Backdoored cryptocurrency software found serving AZORult malware

Hackers have compromised the GitHub account of the Denarius cryptocurrency project lead and have backdoored the Windows client with the AZORult infostealer malware.

The compromised Denarius cryptocurrency client –which node operators run on their servers to support the Denarius blockchain– was spotted earlier today by a security researcher named Misterch0c, who alerted ZDNet.

ZDNet independently confirmed the researcher’s findings with the help of RiskIQ threat researcher Yonathan Klijnsma.

Carsen Klock, the lead developer of the Denarius cryptocurrency, said the incident occurred because he had reused an older password to secure his GitHub account.

This allowed a hacker to silently access his GitHub account and upload a backdoored version of the Denarius Windows client, version 3.3.6, released on January 22.

According to Misterch0c and Klijnsma, this file was a modified Denarius client installer that also dropped and ran a copy of the AZORult malware.
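The practical lesson of the swap above is that a release tag's assets should never change after publication; a maintainer-account takeover that re-uploads a trojanized binary under an existing version shows up as a digest change. The following is an added example of such a release-asset monitor, written for this page and not code from the Denarius project or ZDNet. It assumes a trust-on-first-use model (the first snapshot of a tag is pinned, so the pin must be taken from a build you trust), and the asset names, tags and file contents in the demo are constructed, not real Denarius release data.

```python
import hashlib
import json
from typing import Dict, List

# Hypothetical release-asset monitor (added example, not project code).
# state maps release tag -> {asset file name -> sha256 hex digest}.

def sha256_hex(data: bytes) -> str:
    """SHA-256 of an asset's bytes, hex-encoded."""
    return hashlib.sha256(data).hexdigest()

def snapshot(assets: Dict[str, bytes]) -> Dict[str, str]:
    """Digest every asset of one release tag."""
    return {name: sha256_hex(blob) for name, blob in assets.items()}

def check_release(state: Dict[str, Dict[str, str]], tag: str,
                  assets: Dict[str, bytes]) -> List[str]:
    """Compare the current assets of `tag` with the pinned snapshot.

    Returns a list of findings. A tag seen for the first time is pinned
    (trust-on-first-use) and reported informationally; any later change
    to an already-published tag (modified, added or removed asset) is an
    ALERT, which is exactly what a re-uploaded backdoored installer
    under an existing version number would produce.
    """
    current = snapshot(assets)
    pinned = state.get(tag)
    if pinned is None:
        state[tag] = current
        return [f"{tag}: pinned {len(current)} asset(s) on first sight"]
    findings: List[str] = []
    for name, digest in current.items():
        old = pinned.get(name)
        if old is None:
            findings.append(f"ALERT {tag}: asset {name} added after release")
        elif old != digest:
            findings.append(f"ALERT {tag}: {name} changed {old[:12]} -> {digest[:12]}")
    for name in pinned:
        if name not in current:
            findings.append(f"ALERT {tag}: asset {name} removed after release")
    return findings

def verify_download(state: Dict[str, Dict[str, str]], tag: str,
                    name: str, data: bytes) -> bool:
    """Node-operator side: does a downloaded file match the pinned digest?"""
    return state.get(tag, {}).get(name) == sha256_hex(data)

def save_state(state: Dict[str, Dict[str, str]], path: str) -> None:
    """Persist pins so the monitor survives restarts (plain JSON)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(state, fh, indent=2, sort_keys=True)

def demo() -> List[str]:
    """Constructed scenario: a clean release, then a swapped binary."""
    state: Dict[str, Dict[str, str]] = {}
    clean = {"Denarius-3.3.6-win64.exe": b"constructed clean build"}
    swapped = {"Denarius-3.3.6-win64.exe": b"constructed swapped build"}
    out = []
    out += check_release(state, "v3.3.6", clean)     # pinned on first sight
    out += check_release(state, "v3.3.6", clean)     # unchanged: no findings
    out += check_release(state, "v3.3.6", swapped)   # digest changed: ALERT
    return out

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it periodically against the release API output (or against the checksums a project publishes out of band) and page on any ALERT; the pin is only as good as the first snapshot, so take it from a build you verified yourself rather than from whatever happens to be on the release page today.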

“The .bat file is started, which will start the other bins in sequence, with the smaller one being AZORult,” Klijnsma said after analyzing the backdoored Denarius installer.

AZORult malware inside the Denarius client installer
Image: Yonathan Klijnsma

Once installed on a user’s computer, AZORult can steal a vast array of user data, such as browser passwords, browser cookies, passwords for FTP clients, chat histories, and most importantly, wallet database files from popular cryptocurrency clients.

Misterch0c told ZDNet that all the data collected from infected users would then be sent to a command-and-control (C&C) server located at

After looking up the IP address in RiskIQ’s large database of historical threat intelligence data, Klijnsma told ZDNet that the address had hosted an AZORult control panel since July 2018.

AZORult control panel
Image: Yonathan Klijnsma

According to Misterch0c, this IP address was also linked to other malware samples, all of which appeared to be backdoored cryptocurrency software, and all of which communicated with this same domain.

Wow… I think this is bigger than I thought. Look at all these shitcoins wallets that were compromised… pic.twitter.com/gim2mkeXYU
— Misterch0c (@MisterCh0c), February 5, 2019

This appears to be a well-organized hacking spree that targeted cryptocurrency aficionados by backdooring cryptocurrency node clients and wallet apps.

One of the cryptocurrencies included in Misterch0c’s list is New York Coin (NYC), which admitted two weeks ago that a 51% attack carried out in October was most likely caused by malware that was slipped into its wallets before the attack.

The New York Coin 51% attack resulted in hackers taking control of more than half of all NYC blockchain nodes and using this position to issue and immediately confirm illicit transactions that siphoned NYC coins from the wallets of the Trade Satoshi cryptocurrency exchange. Trade Satoshi later delisted New York Coin following this attack.

After being contacted by ZDNet and Misterch0c, Klock, the main Denarius dev, removed the backdoored Windows client from the currency’s official GitHub account before this article’s publication. At the time of writing, there have not been any 51% attacks against the Denarius blockchain.

Nonetheless, because AZORult is such an intrusive threat, capable of collecting all sorts of data such as passwords, cookies, and wallet files, there is no reason to assume the group behind this spree followed the same playbook after every compromised cryptocurrency software client.

In many cases, they might have been satisfied with emptying the wallets of users who installed any of the other backdoored clients, rather than taking over an entire blockchain to defraud cryptocurrency exchanges.
