Bitcoin stealing malware that swaps user accounts with that of the attacker was found to be hosted on Download.com servers for nearly a year.
ESET researchers found three trojanized applications hosted on download.cnet.com, the163th most visited site in the world according to Alexa rankings, and estimated that as of March 13, the attacker managed to steal the equivalent of $80,000 USD, according to a recent blog post.
The malware had been hosted on download.com since May 2, 2016 and that it had been downloaded from CNET, the original creator of the domain, more than 4,500 times in total, the post said. The malware has since been removed, although researchers don't know the exact date of the removal they speculate it may have been around March 2017.
Researchers were alerted to the malware after a Reddit user posted how they tried to copy and paste their Monero address as usual and suddenly started receiving notifications that the address was refused for being invalid as the address was a Bitcoin address not a Monero address. The mismatched addressed prevented this user from being scammed but the attack wouldn't have been as easy to catch had the user tried to pasted their Bitcoin address instead.
The source of the malware was a trojanized Win32 Disk Imager application downloaded from download.com. Upon inspection, researchers learned the malware intercepts wallet addresses that are copy and pasted in the clipboard and replaces them with the attackers own hardcoded bitcoin wallet address.
“By searching the attacker's bitcoin address on Google, we were able to find some victims. For instance, someone published a blogpost about a website hack (not related to this malware stealer),” researchers said in the post. “However, in the text of the post, the original bitcoin address was replaced by the malware author's address, as shown in the second picture. Thus, the blogpost author might be infected with the bitcoin stealer.”
Those who are affected can clean up their infected system by deleting the downloaded installers, removing the malicious folders and deleting the ScdBcd registry value from the key.