Svetoslav Vassilev

Hot Wallets During “Crypto Winter”

Updated: Dec 23, 2022

TL;DR

Hot crypto wallets are vulnerable and are not adequately defended by legacy AV products! Install UpSight Security to protect what matters most to you.


Crypto Winter

Crypto Winter or not, at the time of this writing, BTC's market cap is $310B and 1 BTC is trading for $16,200. Not too shabby! Due to the recent FTX crypto exchange implosion, more and more crypto users are running away from custodial wallets, thus increasing the amount of crypto riches held in self-managed wallets. Self-managed/non-custodial wallets generally fall into two categories: 1) hot - connected to the internet and ready for trading, and 2) cold - more secure hardware devices that keep your private keys offline (or so I have been told :)).


Considering that the WHY of UpSight Security is to protect what matters most to Windows users, I decided to take a look into what Google told me is the most popular desktop crypto hot wallet - Exodus.


Disclaimer: this blog is not an attempt to discredit/attack Exodus or scare the reader away from this particular wallet. I think that the Exodus desktop wallet is a fine product and it could certainly benefit from additional protection provided by UpSight Security.


Hunting for Secrets

After installing the Exodus wallet, I wanted to find out:

1. What are the resources that UpSight needs to protect?

2. Is Exodus leaking any of the user's sensitive information, namely the password used to unlock the UI and the private keys used to sign transactions?


Hunting for Secrets Stored in Files


The answer to 1) became obvious after taking a Procmon trace while Exodus was starting and the UI was being unlocked. I simply searched for files containing "wallet" in their path, and voila:

It seemed that the jewels were stored in %AppData%\Exodus\exodus.wallet. The content of the whole directory on my device was/is:


In order to cross-reference my findings, I decided to go to our good ol' friend Google and search for some prominent crypto malware examples; I found this excellent article from Microsoft Security - https://www.microsoft.com/en-us/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/. The post confirmed that stealers like RedLine/Mars/Raccoon are indeed after crypto hot wallets and that they try to exfiltrate the actual wallet files (like our friend seed.seco above), but what caught my attention was the mention of a subsequent offline brute-force attack to crack the key that encrypts the wallet file. I suppose if the attackers get their hands on the public crypto address, then they can figure out whether the contents of the wallet will justify the electricity bill.


Next on the agenda was to look closer into the behavior of RedLine. Why RedLine? 1) it is one of the more widely spread cred-theft stealers, and 2) an esteemed ex-colleague of mine told me that it was actually coded in .NET and can easily be reverse engineered. Hmm…


If you want to go through the exercise yourself:

As it turned out, RedLine is after all the *.json files within the %AppData%\Exodus directory and all the files in the wallet directory:

I perused the source and confirmed that RedLine indeed exfiltrates only the Exodus files and makes no attempt whatsoever to decrypt them while executing on the machine in the user context. Lazy! ;)


So far I have figured out what files needed protection from theft. Does UpSight need to protect the actual Exodus processes though? Read on!


Hunting for Secrets in Memory

I started coding a simple tool in my favorite scripting language - C++ ;), which enumerates the Exodus processes and dumps their memory to files.


Armed with knowledge from the "In hot pursuit of cryware…" article, I opened a terminal and started grepping the exodus_*.dmp files for private key patterns. The search:


$ grep -obUaP '[5KL][1-9A-HJ-NP-Za-km-z]{50,51}' *.dmp


returned too many matches. Bounding the search with anchors ^/$ resulted in very few matches that did not look like valid keys, so I abandoned the idea.


I decided to simplify and directly look for the private signing keys, mostly to make sure that the regex I had crafted was correct. Exodus gives the user the ability to view their private keys and, to the product's credit, there is an explicit warning:


“Are you sure you want to show your Bitcoin private keys?

Be sure you are in a private location and no one can see your screen.

Anyone viewing your private keys can steal your funds.”


After acknowledging that indeed I want to see my keys, I had to enter the password one more time and was presented with a separate modal window, which displayed the 4-tuple


{Public address, Path, Balance, Private Key}


I made a note of one of the private keys, closed the window, took another memory dump of Exodus and grepped for a prefix of an actual key. This time around I found a match:


Hmm… OK, let's restart the app, take a memory dump without revealing the keys and search again. The keys were not to be found in the memory dump.


Recap: the private crypto keys were present in Exodus processes’ memory only after the user had viewed them on the screen!


This was encouraging, since I would imagine that most users do not look at their keys every time they log on to the Exodus wallet.


Still, it gave me enough reason to create a rule that protects the Exodus processes from having their memory dumped.


I was almost ready to give up with this light-weight dissection of the Exodus Desktop Wallet, when it occurred to me that I never searched for the actual password that unlocks the UI and is subsequently used to decrypt the seed file, which in turn is used to generate the private keys.


I performed another grep, this time looking for my password in clear text:



What? I could not quite believe my eyes, so I opened the Exodus_19004.dmp file in a text editor and searched for the password string:


{"method":"Target.targetInfoChanged","params":{"targetInfo":{"targetId":"7F89E8D3E58845149940312371DFC21F","type":"page","title":"","url":"file:///C:/Users/svetlio/AppData/Local/exodus/app-22.11.21/resources/app.asar/src/static/wallet.html#%7B%22walletDir%22%3A%22C%3A%5C%5CUsers%5C%5Csvetlio%5C%5CAppData%5C%5CRoaming%5C%5CExodus%5C%5Cexodus.wallet%22%2C%22passphrase%22%3A%22MY_PASSWORD_IS_HERE%22%7D","attached":true,"canAccessOpener":false,"browserContextId":"019D262213FE6D518DB1E62B63BA5C9B"}}}

Wow! Not only was my password plastered there in clear text, but it was also placed in a nice home, prefixed by the path to the wallet files and nestled inside URL-encoded quotation marks (%22). The implications of this are HUGE:


I can actually write a regex that can go through the memory of an executing Exodus process and exfiltrate the user’s password in clear text. This will work on any machine and does not require elevation of privileges!


So what can I do with that password? Well, if I can get my hands on the wallet files, which, as mentioned earlier, is something the cred-theft stealers are already doing, I can install Exodus on a PC of my choosing, replace the files in the exodus.wallet directory with the stolen ones, start the UI, unlock it with the stolen password and transfer whatever funds there are to a BTC address of my own choosing. As a matter of fact, I performed these exact steps and it worked like a charm!


Let that sink in for a moment:

If an Exodus process is running and the UI is unlocked, then any process executing with regular user privileges can steal the user password!

If the above happens, then the user will be “relieved” of their crypto funds. FOREVER! The crypto transactions are irreversible and this is by design!


Creating a Pen-Test Tool

It was time to create a tool that automates the process of obtaining the password from Exodus. I authored a simple program that does the following:

  • Enumerate the Exodus processes.

  • For each process found, perform a yara process scan where the rule is:

    rule exodus_password : EXODUS_PASSWORD
    {
        meta:
            AttributeId = "FileYaraTags"
        strings:
            $pass_pattern = /Exodus%5C%5Cexodus.wallet%22%2C%22passphrase%22%3A%22.{3,256}%22/
        condition:
            $pass_pattern
    }

  • Any match will contain a string that is a strong contender for the password.


Here is the tool in action:


One thing became abundantly clear - UpSight will have to protect both the wallet files and the Exodus processes!


What About Windows Defender?

What about it?


Windows Defender was chilling while I was attacking Exodus; both "Real-time" and "Cloud-delivered" protections were ON. A reasonable question to ask, then, is: "well … in the article above Microsoft claims that it goes to great lengths to defend users from cryware, are they lying?". I do not think so; they are really trying, it is just that Defender (as well as the rest of the legacy AV vendors) predominantly relies on 30+ year old scanning technology. Defender was all up in my business when I downloaded the RedLine sample from the MalwareBazaar website, because … its signature files had already been updated with the SHA256 in question.


Essentially, if no security vendor has flagged a PE as malicious, then most of the time the binary will pass the malware checks with flying colors. The tool that I developed is one network connection away from being even more nefarious than RedLine (remember, it gets the password), and here is what VirusTotal tells me about it:



I am pretty sure that even if I reimplemented the entirety of RedLine, including some sort of C2 protocol, the legacy AV scanners would still be clueless and not recognize it as malware.


This further drives home UpSight's main premise - the consumer AV industry is broken! Legacy AV does not protect against attacks on the most valuable resources Windows users have on their PCs, namely user accounts, wallets, credit cards, etc.


What is UpSight Security Protecting

We have developed rules that will protect against:

  • Exodus wallet files theft.

  • Exodus process memory dumping.

  • Most common attempts to inject executable code into Exodus processes.

The above defenses will work against any malware written in any programming language, regardless of whether that malware has been seen in the wild or not!
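For readers who want to detect the memory-dumping step described above with tooling they already have, here is an added example (not UpSight's or Exodus' code) that runs detection logic over Sysmon Event ID 10 (ProcessAccess) records. It assumes Sysmon is installed with that event enabled and the events are available as dicts with the SourceImage, TargetImage and GrantedAccess fields; the sample events are constructed.

```python
"""Flag handle opens that could dump the memory of the Exodus wallet process.

Added example (not UpSight's or Exodus' code). Assumes Sysmon is installed with
Event ID 10 (ProcessAccess) enabled and that events are available as dicts
carrying the fields Sysmon emits: SourceImage, TargetImage, GrantedAccess.
"""
PROCESS_VM_READ = 0x0010       # right needed by ReadProcessMemory / MiniDumpWriteDump
PROCESS_ALL_ACCESS = 0x1FFFFF  # full access implies memory reads as well
WALLET_IMAGE = "exodus.exe"    # wallet process name, compared case-insensitively


def reads_memory(granted_access: str) -> bool:
    """True if the GrantedAccess mask (Sysmon logs it as hex text) allows memory reads."""
    mask = int(granted_access, 16)
    return bool(mask & PROCESS_VM_READ) or mask == PROCESS_ALL_ACCESS


def suspicious_access(event: dict) -> bool:
    """True for a ProcessAccess event that should raise an alert.

    Assumption: the Electron main process legitimately opens its own renderer
    processes, so wallet-to-wallet access is allowed; any other process that
    obtains memory-read access to the wallet is flagged.
    """
    target = event["TargetImage"].rsplit("\\", 1)[-1].lower()
    source = event["SourceImage"].rsplit("\\", 1)[-1].lower()
    if target != WALLET_IMAGE or source == WALLET_IMAGE:
        return False
    return reads_memory(event["GrantedAccess"])


def find_alerts(events: list) -> list:
    """Reduce a batch of Sysmon Event ID 10 records to the ones worth alerting on."""
    return [e for e in events if suspicious_access(e)]


# Constructed sample events for illustration, not real telemetry.
EXODUS = r"C:\Users\u\AppData\Local\exodus\app-22.11.21\Exodus.exe"
SAMPLE_EVENTS = [
    {"SourceImage": EXODUS, "TargetImage": EXODUS,
     "GrantedAccess": "0x1FFFFF"},  # main process -> renderer: expected
    {"SourceImage": r"C:\Users\u\Downloads\dumper.exe", "TargetImage": EXODUS,
     "GrantedAccess": "0x1410"},    # QUERY_INFORMATION | VM_READ: dump attempt
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": EXODUS,
     "GrantedAccess": "0x1000"},    # QUERY_LIMITED_INFORMATION only: benign
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["SourceImage"], "opened wallet with", alert["GrantedAccess"])
```

In a real deployment the wallet-to-wallet allowance should be tightened to the wallet's own install directory, since a dumper copied next to Exodus.exe under the same name would otherwise slip through.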


Here is a snapshot of UpSight in action:


UpSight Security will not protect against:

  • Keyloggers - I for one would love it if Microsoft just retired SetWindowsHookEx. We have some plans to address this though!

  • Clipping and switching, aka clipboard attacks.

  • Visiting phishing sites.

  • Scams and social engineering attacks.

The Response from Exodus

According to CVSS (assuming that we had plugged in the data correctly), the severity of this issue is 7.1/10 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/RL:U/RC:R/MAV:L/MAC:L/MPR:L/MUI:N/MS:U/MC:H/MI:H/MA:N.


We did contact Exodus (the company) with our findings, since the ethical thing to do was to give them some time to address the issue, before we go public. The Exodus security team deemed that this is a non-issue; here is their response verbatim:

"After discussing the matter with our Security engineers, we have concluded that we do not consider this to be a security issue.

To be fair, anyone with remote or physical access could steal a password for any service. It is as simple as installing a keylogger on the device. As your report suggests, you were able to obtain a password by having physical access to a device.

Having physical or remote access to a device is not something Exodus (or any other wallet, exchange or any app) can prevent."


We at UpSight Security of course humbly disagree that there is nothing Exodus can do, and they are most certainly using a very liberal definition of "physical access", but this is beside the point. The main takeaway here is that:


the user is left floating in the vacuum between the boundaries of the Exodus wallet security model and the capabilities of Windows Defender.


Demo Time

The short clip below shows how an Exodus wallet can be drained and what UpSight can do for Exodus' users.




Call to Action

In no particular order:

  • Use hardware wallets if you have significant holdings in crypto.

  • Install UpSight Security. Seriously, it will significantly increase the security posture of your hot wallet and prevent a whole barrage of cred-theft attacks that go past your AV.

  • Lock/close your hot wallet unless you are actively trading.

  • Enable MFA.

  • Carefully inspect crypto addresses after a copy/paste operation.

  • Pay attention to the wallet websites you are visiting, some of them may be phishing URLs.

  • Never store crypto keys and the seed words in plain text.

  • Never store credentials to crypto trading sites in the web browser cache. Same goes for any financial institution website, banking/trading/you name it.

  • Right-click before double-clicking a file downloaded from the internet and inspect its details:

      • File extension - does it match your expectations?

      • Details tab - do the File Description/Product Name/Product Version/etc. match what you think you downloaded?

      • Digital Signatures tab - is the file signed? If so, is the signature OK, and is the signing cert issued to the company you downloaded the file from?

  • Keep Windows and your AV software updated - I did poke some fun at Microsoft and Windows Defender, but legacy AV catches a good number of known threats.

Look at that - by the time I was done with this blog, the BTC price went up to $17,100 ;).


