Bitdefender warns: a bot was detected logging into Ethereum OS systems and stealing cryptocurrency

Recently, there have been frequent incidents in which unwitting users are exploited to generate cryptocurrency: internauts' computers are infected and then used to mine coins. This time, however, a new way of "taking over" someone else's funds held in virtual wallets has appeared. Analysts from Bitdefender have detected a bot that changes the configuration of Ethereum OS, a 64-bit Linux-based system, in order to steal funds from Ethereum mining operations.

People familiar with blockchain technology will know the Ethereum OS software, designed for mining Ethereum, Zcash, Monero and other cryptocurrencies. According to its creators, 38,000 mining platforms based on Ethereum OS operate worldwide.


Screenshot of the Ethereum OS system.

Like other operating systems, Ethereum OS comes pre-loaded with the necessary tools and, of course, a default username and password. After mining starts, a new wallet must be created or an existing one imported, and then, obviously, the username and password should be changed. Unfortunately, many users forget the latter step. The bot scans the entire IPv4 address range looking for open SSH services. If it finds one, it tries to log in with the default username (live) and password (live).

If the login succeeds, the malware tries to change the existing wallet configuration so that the mined cryptocurrency is transferred to the attacker's Ethereum wallet address. That wallet, in this case 0xb4ada014279d9049707e9A51F022313290Ca1276, currently shows 11 transactions in the last few days with a total value of $665.
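As an added example (not from Bitdefender's report or the Ethereum OS project), a small Python check a rig operator could run: it flags any payout address in the mining config that differs from the one the operator expects, and lists successful SSH password logins for the default account in an sshd log. The `proxywallet` key name, the expected address and the log lines are constructed assumptions; the attacker address is the one quoted above.

```python
import re
from typing import Dict, List, Tuple

# Keys whose value is a payout address. 'proxywallet' is an assumed key name for
# illustration; adapt it to the real config keys of the rig software in use.
WALLET_KEYS = ("proxywallet", "wallet")
# sshd wording for a successful password login.
SSH_ACCEPTED = re.compile(
    r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

def find_wallet_drift(config_text: str, expected: str) -> List[Tuple[str, str]]:
    """Return (key, address) pairs whose address is not the operator's expected one."""
    drift = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in WALLET_KEYS:
            continue
        key, value = parts
        # Anything other than the expected address (case-insensitive) is flagged.
        if value.lower() != expected.lower():
            drift.append((key, value))
    return drift

def default_user_logins(auth_log: str, default_user: str = "live") -> List[Dict[str, str]]:
    """Collect successful password logins for the default account, with source IP."""
    hits = []
    for line in auth_log.splitlines():
        m = SSH_ACCEPTED.search(line)
        if m and m.group("user") == default_user:
            hits.append({"ip": m.group("ip"), "port": m.group("port")})
    return hits

# Constructed samples: a placeholder expected address and a config in which the
# payout address has been swapped to the address quoted in the article.
EXPECTED_WALLET = "0x1111111111111111111111111111111111111111"  # placeholder, not real
SAMPLE_CONFIG = """\
# rig config (constructed)
proxywallet 0xb4ada014279d9049707e9A51F022313290Ca1276
proxypool1 pool.example:4444
"""
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 rig1 sshd[911]: Accepted password for live from 203.0.113.7 port 51234 ssh2
Jan 10 03:12:09 rig1 sshd[915]: Failed password for root from 198.51.100.3 port 40210 ssh2
"""

if __name__ == "__main__":
    print("wallet drift:", find_wallet_drift(SAMPLE_CONFIG, EXPECTED_WALLET))
    print("default-user logins:", default_user_logins(SAMPLE_AUTH_LOG))
```

Run it periodically (or from a cron job) against the rig's real config file and auth log; a non-empty result from either function is a sign the rig has been tampered with.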


List of recent transactions.

Users of the Ethereum OS system should immediately change the default login details and transfer all their savings to another Ethereum wallet.




We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.