A compromised cryptocurrency software spotted installing AZORult malware

• Attackers compromised the Github account of Denarius Cryptocurrency project lead and uploaded a backdoored version of Denarius Windows client v3.3.6.
• The backdoored version of Denarius Windows client installer also installed AZORult malware.

Attackers have compromised the Github account of Denarius Cryptocurrency project lead and uploaded a backdoor version of Denarius Windows client v3.3.6. A security researcher named ‘Misterch0c’ spotted this backdoored Denarius client and notified ZDNet.

ZDNet worked closely with Yonathan Klijnsma, a threat researcher at RiskIQ and confirmed Misterch0c’s findings. Denarius cryptocurrency project lead Carsen Klock disclosed that he reused an older password, which resulted in the compromise of his Github account.

AZORult malware

Researchers Misterch0c and Klijnsma analyzed the backdoored Denarius Windows client installer and confirmed that the Denarius client installer installed AZORult malware.

“The .bat file is started, which it will start the other bins in sequence, with smaller one being AZORult,” Klijnsma said.

This AZORult malware, once installed on a system, would perform various malicious activities such as,

• Steal user data such as browser cookies, browser passwords, chat histories, passwords for FTP clients, as well as wallet database files from cryptocurrency clients.
• The stolen information would then be sent to a C&C server located at IP address 51[.]15[.]243[.]101.

Klijnsma analyzed the IP address against RiskIQ’s database and detected that the IP address (51[.]15[.]243[.]101) hosted an AZORult control panel since July 2018.

Denarius installer infected almost 3200 users

Another security researcher under the name ‘prsecurity’ claimed that the backdoored Denarius client installer infected roughly 3200 users.

“This IP address was also linked to other malware samples, all who appeared to be backdoored cryptocurrency software, and all who communicated with this same domain,” Misterch0c said.

Security researcher Misterch0c and ZDNet contacted Carsen Klock, the Denarius cryptocurrency project lead and reported the backdoored Denarius client. Upon learning this, Klock removed the backdoored Windows client from the Denarius cryptocurrency's official GitHub account.