Compromised GitHub Account Spreads Malicious Syscoin Installers
18.6.18 securityweek Virus
Malware-laden Syscoin releases were up for download on an official GitHub repository after hackers managed to compromise an account and replace legitimate Windows installers.
The malicious releases were posted on the Syscoin GitHub release page on June 9 and remained there until June 13. Only the Windows Syscoin 3.0.4 installers (syscoincore-3.0.4-win32-setup.exe and syscoincore-3.0.4-win64-setup.exe) were affected.
In a security notice published on Syscoin’s official account on the soon-to-be Microsoft-owned GitHub, the developers explain that the malicious code included in the modified installers is detected as Trojan:Win32/Feury.B!cl.
Mac and Linux releases were not modified by the hackers. Windows users who downloaded the ZIP files weren’t affected either (all users who did not download or execute the Syscoin 3.0.4 setup binaries are safe).
“This may affect Windows users who downloaded and executed the Syscoin 3.0.4 Windows setup binaries from Github between June 09th, 18 10:14 PM UTC & June 13th, 18 10:23 PM UTC,” the security notice reads.
“Please be aware this exploit method could potentially affect other blockchain projects on Github,” Blockchain Foundry notes in the Syscoin 3.0.5’s release announcement.
Windows users are advised to check the installation date for their Syscoin and make sure they did not download and execute releases containing the malicious code.
If the modified/installation date is between June 9 and June 13, 2018, users are advised to back up important data (including wallets), make sure the backup does not contain infectious code, and then scan their system with an anti-virus application.
They should also change any passwords entered in that timeframe (the malware is a keylogger) and secure any funds stored in “unencrypted wallets or wallets that had been unlocked during the infection period.”
Windows users who downloaded the tampered binaries are also advised to follow a GenericKD Trojan removal guide before restarting the system, as the Trojan might have logged entered passwords.
The hack was discovered after the Blockchain Foundry team received reports that the syscoincore-3.0.4-win64-setup.exe binary was being flagged as a potential virus by Windows Defender SmartScreen, AVG, and Kaspersky.
“Investigation into the issue revealed the original Github Windows setup binaries for release 3.0.4 had been modified and replaced with a malicious version through a compromised Github account. Upon discovery, the 3.0.4 setup binaries were removed from Github and replaced with official, signed versions of the binaries,” Syscoin reveals.
The malicious binaries were immediately removed from the repository and replaced with the legitimate ones. To prevent similar incidents, Syscoin developers and Blockchain Foundry staff with Github access are now required to have 2-step authentication enabled, to routinely check signature hashes, and to “work with Github to ensure users will be able to detect if binaries have been altered after release.”
“Although the issue was detected quickly, we believe that the crypto-community is at risk for a specific type of attack which targets gatekeepers of source code for cryptocurrency projects. We highly recommend that all gatekeepers of software repositories for cryptocurrency projects sign binaries through an official build process like Gitian,” Syscoin notes.
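The "routinely check signature hashes" and "detect if binaries have been altered after release" points above boil down to comparing each downloaded installer against a digest manifest that the attacker could not rewrite. The following is an added example, not code from the article or from Syscoin's own build tooling; the installer bytes and the SHA256SUMS-style manifest are constructed here, and it assumes the manifest was signed and obtained from somewhere the compromised release account could not touch.

```python
import hashlib

# Constructed stand-ins for the two Windows installers named in the article.
# They are NOT the real Syscoin 3.0.4 binaries; the digests in MANIFEST below
# are computed from these byte strings so the example runs offline.
GOOD_WIN32 = b"constructed win32 installer bytes"
GOOD_WIN64 = b"constructed win64 installer bytes"
TAMPERED_WIN64 = b"constructed win64 installer bytes + injected payload"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A SHA256SUMS-style manifest, in the `sha256sum` output format that a
# reproducible build process (e.g. Gitian) publishes and signs for a release.
MANIFEST = (
    f"{sha256_hex(GOOD_WIN32)}  syscoincore-3.0.4-win32-setup.exe\n"
    f"{sha256_hex(GOOD_WIN64)}  syscoincore-3.0.4-win64-setup.exe\n"
)


def parse_manifest(text: str) -> dict:
    """Parse '<hex digest>  <filename>' lines into {filename: digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return expected


def verify_release(manifest_text: str, downloaded: dict) -> dict:
    """Check every downloaded file against the published digests.

    Returns {filename: 'ok' | 'MISMATCH' | 'not-in-manifest' | 'missing'}.
    A MISMATCH is exactly the post-release swap described in the article;
    'not-in-manifest' catches an extra file slipped into the release page.
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, data in downloaded.items():
        if name not in expected:
            results[name] = "not-in-manifest"
        else:
            results[name] = "ok" if sha256_hex(data) == expected[name] else "MISMATCH"
    for name in expected:
        results.setdefault(name, "missing")  # listed but never downloaded
    return results
```

A manifest hosted in the same release by the same account is no protection, since whoever replaced the installers could replace it too; the digests only mean something when the manifest's signature is checked against a maintainer key held outside the release account.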