Monero mining malware linked to Turkish telecom company

Turkish Internet provider implicated in recent Monero mining virus epidemic in Middle East, says Citizen Lab in its report
12 March 2018

Recently there was a flood of Windows applications infected with a Monero miner in Turkey and Syria. The University of Toronto's Citizen Lab took an interest in the case and published a report. The results are surprising, to say the least.

The culprit was connected to Türk Telekom, a formerly state-owned Turkish telecommunications provider. According to the report, the miner infections trace back to an unknown party with access to the provider's middleboxes, the same equipment associated with government surveillance in Turkey and Syria. All this raises the question of whether the virus itself is the product of some governmental mining effort.

The infection scheme, called "AdHose", is explained further in the report. While trying to download Windows applications such as Avast Antivirus, CCleaner, 7-Zip or Opera, users are unknowingly redirected to infected copies of the legitimate software.

The spokesperson for Türk Telekom reacted to the accusations and published a statement, calling Citizen Lab's allegations technically inaccurate and intentionally misleading. He also said that the company is currently investigating the issue, because they are "deeply committed to ethical technology development".

The idea of government-controlled cryptocurrency mining malware is a little far-fetched in experts' opinion, but similar cases have already been reported by the Open Observatory of Network Interference in 2016. At that time an Egyptian internet provider was implicated in similar MITM-type attacks that injected malware and advertising, minus the mining element.

Monero Team to Kill Coin Burning Bug

A scenario of a hypothetical attack described by one of the participants of Monero's subreddit helped to identify the bug
26 September 2018

Developers of the Monero cryptocurrency have eliminated a bug that could allow intruders to "burn" funds in organizations' wallets while sacrificing only a small amount in transaction fees. This is reported in the project's official announcement.

A scenario of a hypothetical attack, described by one of the participants of Monero's subreddit, helped identify the bug.

Practically speaking this bug is exploited as follows. An attacker first generates a random private transaction key. Thereafter, they modify the code to merely use this particular private transaction key, which ensures multiple transactions to the same public address (e.g. an exchange's hot wallet) are sent to the same stealth address. Subsequently, they send, say, a thousand transactions of 1 XMR to an exchange. Because the exchange's wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1000 XMR. The attacker then sells his XMR for BTC and lastly withdraws this BTC. The result of the hacker's action(s) is that the exchange is left with 999 unspendable / burnt outputs of 1 XMR.

dEBRUYNE at Get Monero

Monero developers note that this method does not let the attacker directly recover the XMR deposited this way. However, an attacker can cash the credited XMR out through bitcoin, and the exchange is left with 999 unspendable, or "burned", outputs of 1 XMR each.
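To make the mechanism in the quoted scenario and the paragraph above concrete, here is an added example (not code from Monero or from the quoted post) that models stealth-address derivation in a toy multiplicative group rather than on Monero's Ed25519 curve; the group, generator, hash functions and the `wallet_credit` check are all assumptions for illustration. It shows why reusing the transaction secret `r` yields the same one-time output key and the same key image, so only one of N outputs can ever be spent, and how a receiving wallet can refuse to credit the duplicates.

```python
"""Toy model of Monero-style stealth addresses (assumed, simplified group).

Shows why a reused transaction secret produces one spendable output and
N-1 burnt ones, and the wallet-side check that detects the duplicates.
"""
import hashlib
import secrets

# Toy group: multiplicative group modulo a Mersenne prime, standing in for
# Ed25519. This is NOT Monero's curve; it only keeps the algebra the text
# relies on (scalar * point becomes base ** exponent mod PRIME).
PRIME = 2**127 - 1       # group modulus (prime)
ORDER = PRIME - 1        # scalars are reduced modulo the group order
G = 3                    # assumed generator for the demo


def h_scalar(*parts: int) -> int:
    """Hash group elements to a scalar (toy H_s)."""
    data = b"".join(p.to_bytes(16, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER


def h_point(x: int) -> int:
    """Hash a group element to another group element (toy H_p)."""
    return pow(G, h_scalar(x), PRIME)


def rand_scalar() -> int:
    return secrets.randbelow(ORDER - 1) + 1


def keygen():
    """Recipient keys: (view secret a, spend secret b) and public (A, B)."""
    a, b = rand_scalar(), rand_scalar()
    return (a, b), (pow(G, a, PRIME), pow(G, b, PRIME))


def make_output(pub, r):
    """Sender side: R = r*G and one-time key P = H(r*A)*G + B."""
    A, B = pub
    R = pow(G, r, PRIME)
    shared = pow(A, r, PRIME)
    P = (pow(G, h_scalar(shared), PRIME) * B) % PRIME
    return R, P


def recover_spend_key(priv, R, P):
    """Recipient side: x = H(a*R) + b is the private key for output P."""
    a, b = priv
    shared = pow(R, a, PRIME)               # a*R equals r*A
    x = (h_scalar(shared) + b) % ORDER
    assert pow(G, x, PRIME) == P, "output does not belong to this wallet"
    return x


def key_image(P, x):
    """Key image I = x * H_p(P); the network rejects a second spend of I."""
    return pow(h_point(P), x, PRIME)


def wallet_credit(outputs):
    """Exchange-side check: credit only one output per distinct stealth key.

    outputs: list of (R, P, amount). Returns (credited, burnt_outputs).
    """
    seen, credited, burnt = set(), 0, []
    for R, P, amount in outputs:
        if P in seen:                       # funds arriving on a reused stealth address
            burnt.append((R, P, amount))
            continue
        seen.add(P)
        credited += amount
    return credited, burnt


def simulate(n_txs, reuse_r):
    """Send n_txs deposits of 1 XMR; return (naive_credit, checked_credit,
    burnt_count, distinct_key_images)."""
    priv, pub = keygen()
    fixed_r = rand_scalar()
    outputs = []
    for _ in range(n_txs):
        r = fixed_r if reuse_r else rand_scalar()
        R, P = make_output(pub, r)
        outputs.append((R, P, 1))
    naive = sum(amount for _, _, amount in outputs)
    credited, burnt = wallet_credit(outputs)
    images = {key_image(P, recover_spend_key(priv, R, P)) for R, P, _ in outputs}
    return naive, credited, len(burnt), len(images)


if __name__ == "__main__":
    print("honest sender, 5 deposits:", simulate(5, reuse_r=False))
    print("reused r, 1000 deposits:", simulate(1000, reuse_r=True))
```

With honest senders every deposit has its own stealth key and key image, so naive and checked credit agree. With a reused `r` the naive balance says 1000 XMR while only one key image exists, so `wallet_credit` credits 1 XMR and flags 999 burnt outputs, which is the warning the quoted post says exchange wallets lacked before the fix.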

The fix was distributed privately to exchanges and large merchants, so as not to draw attention to the problem before it had been resolved. According to the developers, the exploit was not used in any real attacks.

In early August, Livecoin suffered losses exceeding $1.8 million because of a critical bug in Monero's code that allowed transaction amounts to be manipulated.