A subtle new strain of cryptocurrency malware has been discovered
Falling prices may have stunted the crypto mining malware arms race, but it's still running.
A torrent file on The Pirate Bay for the film The Girl in the Spider's Web has been found to contain a very subtle strain of malware. It was first discovered by security researcher 0xffff0800 and reported in detail at BleepingComputer.
Appropriately enough, The Girl in the Spider's Web is a hacking film.
This is probably no accident given the nature of the malware. It includes a few special elements for cryptocurrency users, and the creators might have (probably correctly) assumed that people who are into hacker flicks are more likely to be into cryptocurrency, and vice versa.
What the malware does in a nutshell is subtly change one's web browsing experience.
First, it manipulates Google search results to put certain things at the top of the page in different circumstances. For example, searching for "spyware" with this malware installed will put this site at the top of the page:
The site seems to be designed to encourage people to download something else that may or may not be malware. Beyond that, the malware will also put various offers for things such as ads for toolbars front and centre. This is quite outrageous because you normally have to pay to get your scam sites to the top of Google search results, while this malware is letting people get it for free.
The most insidious and directly profitable element might come from targeting cryptocurrency users though.
Among the other subtle changes to the browsing experience, this malware will also change cryptocurrency wallet addresses in some places and insert fake donation addresses elsewhere. This is what it injects for visitors to Wikipedia:
To be clear, both of those wallet addresses are presumably the folks behind this malware. Any crypto sent there will not be going to Wikipedia. It's not just Wikipedia that will start spruiking scam crypto addresses though. The malware is designed to replace addresses where it can on a range of sites.
Pickings seem to have been slim to date.
The Ethereum wallet address, which the malware designer apparently decided to refer to as "Ethernet address", seems to have pulled in a few donations and currently holds about $550 of crypto from 7 separate donations, while the bitcoin address has received a total of $70 from 8 donations.
It's simultaneously more and less effective than the clipboard hijacking malware, which sits on a victim's computer until they copy a cryptocurrency wallet address to their clipboard and then replaces the address with the attacker's.
It's less effective because it can't insert itself into as many cryptocurrency transactions and is less likely to stumble across huge paydays from a single transaction. But it could also be more effective because confirming the destination address on hardware wallets or simply double checking the destination of a transaction won't necessarily prevent the theft.
Plus, unlike some other strains, it's not entirely about cryptocurrency. Rather the crypto theft elements are almost tacked on as an afterthought (see "Ethernet address"). It's likely that many malware makers have lost interest in cryptocurrency as prices have fallen.
Cryptocurrency and malware have gone hand in hand for a long time and might have peaked when cryptojackers, which mine cryptocurrency with victims' computers, enjoyed some time in the sun as the world's most popular malware. But it looks like its popularity has since fallen.
Malware creators clearly aren't done with trying to tap cryptocurrency though.
Disclosure: At the time of writing, the author holds ETH.