![]() The statistics of popularity of the two are as follows (information directly from the site). MinGW is basically a port of GCC (GNU Compiler Collection) for Microsoft Windows. It contains several malicious payloads including a bitcoin stealer and a virus. The other one is MinGW-w64, which was available for download at the beginning of our investigation. ![]() Code Blocks is a popular open-source IDE (Integrated Development Environment) used by many C/C++ developers. The first one is CodeBlocks, which has already been blocked by CNET and contains the same MSIL/ClipBanker.DF payload. ![]() Later during the investigation, we found out that the Win32 Disk Imager is not the only trojanized application hosted on and we know about at least 2 other cases from the same authors. ![]() The program was downloaded from CNET 311 times just in the last week and over 4500 times in total. We found out that the source of Crawsh’s infection was a trojanized Win32 Disk Imager application downloaded from, where it has been hosted since May 2 nd 2016.ĮSET detects the trojanized application as a variant of MSIL/. Thus, the blogpost author might be infected with the bitcoin stealer. However, in the text of the post, the original bitcoin address was replaced by the malware author’s address, as shown in the second picture. For instance, someone published a blogpost about a website hack (not related to this malware stealer). Crawsh eventually wrote a post with details about his case on /r/monero subreddit, where it was noticed by ESET's malware researchers, who then began investigation in order to help shed some light on the case and quickly found some very interesting information.īy searching for the attacker’s bitcoin address on Google, we were able to find some victims. As of 13 th March 2018, it has an estimated value of about 80 000 USD. Luckily for Crawsh, the replaced address is only valid for bitcoin and pasting his Monero address rendered it invalid and it was detected by the target application before any of his Monero was sent anywhere - this of course wasn’t the case for many others victims, who got infected by the same malware and tried to copy-paste their bitcoin addresses instead, which caused the attackers to receive 8.8 BTC in total to this day. As an aware and experienced user, he quickly suspected that malware was involved - and he was right: his investigation of what could be the cause eventually found that malware was indeed the cause. His copy-pasted wallet address was intercepted in the clipboard by malware and replaced with attacker’s hardcoded bitcoin address. He first noticed something is wrong, when he tried to copy-paste his Monero address into another place as usual and the address suddenly started being refused for being invalid. The user Crawsh from /r/monero subreddit was one of the victims with such a story, but luckily for him, his story had a happy ending. We found three trojanized applications hosted on, which is one of the most popular software hosting sites in the world as its Alexa rank (163th) shows. Sometimes even such a basic and obvious advice might not save you from malware encounters. In today’s day and age, when you ask a security expert about some basic tips to stay safe on the web, one of the most important things he will probably tell you is to download software only from legitimate sources.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |