Windows Torrent File Malware Can Swap Out Crypto Addresses, Researcher Warns

Published at: Jan. 15, 2019

New malware posing as a movie file from torrent website The Pirate Bay (TPB) can manipulate web pages and replace Bitcoin (BTC) and Ether (ETH) addresses, computing magazine Bleeping Computer reported Jan. 12.

The malware — originally thought to inject advertising on Google and in search results — in fact performs multiple actions, some of which were discovered by the publication’s own researcher Lawrence Abrams.

“What appeared to be an ad-injector into the main Google search page turned out to be only the tip of the iceberg,” the researchers warned.

The file containing malicious code poses as a movie file on TPB, specifically for the movie The Girl in the Spider's Web.

In reality, besides injecting ads and manipulating search results to show certain links first, the malware can also swap out cryptocurrency wallet addresses for ones controlled by the attacker. The swap happens when users copy and paste an address on a Windows PC, a technique that has appeared previously in other malware.

“This tactic does not show any sign that could alert the user of the trick,” Bleeping Computer continued:

“Because the wallets are a large string of random characters, most users will likely not notice the difference between what they expected to copy and the pasted result.”
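The clipboard swap described above can be caught by watching for the one thing a clipper cannot hide: an address-shaped clipboard value being replaced by a different address of the same kind within milliseconds, far faster than a person re-copies. The following is an added example, not code from the article or from the malware analysis it cites; the clipboard snapshots and the wallet addresses in it are constructed to fit the BTC and ETH address patterns and are not real.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Loose syntactic patterns for the two address families the article mentions
# (legacy/P2SH base58 and bech32 for BTC, 0x-prefixed 40 hex digits for ETH).
BTC_RE = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

def address_kind(text: str) -> Optional[str]:
    """Classify clipboard text as 'BTC', 'ETH' or None."""
    text = text.strip()
    if ETH_RE.match(text):
        return "ETH"
    if BTC_RE.match(text):
        return "BTC"
    return None

@dataclass
class Snapshot:
    t_ms: int   # time the clipboard content was observed, in milliseconds
    text: str   # clipboard content at that time

def find_clipper_swaps(snapshots: List[Snapshot], window_ms: int = 500) -> List[Tuple[int, str, str, str]]:
    """Flag an address replaced by a different address of the same kind within window_ms.
    A human re-copy takes seconds; a clipper rewrites the clipboard within milliseconds."""
    alerts = []
    prev: Optional[Snapshot] = None
    for snap in snapshots:
        kind = address_kind(snap.text)
        if (prev is not None and kind is not None and address_kind(prev.text) == kind
                and prev.text.strip() != snap.text.strip() and snap.t_ms - prev.t_ms <= window_ms):
            alerts.append((snap.t_ms, kind, prev.text.strip(), snap.text.strip()))
        prev = snap
    return alerts

# Constructed sample data: made-up addresses that only fit the patterns above, not real wallets.
USER_BTC = "1SampAddrUserCopied" + "A" * 14
SWAPPED_BTC = "1SampAddrAttackerSwap" + "A" * 12
USER_ETH = "0x" + "a" * 40
OTHER_ETH = "0x" + "b" * 40

SAMPLE = [
    Snapshot(1000, "some unrelated text"),
    Snapshot(2000, USER_BTC),      # user copies the BTC address they intend to pay
    Snapshot(2040, SWAPPED_BTC),   # 40 ms later the clipboard holds a different BTC address
    Snapshot(9000, USER_ETH),      # user copies an ETH address
    Snapshot(15000, OTHER_ETH),    # a second ETH address six seconds later: an ordinary re-copy
]

if __name__ == "__main__":
    for t, kind, before, after in find_clipper_swaps(SAMPLE):
        print(f"t={t}ms {kind} address silently changed: {before} -> {after}")
```

On a real system the snapshots would come from polling the clipboard; the decision logic stays the same.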

Other features are more easily noticeable, such as a fake banner that appears on Wikipedia inviting users to transfer BTC and ETH to specific addresses.

Cryptocurrency-related malware surged in 2018 despite a bear market in which stolen or mined funds often lost value days or even hours after collection. As Cointelegraph reported, by September, detections had surged almost 500 percent compared with the previous year.

Last week, fresh research corroborated previous claims that between 4 and 5 percent of the altcoin Monero (XMR) in circulation had been mined using malware. That amount equates to around $56 million in profits, curators of the statistics said.
