On June 14th, 2018 Syscoin reported on their Twitter that all users who had downloaded the Windows Syscoin 3.0.4.1 installer should immediately read the security note. The message revealed that Syscoin’s GitHub account had been broken into and the Windows client replaced with a malicious Arkei Stealer, which logs wallet private keys and passwords. The problem was quickly fixed.
In the last few years, as cryptocurrency exploded, it opened a new niche for cybercriminals, who started targeting virtual currency software, stealing virtual wallets and mining coins on compromised machines. You have probably heard of some of these crypto-infections, such as the Xmrig virus, CryptoShuffler (which secretly changes the original recipient’s wallet address to the hacker’s), Bitcoin Miner, CoinHive and so on. Read more about crypto-mining on forbes.com.
This time it was Syscoin’s turn to face the hackers.
How was the problem noticed
Syscoin is a global network, decentralized database, blockchain and ‘revolutionary cryptocurrency’ that offers near-free transactions and fast speeds, and, as the company claims, ensures security. However, on June 13th, 2018 the blockchain team saw reports that Windows Defender SmartScreen was flagging syscoincore-3.0.4-win32-setup.exe and syscoincore-3.0.4-win64-setup.exe as coming from an “Unknown Publisher”.
Further investigation and virus analysis revealed that one Syscoin employee’s GitHub account had been hacked and an unofficial, unsigned Windows Syscoin 3.0.4.1 version had been released on the 9th of June, 2018, containing a trojan detected as Trojan:Win32/Feury.B!cl (Arkei stealer); the detection is also listed on virustotal.com.
After simulating the infection, researchers found that the malware affected only two files of the open-source Windows client, replacing them with a virus that showed keylogging/ransomware-like behavior, stealing passwords and wallet keys.
What should compromised users do
Although the problem was noticed and solved fairly quickly, if you downloaded Syscoin for Windows between June 9th, 2018 and June 13th, 2018, you must take some precautions:
Backup any important data including wallets onto another storage medium outside of the affected computer. Treat this data cautiously as it may contain infectious code.
Run an up-to-date virus scanner on your system to remove the threat.
Passwords entered since the time of the infection should be changed from a separate device after ensuring the threat has been removed.
Funds in unencrypted wallets, or in wallets that were unlocked during the infection period, should be moved to a newly generated wallet on a secure computer.
The note posted on GitHub additionally suggests using trojan-removal software for the best protection. Mac and Linux users have not been infected, so they don’t have to worry. However, if you use Windows and want to identify the installation date, you can check it in Settings->Apps, or open C:\Users\[USERNAME]\AppData\Roaming\SyscoinCore, right-click the syscoin-qt.exe file and look at its modified date.
If you downloaded the installation file but haven’t launched it, delete it immediately without opening it and run a full computer scan with an antivirus or anti-malware tool. We have the full list of them. This is just another reason to invest in a good cybersecurity tool, especially if you are engaged with cryptocurrency.
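The checks just described, written up as a PowerShell script. This is an added example, not code from the article or from Syscoin’s advisory: it reads the modified date of syscoin-qt.exe under the AppData path named above, checks the Authenticode signature status (an unsigned binary is what produces SmartScreen’s “Unknown Publisher” warning), and prints the SHA-256 so it can be compared against hashes the project publishes. The installer paths under Downloads and the cut-off times of the window are assumptions.

```powershell
# Added example (not from the article or Syscoin's advisory).
# Flags a Syscoin Windows binary as suspicious if it is unsigned or if its
# modified date falls inside the compromise window named in the advisory
# (June 9th to June 13th, 2018). Window boundaries are assumed whole days.
$WindowStart = [datetime]'2018-06-09'
$WindowEnd   = [datetime]'2018-06-13T23:59:59'

$Candidates = @(
    # Installed client, at the path the advisory names (%APPDATA% = C:\Users\<user>\AppData\Roaming)
    (Join-Path $env:APPDATA 'SyscoinCore\syscoin-qt.exe'),
    # Downloaded installers; the Downloads location is an assumption
    (Join-Path $env:USERPROFILE 'Downloads\syscoincore-3.0.4-win32-setup.exe'),
    (Join-Path $env:USERPROFILE 'Downloads\syscoincore-3.0.4-win64-setup.exe')
)

foreach ($Path in $Candidates) {
    if (-not (Test-Path -LiteralPath $Path)) { continue }   # nothing to check

    $File = Get-Item -LiteralPath $Path
    $Sig  = Get-AuthenticodeSignature -FilePath $Path
    $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # The legitimate release is signed; the trojanized 3.0.4.1 build was not.
    $Unsigned = $Sig.Status -ne 'Valid'
    $InWindow = ($File.LastWriteTime -ge $WindowStart) -and ($File.LastWriteTime -le $WindowEnd)

    [pscustomobject]@{
        Path          = $Path
        LastWriteTime = $File.LastWriteTime
        SigStatus     = $Sig.Status
        Signer        = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '(none)' }
        SHA256        = $Hash            # compare with the hashes the project publishes
        Suspicious    = $Unsigned -or $InWindow
    }
}
```

Run it in a normal (non-elevated) PowerShell session; a row with Suspicious = True means the file should be treated as described in the list above rather than trusted on the basis of the date alone.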
For the future, Syscoin promised to prevent similar situations by requiring employees who use GitHub to enable two-factor authentication (2FA) and by performing routine checks on files. Meanwhile, educating yourself about malware (there is plenty on the 2-viruses.com website) and about Ways to tell if your computer is mining can save you a lot of trouble and headaches if companies fail to keep their promises.
Source: GitHub.com