Analysis of Malicious ElectrumX Servers Source Code

Some months ago, a post on reddit reported malicious servers on the Electrum network performing phishing attacks against users of the Electrum wallet (a bitcoin client). Electrum confirmed it in this github issue. These fantastic posts on blog.coinbase.com and malwarebytes explain really well how the phishing attack was performed.

Recently I have found some malicious ElectrumX nodes in the Electrum network that the Electrum software still connects to. In this post I share some information about these nodes and the patched ElectrumX code that they execute.


Malicious ElectrumX Servers

If we run the Electrum client, we can observe the list of servers that it connects to. For example, in this execution of the client on app.any.run we can see the list of connected servers. Among these servers, we can find some suspicious IPs:




As you can see, AnyRun had already flagged the IP 92.63.197.]245 (electrumx.]ml) as suspicious. Other IPs in the same range, 92.63.197.0/24, have been related to malicious activity. For example, 92.63.197.]48 was associated with GandCrab here, and 92.63.197.]153 was related to a Phorpiex campaign here.

Additionally, I found more ElectrumX nodes at 92.63.192.]249 and 92.63.192.]250. Again, malicious activity is related to IPs in the same range: 92.63.192.]186 is a PredatorTheThief panel at the time this post is being written, and http://92.63.192.]139/pay contains phishing.


Malicious ElectrumX Servers Patched Source Code

We have been able to find the patched ElectrumX source code being executed by these servers. It is a modified variant of version 1.8.2 of the ElectrumX server.

You can find the source code of the malicious server here (password: infected12345678).


Original ElectrumX source code vs Patched source code

You can find the original ElectrumX 1.8.2 on github.

We have compared the patched version against the original version. There are multiple differences; one of the key differences is in /electrumx/server/session.py:





At this point, the patched ElectrumX server returns a different phishing message depending on the Electrum client version. The phishing messages look like these:
















Patched Malicious ElectrumX Server PHP Control Panel

The authors of the malicious code added a PHP control panel that lets them configure the server easily. The source code for this panel is included in the same zip file as the patched server code (pass: infected12345678). Among other things, the PHP panel lets the authors update the phishing messages.





Malicious Peers

Taking a look at the patched source code (/electrumx/lib/coins.py), we can find a list of peers that differs from the one in the original source:




Additionally, we have been able to collect some peers that have been connected (probably most of the 92.63.. addresses are running this patched malicious ElectrumX server):




Here is the full list, in text format, of the servers that we have been able to collect.
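One way to repeat the coins.py peer comparison on any ElectrumX tree you are auditing, as an added example (not code from the patched server or from the ElectrumX project). The function names and the two sample sources are constructed for illustration; the only values taken from the post are the two /24 ranges and one defanged address.

```python
import ast
import ipaddress

# The two /24 ranges the post associates with the malicious servers.
SUSPECT_NETS = [ipaddress.ip_network(n) for n in ("92.63.197.0/24", "92.63.192.0/24")]

# Constructed stand-ins for the two coins.py files (not the real peer lists).
REFERENCE_SRC = '''
class Bitcoin:
    PEERS = ['electrum.example.org s t', 'node.example.net s50002']
'''
SUSPECT_SRC = '''
class Bitcoin:
    PEERS = ['electrum.example.org s t', '92.63.192.]249 s t']
'''

def extract_peers(source):
    """Map class name -> PEERS list, read from the AST without importing the file."""
    found = {}
    for node in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.ClassDef)):
        for stmt in node.body:
            if isinstance(stmt, ast.Assign) and any(
                    isinstance(t, ast.Name) and t.id == "PEERS" for t in stmt.targets):
                try:
                    found[node.name] = list(ast.literal_eval(stmt.value))
                except ValueError:
                    found[node.name] = []  # computed value: needs manual review
    return found

def in_suspect_range(peer):
    """True if the peer's host is a literal IP inside one of SUSPECT_NETS."""
    host = peer.split()[0].replace(".]", ".")  # accept the post's defanged form
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname; no DNS lookup is done here
    return any(addr in net for net in SUSPECT_NETS)

def diff_peers(reference_src, suspect_src):
    """Per coin class: peers added/removed by the suspect tree, and added ones in range."""
    ref, sus = extract_peers(reference_src), extract_peers(suspect_src)
    report = {}
    for cls in sorted(set(ref) | set(sus)):
        added = [p for p in sus.get(cls, []) if p not in ref.get(cls, [])]
        removed = [p for p in ref.get(cls, []) if p not in sus.get(cls, [])]
        if added or removed:
            report[cls] = {"added": added, "removed": removed,
                           "flagged": [p for p in added if in_suspect_range(p)]}
    return report
```

Calling `diff_peers()` with the text of the upstream 1.8.2 `coins.py` and of the tree under review gives a per-coin list of changed peers; hostnames are reported as added or removed but are never resolved, so the range check only covers literal IPs.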

Article Link: http://www.peppermalware.com/2019/12/analysis-of-malicious-electrumx-servers.html