit message posted by the Monero community, users are advised to verify the authenticity of their binary files, with which they were signed by the GPG key of Fluffypony, one of the main developers of the project. A guide is also provided to complete the process without mistakes on devices with Windows, Linux, and Mac OS X operating systems.
The attack was detected by a user identifying himself as nikitasius, who noted that when downloading the binaries of the Monero CLI wallet from getmonero.org, the hash of the downloaded files did not match those contained in the official GitHub repository of Monero. The main developers of the project stated that the problem was immediately solved; however, the contaminated files were available for about 35 minutes.
At least one user reported being affected by the malware, which drained his wallet of Monero (XMR) equivalent to about USD 7,000. The victim, who identifies himself as moneromanz, posted a Reddit message in which he confirms that the malicious binary is stealing coins. He said that, about 9 hours after executing the binary, a single transaction depleted his wallet of all USD 7,000.
A preliminary investigation indicated that the infected file is a Linux binary, to which illegitimate functions were added. The malware activates when opening or creating a new Monero CLI wallet and sends the seed to a server under the attacker’s control, then proceeding to empty the funds. It should be remembered that the seed is a set of mnemonic words that allow recovering the private key of the cryptocurrencies and signing transactions.
Monero investigators confirmed that, once the problem was detected, binary file downloads are used as a secure source and that they are currently conducting a detailed investigation to promptly inform about the details of the attack.
Among the recommendations, users who executed the binary files in the period indicated above were asked to immediately transfer the funds from all the wallets opened with the said executables to a secure version of the wallet.
By Willmen Blanco