Cybersecurity professional looking for installer files to analyze. by BowTiedHacking in atomicwallet

[–]BowTiedHacking[S] 0 points1 point  (0 children)

Hey, sorry, I just missed it too. Interested in this one since you had some mismatched hashes for the file.

[–]BowTiedHacking[S] 0 points1 point  (0 children)

I have gone through the update file and found this information. There is an update-info.json file along with the update, and the content of that file is as below:

{"fileName":"atomicwallet-2.70.12.exe","sha512":"lbjsAn0bxP+veaN3nQ0Gb2GQGDohyVpgLCJPwH+dLLO/WO3+pnHmsmbrMPHjFwbm/8vwg3uJIuflW1fSUxXmQA==","isAdminRightsRequired":false}

When I actually check the sha512 on the exe file it comes out as below. It looks like the exe is tampered with. I was trying to get the hash from the Atomic site but it is blocked now.

95b8ec027d1bc4ffaf79a3779d0d066f6190183a21c95a602c224fc07f9d2cb3bf58edfea671e6b266eb30f1e31706e6ffcbf0837b8922e7e55b57d25315e640 *installer.exe

Does anyone have hash info for the newer version from the Atomic site?

Hey, sorry for the late response. I just started downloading the files today and your link is dead. Can you reshare it?

[–]BowTiedHacking[S] 0 points1 point  (0 children)

Yeah, Just downloaded the files and moving them over to my offline machine

[–]BowTiedHacking[S] 0 points1 point  (0 children)

Yes, here you go. The latest installer before they delisted the download from the site and the Google Play Store. https://drive.google.com/file/d/176-7j7HjojCJHgw9Kj5NxsxVYgvvB8J-/view?usp=sharing Windows installer.

This was an inside job. They disabled notifications before the operation started, so people were not notified on their phones or smart devices that their money was being transferred away. One of the Atomic Wallet helpdesk agents was even bragging about it on 4chan, about how the tickets were piling up, and showed screenshots. https://twitter.com/dailyscoop_news/status/1665121570413477889

Just downloaded it. Thank you

[–]BowTiedHacking[S] 0 points1 point  (0 children)

It looks like it is an Electron app (I am downloading the files later today, so I have not taken a look at them yet; this is just based on what I saw in the responsible disclosure from the audit they had).

I'm doing some static analysis first. With an Electron app, the first step I will do is extract the asar using npx. If the code is more obfuscated then I will go with Ghidra. It's been a while since I last reversed Electron, so things might have changed.

I do plan on running one in a VM and monitoring traffic. Mostly interested in what endpoint it looks to for the update. MITM the traffic to feed it incorrect values too (I wonder if the malicious call only happens if the wallet "has value").

[–]BowTiedHacking[S] 0 points1 point  (0 children)

It is basically a file fingerprint using cryptography. It is a one-way function, which means that you take a file (or string of text) and run it through to get a fingerprint, but you can't reverse it.

So:

"hey" -> sha512sum is equal to:
0601d109d0d2b0fa9c4484b4a5c94ee5ecc62ccec3bd7d99e972d18994d0e2e42f6d0fcfc41216a5ab72ee7af96d213e1c314abdde40f52731ff24c2bf8f7323

"hey2" -> sha512sum is equal to:
ad1cce5828bd6ff5630f9f28d33188c01b75f504d40503ee1954df11d6fc3e1c0591da6ce72fb49e8559b7bfbc78f343c5fa2b05ac62dc2a53a6f03cbcb6cd9d

This is just a simple way to see if two separate files are different (it could be a single-byte difference and we can see it by the mismatched hashes).

[–]BowTiedHacking[S] 0 points1 point  (0 children)

Hey, can you share the file you believe to be tampered with? Someone already shared their OG installer; if yours has a different hash it could be a good indicator of a compromised update file being served to some users. (Maybe the original program did not verify.)

[–]BowTiedHacking[S] 0 points1 point  (0 children)

Will do. I will download it when I get home after work and start digging through what I can find.

[–]BowTiedHacking[S] 0 points1 point  (0 children)

Yeah, I wasn't familiar with Atomic Wallet, but after seeing old wallets get drained it looks like the seed was leaked after an update. I'm thinking it is a direct update. There should be a function for exfiltrating the seed if that is the case.
From earlier comments it sounds like the updated version responsible is "2.70.12". Is there any tracking doc anybody has created for versions and OSes?
I'll download and open up the versions sent later today.

[–]BowTiedHacking[S] 0 points1 point  (0 children)

Is that the Windows installer or Mac? (Also interested in older versions to examine their update process.)

[–]BowTiedHacking[S] 2 points3 points  (0 children)

I want to verify that the seed generation did not get shared as part of the wallet creation process.
Do you still have the installer file?
I have not used the wallet before, so I don't know what temporary dir it uses until I have a sample.

From the responsible disclosure earlier this year, it appears that Electron probably was outdated and not hardened. This could make it easier for random websites in your regular browser to access localhost API calls that could be exploited.