A subtle new strain of cryptocurrency malware has been discovered

Posted: 16 January 2019 4:22 pm

Falling prices may have stunted the crypto mining malware arms race, but it's still running.

A torrent file on The Pirate Bay for the film The Girl in the Spider's Web has been found to contain a very subtle strain of malware. It was first discovered by security researcher 0xffff0800 and reported in detail at BleepingComputer.

Appropriately enough, The Girl in the Spider's Web is a hacking film.

This is probably no accident given the nature of the malware. It includes a few special elements for cryptocurrency users, and the creators might have (probably correctly) assumed that people who are into hacker flicks are more likely to be into cryptocurrency, and vice versa.

Slight changes

In a nutshell, the malware makes small, hard-to-notice changes to the victim's web browsing.

First, it manipulates Google search results, injecting its own entries at the top of the results page for certain queries. For example, searching for "spyware" with this malware installed puts a particular site, shown in the researcher's screenshot, at the top of the page.

That site seems designed to encourage visitors to download something else, which may or may not itself be malware. Beyond that, the malware also puts various offers, such as ads for browser toolbars, front and centre. Top placement in Google results normally has to be paid for; this malware hands scam sites that position for free.

The most insidious and directly profitable element might come from targeting cryptocurrency users though.

Among its other subtle changes to the browsing experience, the malware replaces cryptocurrency wallet addresses in some places and inserts fake donation appeals elsewhere. On Wikipedia, for instance, it injects a donation appeal carrying a bitcoin address and an Ethereum address.

To be clear, both of those wallet addresses presumably belong to the people behind the malware. Any crypto sent to them will not be going to Wikipedia. Nor is Wikipedia the only site that will start spruiking scam crypto addresses: the malware is designed to replace addresses wherever it can across a range of sites.

Pickings seem to have been slim to date.

The Ethereum wallet address, which the malware designer apparently decided to refer to as "Ethernet address", seems to have pulled in a few donations and currently holds about $550 of crypto from 7 separate donations, while the bitcoin address has received a total of $70 from 8 donations.

It's simultaneously more and less effective than clipboard-hijacking malware, which sits on a victim's computer waiting for them to copy a cryptocurrency wallet address to the clipboard, then silently replaces the copied address with the attacker's.

It's less effective because it can't insert itself into as many cryptocurrency transactions and is less likely to stumble across a huge payday from a single transaction. But it could also be more effective because the usual defence against a clipboard hijacker, comparing the address the wallet is about to send to against the one shown on the page (which is exactly the check a hardware wallet prompts for), won't necessarily prevent the theft: here the page itself already shows the attacker's address, so the two match and the victim confirms the wrong destination.
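The following JavaScript is an added example, not code from the article, the researcher or the malware it describes. It models the two techniques compared above (clipboard hijacking versus the in-page replacement used in the Wikipedia donation appeal) and shows why the "does the paste match the page?" check catches one but not the other, and what check catches both. The page text, the addresses (documentation-style example addresses, not anyone's real wallet), and every function name are constructed for the example.

```javascript
// Constructed model of two address-substitution techniques and the checks
// that do and do not catch them. Runs under Node with no dependencies.

// Syntactic address patterns: base58 P2PKH/P2SH (1... / 3...), bech32 (bc1...)
// and hex Ethereum. Format-only on purpose: an attacker's address is just as
// well-formed as the genuine one, so format validation alone never detects a swap.
const BTC_RE = /\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b/g;
const ETH_RE = /\b0x[0-9a-fA-F]{40}\b/g;

function extractAddresses(text) {
  return {
    btc: text.match(BTC_RE) || [],
    eth: text.match(ETH_RE) || [],
  };
}

// The site's genuine donation addresses (constructed). In practice this is a
// reference the user already trusts: a bookmark, an earlier transaction, a second device.
const EXPECTED = {
  btc: "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
  eth: "0x52908400098527886E0F7030069857D2E4169EE7",
};
// The addresses the malware swaps in (constructed).
const ATTACKER = {
  btc: "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy",
  eth: "0x8617E340B3D01FA5F11F306F4090FD50E238070D",
};

// Technique 1: in-page replacement. What the victim reads is already wrong.
function inPageReplace(pageText) {
  return pageText
    .split(EXPECTED.btc).join(ATTACKER.btc)
    .split(EXPECTED.eth).join(ATTACKER.eth);
}

// Technique 2: clipboard hijack. The page is honest; the copied value is swapped.
function clipboardHijack(copied) {
  if (copied === EXPECTED.btc) return ATTACKER.btc;
  if (copied === EXPECTED.eth) return ATTACKER.eth;
  return copied;
}

// The victim's pre-signing check: does the address about to be sent appear on
// the page they copied it from? This is the comparison a hardware wallet invites.
function pasteMatchesPage(pasted, pageText) {
  const shown = extractAddresses(pageText);
  return shown.btc.includes(pasted) || shown.eth.includes(pasted);
}

// The check that works against both techniques: compare every address on the
// page against an out-of-band reference instead of against the page itself.
function findSubstitutions(pageText, expected) {
  const found = extractAddresses(pageText);
  return {
    btc: found.btc.filter((a) => a !== expected.btc),
    eth: found.eth.filter((a) => a !== expected.eth),
  };
}

// Constructed donation appeal, standing in for the injected Wikipedia text.
const PAGE = `Support us: Bitcoin ${EXPECTED.btc} or Ethereum ${EXPECTED.eth}.`;

function demo() {
  // Clipboard hijack: page honest, paste tampered, so the comparison fails and the theft is caught.
  const hijackedPaste = clipboardHijack(extractAddresses(PAGE).btc[0]);
  const clipboardCaught = !pasteMatchesPage(hijackedPaste, PAGE);

  // In-page replacement: page and paste agree, both on the attacker's address, so it is not caught.
  const tampered = inPageReplace(PAGE);
  const tamperedPaste = extractAddresses(tampered).btc[0];
  const inPageCaught = !pasteMatchesPage(tamperedPaste, tampered);

  // The reference check flags the substituted addresses regardless of technique.
  const referenceCheck = findSubstitutions(tampered, EXPECTED);
  return { clipboardCaught, inPageCaught, referenceCheck };
}

console.log(demo());
```

Running `demo()` shows `clipboardCaught` true and `inPageCaught` false, which is the point of the comparison in the text: a hardware wallet's "confirm this address" prompt only helps when the victim has a trustworthy copy to compare against, and in-page replacement removes that copy. The `findSubstitutions` check is the practitioner's answer, and it only works if the expected addresses come from somewhere the malware cannot rewrite.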

Plus, unlike some other strains, it's not entirely about cryptocurrency. Rather the crypto theft elements are almost tacked on as an afterthought (see "Ethernet address"). It's likely that many malware makers have lost interest in cryptocurrency as prices have fallen.

Cryptocurrency and malware have gone hand in hand for a long time, and the pairing might have peaked when cryptojackers, which mine cryptocurrency with victims' computers, enjoyed some time in the sun as the world's most popular malware. But their popularity looks to have fallen since.

Malware creators clearly aren't done with trying to tap cryptocurrency though.

Disclosure: At the time of writing, the author holds ETH.

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.

Picture: Shutterstock