SecurityWeek


Compromised GitHub Account Spreads Malicious Syscoin Installers

Malware-laden Syscoin releases were up for download on an official GitHub repository after hackers managed to compromise an account and replace legitimate Windows installers.

The malicious releases were posted on the Syscoin GitHub release page on June 9 and remained there until June 13. Only the Windows installers of Syscoin 3.0.4.1 (syscoincore-3.0.4-win32-setup.exe and syscoincore-3.0.4-win64-setup.exe) were affected.

In a security notice published on Syscoin’s official account on the soon-to-be Microsoft-owned GitHub, the developers explain that the malicious code included in the modified installers is detected as Trojan:Win32/Feury.B!cl.

Mac and Linux releases were not modified by the hackers. Windows users who downloaded the ZIP archives weren’t affected either; only those who downloaded and executed the Syscoin 3.0.4.1 setup binaries are at risk.

“This may affect Windows users who downloaded and executed the Syscoin 3.0.4.1 Windows setup binaries from Github between June 09th, 2018 10:14 PM UTC & June 13th, 2018 10:23 PM UTC,” the security notice reads.

“Please be aware this exploit method could potentially affect other blockchain projects on Github,” Blockchain Foundry notes in the Syscoin 3.0.5’s release announcement.

Windows users are advised to check the installation date of their Syscoin install and confirm that they did not download and execute one of the tampered releases.

If the modified or installation date falls between June 9, 2018, and June 13, 2018, users are advised to back up important data (including wallets), verify that the backup itself does not carry the malicious code, and then scan their system with an anti-virus application.


They should also change any passwords entered during that timeframe (the malware is a keylogger) and secure any funds stored in “unencrypted wallets or wallets that had been unlocked during the infection period.”

Windows users who downloaded the corrupted binaries are further advised to follow a GenericKD Trojan removal guide before restarting the system, since the Trojan may log passwords entered in the meantime.

The hack was discovered after the Blockchain Foundry team received reports that the syscoincore-3.0.4-win64-setup.exe binary was being flagged as a potential virus by Windows Defender SmartScreen, AVG, and Kaspersky.

“Investigation into the issue revealed the original Github Windows setup binaries for release 3.0.4.1 had been modified and replaced with a malicious version through a compromised Github account. Upon discovery, the 3.0.4.1 setup binaries were removed from Github and replaced with official, signed versions of the binaries,” Syscoin reveals.

With the malicious binaries removed from the repository and the legitimate ones restored, Syscoin developers and Blockchain Foundry staff with GitHub access are now required to have two-step authentication enabled, to routinely check signature hashes, and to “work with Github to ensure users will be able to detect if binaries have been altered after release.”

“Although the issue was detected quickly, we believe that the crypto-community is at risk for a specific type of attack which targets gatekeepers of source code for cryptocurrency projects. We highly recommend that all gatekeepers of software repositories for cryptocurrency projects sign binaries through an official build process like Gitian,” Syscoin notes.
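The two checks the notice asks of end users and maintainers (was my install inside the compromise window, and does each release file still match the hash the maintainers published) are shown below in Python as an added example; this is not Syscoin's or Blockchain Foundry's own tooling. It assumes a sha256sum-style manifest (one "<sha256>  <filename>" line per file) that the maintainers publish alongside the release, and the file contents are constructed for the demo. The manifest is only worth checking if it is itself signed and the signature is verified (for instance with gpg --verify against the maintainers' key, which is outside this block): an attacker who can replace an installer through a compromised account can just as easily replace an unsigned hash list.

```python
"""Release-integrity checks of the kind the Syscoin notice recommends.

Added example, not Syscoin's or Blockchain Foundry's code. The manifest
format and file names are assumptions for illustration; the compromise
window is the one quoted in the security notice.
"""
import hashlib
import hmac
import os
import tempfile
from datetime import datetime, timezone

# Window quoted in the Syscoin security notice (UTC).
WINDOW_START = datetime(2018, 6, 9, 22, 14, tzinfo=timezone.utc)
WINDOW_END = datetime(2018, 6, 13, 22, 23, tzinfo=timezone.utc)


def in_compromise_window(ts) -> bool:
    """True if a download/install timestamp falls inside the window.

    Accepts a datetime or an ISO 8601 string. Naive timestamps are treated
    as UTC; convert local Windows file times before passing them in.
    """
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return WINDOW_START <= ts <= WINDOW_END


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines into {filename: hexdigest}.

    Accepts both "hash  name" (text mode) and "hash *name" (binary mode).
    Malformed lines raise rather than being skipped, so a truncated or
    tampered manifest cannot quietly pass as a shorter one.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or \
                any(c not in "0123456789abcdefABCDEF" for c in parts[0]):
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts
        name = name[1:] if name.startswith("*") else name
        entries[name] = digest.lower()
    return entries


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large installers do not need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_release(manifest_text: str, release_dir: str) -> dict:
    """Compare every manifest entry against the file on disk.

    Returns {filename: "OK" | "MISMATCH" | "MISSING"}. A MISMATCH against
    a signed manifest is exactly the signal that would have exposed the
    swapped installers before execution.
    """
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(release_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(path), expected):
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo() -> dict:
    """Constructed scenario: a two-file release whose win64 installer is
    replaced after the manifest was produced (file contents are fake)."""
    with tempfile.TemporaryDirectory() as d:
        genuine = {
            "syscoincore-3.0.4-win32-setup.exe": b"genuine win32 installer bytes",
            "syscoincore-3.0.4-win64-setup.exe": b"genuine win64 installer bytes",
        }
        for name, data in genuine.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # Manifest computed from the genuine files (what maintainers would sign).
        manifest = "\n".join(
            f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in genuine.items()
        )
        # Attacker swaps the win64 asset through the compromised account.
        with open(os.path.join(d, "syscoincore-3.0.4-win64-setup.exe"), "wb") as f:
            f.write(b"trojanised win64 installer bytes")
        return verify_release(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
    print("inside window:", in_compromise_window("2018-06-10T12:00:00+00:00"))
```

For a real release, run verify_release against the downloaded assets with the manifest text read from the file whose detached signature you have already checked; treat any MISMATCH or MISSING as a reason not to execute the installer, not as a warning to click through.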

Written by Ionut Arghire, international correspondent for SecurityWeek.
