Recently I found some malicious ElectrumX nodes in the Electrum network that Electrum clients still connect to. In this post I share some information about these nodes and the patched ElectrumX code they execute.
Malicious ElectrumX Servers
If we run the Electrum client, we can observe the list of servers it connects to. For example, in this execution of the client in app.any.run we can see the list of connected servers. Among these servers we find some suspicious IPs:
As you can see, AnyRun had already flagged the IP 92.63.197.]245 (electrumx.]ml) as suspicious. Other IPs from this range 126.96.36.199/24 were related to malicious activity. For example, 92.63.197.]48 was associated with GandCrab here, and 92.63.197.]153 was related to a Phorpiex campaign here.
Additionally, I found more ElectrumX nodes at 92.63.192.]249 and 92.63.192.]250. Again, malicious activity is related to IPs in the same range: 92.63.192.]186 is a PredatorTheThief panel at the time of writing, and http://92.63.192.]139/pay contains phishing.
Malicious ElectrumX Servers Patched Source Code
We were able to find the patched ElectrumX source code executed by these servers. It is a tuned variant of version 1.8.2 of the ElectrumX server.
You can find the source code of the malicious server here (password: infected12345678).
Original ElectrumX source code vs Patched source code
You can find the original ElectrumX 1.8.2 on GitHub.
We have compared the patched version against the original. There are multiple differences, but one of the key ones is found in /electrumx/server/session.py:
At this point, depending on the Electrum client version, the patched ElectrumX server returns a different phishing message. These phishing messages look like this:
Patched Malicious ElectrumX Server PHP Control Panel
The malicious code's authors added a PHP control panel that lets them configure the server easily. The source code for this panel is shared in the same zip file as the patched server code (password: infected12345678). Among other things, the PHP panel lets the authors update the phishing messages.
Taking a look at the patched source code (/electrumx/lib/coins.py), we find a list of peers that differs from the original source:
Additionally, we were able to collect some peers that have been connected (probably most of the 92.63.*.* hosts are running this patched malicious ElectrumX server):
Here is the full list, in text format, of the servers we were able to collect.
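As an added example (not code from this post or from the ElectrumX project), here is a Python triage check that runs an ElectrumX-style peer list, like the one in the patched coins.py or the collected list above, against the indicators named in the post. Only the 92.63.197.x and 92.63.192.x addresses and the electrumx.ml hostname come from the post; the /24 prefixes around those addresses, the /16 behind the author's "92.63.*.*" remark (treated as lower confidence), the peer-entry format ("host s t" as in ElectrumX's coins.py, or "host:port:proto" as in the Electrum client) and the sample entries are assumptions.

```python
"""Triage an Electrum/ElectrumX peer list against the indicators from the post.
Added example; not code from the post or from ElectrumX."""
import ipaddress
from dataclasses import dataclass

# Assumed /24s around the addresses listed in the post ("the same range").
HIGH_CONFIDENCE_NETS = [ipaddress.ip_network("92.63.197.0/24"),
                        ipaddress.ip_network("92.63.192.0/24")]
# Assumed /16 for the author's "probably most of the 92.63.*.*" remark.
LOW_CONFIDENCE_NETS = [ipaddress.ip_network("92.63.0.0/16")]
# Hostname named in the post.
BAD_HOSTNAMES = {"electrumx.ml"}


@dataclass
class Verdict:
    host: str
    level: str   # "high", "low" or "clean"
    reason: str


def refang(host: str) -> str:
    """Undo the '.]' / '[.]' defanging used in the post so entries compare equal."""
    return host.replace("[.]", ".").replace(".]", ".")


def host_of(peer_entry: str) -> str:
    """Extract the host from a peer entry.

    Assumed formats: ElectrumX coins.py style "host s t" / "host s50002 t50001"
    (whitespace separated), or Electrum client style "host:port:proto".
    """
    entry = peer_entry.strip()
    if " " in entry:
        host = entry.split()[0]
    else:
        host = entry.split(":")[0]
    return refang(host.lower())


def classify(peer_entry: str) -> Verdict:
    """Return a Verdict for one peer entry (hostname match first, then IP ranges)."""
    host = host_of(peer_entry)
    if host in BAD_HOSTNAMES:
        return Verdict(host, "high", "hostname named in post")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal and not a listed hostname: nothing to say about it.
        return Verdict(host, "clean", "hostname not on list")
    for net in HIGH_CONFIDENCE_NETS:
        if addr in net:
            return Verdict(host, "high", f"address in {net}")
    for net in LOW_CONFIDENCE_NETS:
        if addr in net:
            return Verdict(host, "low", f"address in {net}")
    return Verdict(host, "clean", "address not in listed ranges")


def scan(peer_entries):
    """Classify every entry and group hosts by level for quick triage."""
    out = {"high": [], "low": [], "clean": []}
    for entry in peer_entries:
        verdict = classify(entry)
        out[verdict.level].append(verdict.host)
    return out


# Constructed sample list: the 92.63.197/192 addresses and electrumx.ml come
# from the post; the remaining entries are made-up placeholders.
SAMPLE_PEERS = [
    "electrumx.]ml s t",
    "92.63.197.245 s t",
    "92.63.192.249 s50002 t50001",
    "92.63.10.7:50002:s",
    "electrum.example.invalid s t",
]

if __name__ == "__main__":
    for level, hosts in scan(SAMPLE_PEERS).items():
        print(f"{level:5s} {hosts}")
```

A "low" verdict only says the address sits somewhere in the wider 92.63.0.0/16 the author suspects; it is a prompt to look closer (for example at what the server returns during version negotiation), not proof that the host runs the patched code.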