TheMerkle WaterMiner Monero Mining Malware

A botnet that has been targeting Electrum users just won’t quit. If anything, it seems to be picking up more hosts along the way and getting stronger. In the past month, the number of infected hosts has averaged 100,000. On April 24, the number went up to 152,000 according to a report by security firm Malwarebytes Labs. Since detection on April 4, the botnet has stolen over $4.6 million in users’ funds.

As we reported earlier this month, Electrum announced on Twitter that it had suffered a denial of service (DoS) attack. At the time, the botnet behind the attack had pooled together the power of 140,000 machines. It targeted Electrum clients who were using the old version of the wallet.

And now, according to Malwarebytes, there are two distribution campaigns that are fueling the botnet. The two, known as Smoke Loader and RIG exploit kit, are dropping the ElectrumDoSMiner malware. The team also identified a loader it named Trojan.BeamWinHTTP that’s involved in downloading the malware.

(Image courtesy of Malwarebytes Labs)

As shown in the graph, the researchers have only identified a handful of methods that the hackers have used to distribute the malware onto Electrum users’ machines. However, the number of malicious binaries downloading the Trojan could be in their hundreds.

Through analysis of the IP addresses, the team discovered that the malware was predominant in the Asia Pacific region. Away from this region, Brazil and Peru also have a high concentration. Egypt also has a significant number of malware hosts.

The Rise of DoS Attacks 

The team further explained:

The number of victims that are part of this botnet is constantly changing. We believe as some machines get cleaned up, new ones are getting infected and joining the others to perform DoS attacks. Malwarebytes detects and removes ElectrumDoSMiner infections on more than 2,000 endpoints daily.

And indeed, the Malwarebytes team has been actively fighting the malware. The graph below shows their progress on three different days.

(Image courtesy of Malwarebytes Labs)


Developers believe the attack was retribution by the hackers after Electrum developers thwarted their initial plans. Speaking earlier in the month, Electrum lead developer explained, “We are not sure what motivates the attacker. It might be some kind of retaliation after we took steps last month in order to prevent phishing attacks. This counter-attack has been effective against phishing because it does not require a lot of legit servers.”

The Malwarebytes believes that though the attack has been massive, media outlets have underreported on the issue.

“Crooks wasted no time in exploiting a vulnerability in Electrum wallets to phish unsuspecting users. What followed next with retribution attacks on Electrum servers was unexpected but logical, considering what is at stake. While these DDoS attacks have not been publicized much by mainstream media, they have undoubtedly caused millions of dollars in losses over the span of just a few months.”

DDoS attacks have become the biggest threat to cybersecurity, a survey earlier in the year showed. The survey by the Neustar International Security Council (NISC) found that 75 percent of cybersecurity experts believe DDoS attacks pose the largest threat. Half the companies sampled had suffered a DDoS attack of some sort in 2018.

Image(s): Shutterstock.com


I am a very awesome human. I love writing, and I am awesome at it. I am a blockchain and cryptocurrency enthusiast and championing the blockchain through well-crafted articles is what I do