An ongoing attack against Electrum Bitcoin wallets has just grown bigger and stronger, with attackers now targeting the whole infrastructure of the exchange with a botnet of over 152,000 infected users, raising the amount of stolen user funds to USD 4.6 million.
Electrum has been facing cyber attacks since December last year, when a team of cybercriminals exploited a weakness in the Electrum infrastructure to trick wallet users into downloading malicious versions of the software.
In brief, the attackers added malicious servers to the Electrum peer network. These servers were designed to display an error to legitimate Electrum wallet apps, urging users to download a malicious wallet software update from an unofficial GitHub repository.
The phishing attack eventually allowed attackers to steal wallet funds (almost 250 bitcoins, worth about $937,000 at the time) and take full control over the infected systems.
To counter this, the developers behind Electrum exploited the same technique as the attackers in order to encourage users to download the latest patched version of the wallet app.
“Electrum clients older than 3.3 can no longer connect to public electrum servers. We started exploiting a DOS vulnerability in those clients, in order to force their users to upgrade and to prevent exposure to phishing messages. Linux Tail users should download our Appimage,” Electrum developers tweeted in March.
In response, the attackers started DDoSing legitimate Electrum servers in an attempt to trick older clients into connecting to malicious nodes while the legitimate nodes were overwhelmed.
According to a post published by Malwarebytes Labs’ research team, the number of infected machines that downloaded the malicious client software and are unwillingly participating in the DDoS attacks has reached 152,000, up from fewer than 100,000 last week.
The attackers behind these campaigns are distributing botnet malware, dubbed “ElectrumDoSMiner,” primarily by leveraging the RIG exploit kit, Smoke Loader and a new, previously undocumented BeamWinHTTP loader.
“There are hundreds of malicious binaries that retrieve the ElectrumDoSMiner,” the researchers note. “We surmise there are probably many more infection vectors beyond the three we’ve uncovered so far.”
According to the researchers, the largest concentrations of Electrum DDoS bots are located in the Asia Pacific region (APAC), Brazil and Peru, with the botnet continually growing.
“The number of victims that are part of this botnet is constantly changing. We believe as some machines get cleaned up, new ones are getting infected and joining the others to perform DoS attacks. Malwarebytes detects and removes ElectrumDoSMiner infections on more than 2,000 endpoints daily,” the researchers say.
Since the updated versions of Electrum are not vulnerable to the phishing attacks, users are advised to update their wallet apps to the latest version (3.3.4) by downloading it from the official electrum.org site.
Meanwhile, Electrum wallet app users are advised to disable the auto-connect feature and select their server manually in order to protect against DDoS attacks.