Bitcoin is once again making the headlines, this time thanks to a piece of malware found on Download.com. The malware was stealing malware identified as through swapping user accounts with the accounts of the hackers behind the operation. This operation made him about $80,000 as of March 13.
Trojanized Apps Stealing Bitcoin:
ESET researchers discovered three “trojanized applications” that were hosted on download.cnet.com – MSIL/TrojanDropper.Agent.DQJ, Trojan.ClipBanker, MSIL/ClipBanker.DF, Win32/ClipBanker.DY. The website is among the most popular software hosting platforms. Apparently, a user known by the nichname Crawsh from /r/monero subreddit was one of the victims of this operation, but luckily for him, his story had a happy ending, the researchers wrote.
The user was first to notice that something was wrong when he tried to copy-paste his Monero address. The address suddenly started being refused and was deemed invalid. The user is definitely experienced because he quickly realized something was out of place. He started an investigation and shortly after he found out the problem was caused by a piece of malware.
This is what happened:
His [Crawsh’s] copy-pasted wallet address was intercepted in the clipboard by malware and replaced with attacker’s hardcoded bitcoin address. Luckily for Crawsh, the replaced address is only valid for bitcoin and pasting his Monero address rendered it invalid and it was detected by the target application before any of his Monero was sent anywhere – this of course wasn’t the case for many others victims, who got infected by the same malware and tried to copy-paste their bitcoin addresses instead, which caused the attackers to receive 8.8 BTC in total to this day.
The amount the attacker made as of 13th March 2018, has been said to be about 80 000 USD. Later on, Crawsh shared a post with details about his case on /r/monero subreddit. This is how ESET researchers got acquainted with his story and initiated their own investigation into the malware matter.
Obviously, the piece of malware had spent quite some time on download.com, since May, 2016. Moreover, it appears to have been downloaded more than 4,500 times. The malware is now removed even though it is not known exactly when the removal procedure happened.
The source of the malware turned out to be a trojanized Win32 Disk Imager application which was downloaded from download.com. The malware was able to intercept wallet addresses copy-pasted in the clipboard, and then could replace them with the hacker’s hardcoded Bitcoin wallet address.
If you have been infected by this or similar Bitcoin stealing malware, you should delete the downloaded installers, then remove any malicious folders and lastly, delete the ScdBcd registry value from the key. It is also highly advisable to keep your system protected at all times via anti-malware software.
SpyHunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: