Leaked Mt.Gox documents filled with wallet-stealing virus

Yesterday, hackers gained access to the personal blog of Mt.Gox CEO Mark Karpeles (currently offline), using the space to release over 700 MB of data that appeared to come from the now-shuttered exchange’s internal database. The contents looked damning, hinting that Mt.Gox either had (or at least thought they had) nearly a million BTC in their system. The compressed file also contained a few “specialized tools” to help users sort out the data.

While the data dump may prove to be legitimate, the tools aren’t: TibanneBackOffice.exe and .app are trojans specifically designed to target Bitcoin-Qt wallets and steal funds. Redditor ultra0 posted a proof after decompiling the executable file. He also explained his process for sleuthing out the source code:

It was created in LiveCode, a tool for easy GUI programming, which actually stores a copy of the code encrypted inside of the executable. I essentially just used a debugger and traced through till I found the code in memory and dumped the section, copying and pasting the interesting parts into this post. Actually, it’s a pretty good way to write wallet stealing malware, had they done this in a more “normal” way, I’d have caught it immediately instead of investing a few hours figuring it out. I almost gave up a few times.

Bulgarian-based hosting service VPSBG quickly deactivated the server used to host the scam, but there’s no telling how much damage was done.

CoinDesk goes onto detail about the contents of the leak, as well as some of the theories behind what the data itself shows.