A BleepingComputer report details new Windows malware that can swap out Bitcoin and Ethereum addresses. The malicious program is included in a torrent hosted on The Pirate Bay that poses as the movie The Girl in the Spider’s Web. As always, you should exercise caution when downloading files from questionable sources.
The malware was originally thought to alter Google search results and inject additional advertisements into the page. BleepingComputer’s own researcher, Lawrence Abrams, discovered that the malware is actually much more insidious: “What appeared to be an ad-injector into the main Google search page turned out to be only the tip of the iceberg”, he said.
Abrams discovered that the malicious code is also capable of swapping out cryptocurrency wallet addresses for ones owned by the malware developer when the user copy-pastes a wallet address on an infected Windows PC. “Because the wallets are a large string of random characters, most users will likely not notice the difference between what they expected to copy and the pasted result”, Abrams explained. Furthermore, the malware also inserts a fake donation banner into Wikipedia pages. If users fall for it, the donated funds are actually transferred to the attacker’s BTC and ETH addresses.
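A defensive sketch of the clipboard swap described above, added here as an example and not taken from the BleepingComputer report: it scans a sequence of clipboard snapshots and flags an address-shaped string that is replaced by a different address of the same type within a short window. The snapshot format, the 2-second window and the sample addresses are assumptions constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Shape checks only (no checksum): enough to say "this looks like a wallet address".
PATTERNS = {
    "BTC": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

class Snapshot(NamedTuple):
    t: float    # seconds since monitoring started
    text: str   # clipboard text observed at that moment

def classify(text: str) -> Optional[str]:
    """Return "BTC" or "ETH" if the text has the shape of such an address, else None."""
    for kind, pattern in PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None

def find_swaps(snapshots: List[Snapshot], window: float = 2.0) -> List[Tuple[float, str, str, str]]:
    """Flag an address replaced by a different address of the same kind within `window` seconds."""
    alerts = []
    prev, prev_kind = None, None
    for snap in snapshots:
        kind = classify(snap.text)
        if (kind and kind == prev_kind
                and snap.text.strip() != prev.text.strip()
                and snap.t - prev.t <= window):
            alerts.append((snap.t, kind, prev.text.strip(), snap.text.strip()))
        prev, prev_kind = snap, kind
    return alerts

# Constructed sample data: placeholder addresses, not real wallets.
ETH_A, ETH_B = "0x" + "a" * 40, "0x" + "b" * 40
BTC_A, BTC_B = "1" + "A" * 33, "1" + "B" * 33
SAMPLE = [
    Snapshot(0.0, "meeting notes"),
    Snapshot(5.0, ETH_A),     # user copies an address
    Snapshot(5.1, ETH_B),     # replaced 100 ms later: hijacker-like behaviour
    Snapshot(60.0, BTC_A),
    Snapshot(300.0, BTC_B),   # a different address minutes later: ordinary use
    Snapshot(400.0, ETH_A),
    Snapshot(400.5, ETH_A),   # same content re-read: nothing changed
]

if __name__ == "__main__":
    for t, kind, original, replacement in find_swaps(SAMPLE):
        print(f"[{t:>6.1f}s] {kind} address swapped: {original} -> {replacement}")
```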
Even though cryptocurrency prices declined throughout 2018, cryptocurrency-related malware continued to “flourish”. A recently released paper estimates that at least 4.3% of the Monero (XMR) in circulation was mined through malware.