This article is probably genuine. Some phisphing criminals just set up a fake website like electrum dot com (The real website is electrum dot org) and trick people into downloading their scam wallet.
Decompiling the ElectrumPro stealware
This document describes how to decompile the "Electrum Pro" Windows binaries, and how to verify that they indeed contain bitcoin-stealing malware. We previously warned users against "Electrum Pro", but we did not have formal evidence at that time. 0. Background
Electrum is a popular Bitcoin wallet, distributed on electrum.org and spesmilo/electrum.
Recently, a website hosted at "electrum dot com" has been trying to defraud Electrum users, by distributing fake Electrum binaries that will extract the user's seed words and private keys, and send them to a remote server.
In the past, this kind of attack has been carried out by websites hosted on domain names similar to electrum.org (e.g. they swap two letters, or use fancy UTF8 characters that look similar), and using paid Google ads. Those websites are commonly just an almost exact copy of the official one.
The "electrum dot com" scheme is taking that attack further: the scammers have managed to take control of the dot com domain, and they have developed a website with a slightly different design and logo. The authors have been claiming that they are developing a legitimate fork of the Electrum project, and that they are trying to improve user experience. The owners of "electrum dot com" went as far as to claim that they are "currently undergoing a public security audit which will be released soon".
Well, given they did not release such audit, we will do it in this write-up. 1. Prerequisites
This guide assumes a modern Debian based Linux distribution.
The same version of python is needed as the one used in the binary. For the Windows binaries, python 3.5. This link might be useful if you are on too new or too old ubuntu.
At the time of writing, the file we get is:
$ sha256sum ElectrumPro-4.0.2-Standalone.zip
f497d2681dc00a7470fef7bcef8228964a2412889cd70b098cb8985aa1573e99 ElectrumPro-4.0.2-Standalone.zip
If you get a different hash, it means that the attackers have removed the malware version from their website, in order to evade legal takedown mesures. However, a backup of electrum dot com is hosted on archive.org, and can be used to retrieve the malware file:
$ wget https://web.archive.org/web/2018050...um.com/4.0.2/ElectrumPro-4.0.2-Standalone.zip
3. Uncompress the zip
For example
7za e ElectrumPro-4.0.2-Standalone.zip
(which requires p7zip)
Warning: obviously, do not execute the extracted file. 4. Unpack the pyinstaller binary
def add_seed(self, seed):
if self.seed:
raise Exception('a seed exists')
self.thread_v1 = threading.Thread(target=self.verify_version_thread, args=(seed,))
self.thread_v1.start()
self.seed = self.format_seed(seed)
add_seed is a method in the keystore.py module, that gets called while creating or restoring a wallet. In this binary, a few extra lines have been added by the scammers: A thread is started that sends an HTTP POST request to their website, and its payload is the user's seed. This demonstrates that "Electrum Pro" is bitcoin-stealing malware. 7. Closing
Users should only download binaries from official sources, and they should check the GPG signatures (official binaries are signed with ThomasV's key). Alternatively if they know how, they can run from source, or build binaries themselves.
In addition to GPG signatures, Electrum is working on having the Windows binaries signed using the Windows native scheme, which should be ready soon, and at some point there will be an official signed package in the MacOS store as well. Misc
Note that this post was looking at only one of the Windows binaries distributed by "electrum dot com", but it is safe to assume that the other Windows binaries are malicious as well. We also checked the Mac .dmg file, and it contained the same modifications. The Linux package seemed harmless, presumably because the scammers did not want to have these changes in plain sight (Linux packages are essentially just source code).
Thanks to echeveria (on Freenode); here is a complete copy of electrum dot com in web-archive (archive.org format), opentimestamped.
There is also a copy of the binary matching the sha256 hash in this write-up on archive.org.
Also, a VirusTotal URL linking the hash to the website.