
Backdoored cryptocurrency software found serving AZORult malware

Hackers have compromised the GitHub account of the Denarius cryptocurrency project lead and have backdoored the Windows client with the AZORult infostealer malware.

The compromised Denarius cryptocurrency client –which node operators run on their servers to support the Denarius blockchain– was spotted earlier today by a security researcher named Misterch0c, who alerted ZDNet.

ZDNet independently confirmed the researcher’s findings with the help of RiskIQ threat researcher Yonathan Klijnsma.

Carsen Klock, the top dev behind the Denarius cryptocurrency, said the incident occurred because he reused an older password to secure his GitHub account.

This allowed a hacker to silently access his GitHub account and upload a backdoored version of the Denarius Windows client, version 3.3.6, released on January 22.

According to Misterch0c and Klijnsma, this file (VirusTotal link) was a modified Denarius client installer that installed a version of the AZORult malware.
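The incident described above is a release-asset substitution: the maintainer's account is taken over and a published installer is quietly replaced. The following added example (written for this page, not code from the article, from Misterch0c, RiskIQ or the Denarius project) shows two checks a maintainer or node operator could run to catch that: a comparison of a previously recorded manifest of release assets (name, size, SHA-256) against the current one, and a pinned-hash check on a downloaded file before installing it. The asset name, the installer bytes and the hashes are constructed stand-ins, not real Denarius values.

```python
"""Release-asset tamper check (added example, not the project's own tooling).

1. diff_release_assets(): compare a manifest snapshot taken at publish time
   against the manifest seen now and report assets that were added, removed
   or modified. Re-running this periodically flags a silent re-upload.
2. verify_download(): before installing, confirm a downloaded file hashes to
   the value pinned out-of-band (e.g. announced on another channel).

All names, sizes and hashes below are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Asset:
    name: str      # file name as published on the release page
    size: int      # size in bytes
    sha256: str    # hex digest of the file contents


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _by_name(assets: Iterable[Asset]) -> Dict[str, Asset]:
    return {a.name: a for a in assets}


def diff_release_assets(baseline: Iterable[Asset], current: Iterable[Asset]) -> List[str]:
    """Return one finding per changed asset; an empty list means nothing changed."""
    base, cur = _by_name(baseline), _by_name(current)
    findings: List[str] = []
    for name in sorted(set(base) | set(cur)):
        if name not in cur:
            findings.append(f"REMOVED {name}")
        elif name not in base:
            findings.append(f"ADDED {name} (asset not present at publish time)")
        elif base[name].sha256 != cur[name].sha256 or base[name].size != cur[name].size:
            findings.append(
                f"MODIFIED {name}: sha256 {base[name].sha256[:12]}.. -> "
                f"{cur[name].sha256[:12]}.., size {base[name].size} -> {cur[name].size}"
            )
    return findings


def verify_download(data: bytes, expected_sha256: str) -> bool:
    """True only if the downloaded bytes hash to the pinned digest (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


# --- constructed sample data (stand-ins, not real release contents) -----------
ASSET_NAME = "denarius-3.3.6-win.exe"                       # hypothetical file name
ORIGINAL_INSTALLER = b"denarius windows client 3.3.6 (constructed stand-in)"
# A tampered build: same name, extra bytes appended to represent a bundled dropper.
TAMPERED_INSTALLER = ORIGINAL_INSTALLER + b"\x00 extra payload stand-in"

BASELINE = [Asset(ASSET_NAME, len(ORIGINAL_INSTALLER), sha256_hex(ORIGINAL_INSTALLER))]
CURRENT = [Asset(ASSET_NAME, len(TAMPERED_INSTALLER), sha256_hex(TAMPERED_INSTALLER))]


def demo() -> List[str]:
    """Run the manifest comparison on the constructed sample and return the findings."""
    return diff_release_assets(BASELINE, CURRENT)


if __name__ == "__main__":
    for line in demo():
        print(line)
    print("pinned hash matches original:", verify_download(ORIGINAL_INSTALLER, BASELINE[0].sha256))
    print("pinned hash matches tampered:", verify_download(TAMPERED_INSTALLER, BASELINE[0].sha256))
```

The manifest snapshot has to be stored somewhere the compromised account cannot rewrite (a separate repository or a file the maintainer keeps offline); comparing the release page against itself catches nothing. The same applies to the pinned digest: it only helps the downloader if it was obtained through a channel other than the release page that was tampered with.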

“The .bat file is started, which will then start the other bins in sequence, with the smaller one being AZORult,” Klijnsma said after analyzing the backdoored Denarius installer.

AZORult malware inside the Denarius client installer
Image: Yonathan Klijnsma

Once installed on a user’s computer, AZORult can steal a vast array of user data, such as browser passwords, browser cookies, passwords for FTP clients, chat histories, and most importantly, wallet database files from popular cryptocurrency clients.

Misterch0c told ZDNet that all the data collected from infected users would then be sent to a command and control (C&C) located at

After looking up the IP address in RiskIQ’s huge database of historical threat intelligence data, Klijnsma told ZDNet that the had hosted an AZORult control panel since July 2018.

AZORult control panel
Image: Yonathan Klijnsma

According to Misterch0c, this IP address was also linked to other malware samples, all of which appeared to be backdoored cryptocurrency software, and all of which communicated with this same domain.

Wow… I think this is bigger than I thought. Look at all these shitcoins wallets that were compromised… pic.twitter.com/gim2mkeXYU
Misterch0c (@MisterCh0c), February 5, 2019

This appears to be a very well-organized hacking spree that targeted cryptocurrency aficionados by backdooring cryptocurrency node clients and wallet apps.

One of the cryptocurrencies included in Misterch0c’s list is New York Coin (NYC), which admitted two weeks ago that a 51% attack carried out in October was most likely caused by malware that was slipped into its wallets before the attack.

The New York Coin 51% attack resulted in hackers taking control of more than half of all NYC blockchain nodes and using this superior position to issue and immediately confirm illicit transactions that siphoned NYC coins from the wallets of the Trade Satoshi cryptocurrency exchange. Trade Satoshi later delisted New York Coin from its index following this attack.

After being contacted by ZDNet and Misterch0c, Klock, the main Denarius dev, removed the backdoored Windows client from the currency’s official GitHub account before this article’s publication. At the time of writing, there have not been any 51% attacks against the Denarius blockchain.

Nonetheless, because AZORult is such an intrusive threat, able to collect all sorts of data such as passwords, cookies, and wallet files, it does not follow that the hacker group behind this spree took the same approach after every compromised cryptocurrency software client.

In many cases, they might have been satisfied with emptying the wallets of users who installed any of the other backdoored clients, rather than taking over an entire blockchain to defraud cryptocurrency exchanges.
