The official website of the Monero Project has been compromised to serve a malware-infected version of the CLI (command-line interface) wallet.
The malicious file was available for download for around 14 hours and at least one of the users who downloaded the malware has had their funds stolen.
On Tuesday (November 18), a user noticed that the SHA256 hash sum of the 64-bit Linux binary he downloaded from the site did not match the one listed on it, which means that the file had been modified.
The Monero Project team began investigating and confirmed they’ve been compromised.
“It’s strongly recommended to anyone who downloaded the CLI wallet from [web.getmonero.org] between Monday 18th 2:30 AM UTC and 4:30 PM UTC, to check the hashes of their binaries. If they don’t match the official ones, delete the files and download them again. Do not run the compromised binaries for any reason,” they advised.
They pointed users towards two guides for checking the authenticity of downloaded binaries and to an official source of signed hashes, and reassured them that the “binaries are now served from another, safe, source.”
The investigation into how the attackers managed to switch the file without the Monero core team noticing is ongoing, but one of the team members confirmed in a reddit thread that the attackers managed to disable file integrity monitoring on the compromised box, and that’s why they didn’t notice the file switching immediately.
About the malicious binary
“I can confirm that the malicious binary is stealing coins. Roughly 9 hours after I ran the binary a single transaction drained the wallet. I downloaded the build yesterday around 6pm Pacific time,” an affected user shared.
“I have not completed any malware analysis as of yet, but I’d like to get to the bottom of whether the binary is limited to stealing xmr, or also tries to compromise the machine as a whole or any of its files.”
Security researcher Bart Blaze did a quick analysis of the malicious binary and noticed that a few new functions had been added to it, aimed at stealing the wallet data an attacker needs to drain funds from it.
“As far I can see, it doesn’t seem to create any additional files or folders – it simply steals your seed and attempts to exfiltrate funds from your wallet,” he noted.
He also confirmed that the Windows binary of the tool had been compromised to do the same thing, and offered advice on how to protect oneself if affected.
The importance of always checking the authenticity of downloaded binaries
“Monero is not the first, nor will it likely be the last cryptocurrency (in this case, its website and binaries) that gets compromised,” Blaze noted.
This incident serves to stress the importance of always checking the integrity of binaries downloaded from any online source.
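As an added illustration (not code from the article or from the Monero Project), here is the check the team recommended: compute the SHA256 of the downloaded file and compare it with the entry for that file in the signed hash list. It assumes the list uses sha256sum-style lines; the filenames and list contents below are constructed, and verifying the list's PGP signature with gpg is a separate step.

```python
import hashlib
import hmac
import re
from pathlib import Path

# sha256sum-style entry: 64 hex chars, space, ' ' or '*' (binary mode), filename
HASH_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](\S+)$")


def parse_hash_list(text: str) -> dict:
    """Map filename -> sha256 hex from a hash list.

    Non-entry lines (PGP armour, 'Hash:' header, comments) are skipped, so a
    clearsigned hashes file can be fed in as-is. Checking its signature
    (gpg --verify) is a separate, mandatory step: an attacker who replaced the
    binary could also replace an unsigned hash list.
    """
    entries = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def verify_bytes(name: str, data: bytes, hash_list: str) -> bool:
    """True only if `name` is listed and its SHA256 matches; raises if unlisted."""
    expected = parse_hash_list(hash_list).get(name)
    if expected is None:
        raise ValueError(f"{name} is not in the hash list; do not trust it")
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def verify_download(path: Path, hash_list: str) -> bool:
    """Same check for a file on disk (release archives fit in memory)."""
    return verify_bytes(path.name, path.read_bytes(), hash_list)


# Constructed sample: a stand-in 'binary' and a hash list in the assumed format.
# Filenames are placeholders, not the real release names.
SAMPLE_BINARY = b"constructed stand-in for a downloaded wallet archive"
SAMPLE_HASH_LIST = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

{hashlib.sha256(SAMPLE_BINARY).hexdigest()}  monero-linux-x64-EXAMPLE.tar.bz2
{'0' * 64}  monero-win-x64-EXAMPLE.zip
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""
```

A download whose name is missing from the list is rejected outright rather than treated as "no hash to check", which is the failure mode a casual comparison tends to miss.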
More information about how the compromise was executed should be available in the coming days.