Bitcoin stealing malware that swaps user accounts with that of the attacker was found to be hosted on Download.com servers for nearly a year.
ESET researchers found three trojanised applications hosted on download.cnet.com, 163rd most visited site in the world according to Alexa rankings, and estimated that as of 13 March, the attacker managed to steal the equivalent of £57,431, according to a recent blog post.
The malware had been hosted on download.com since 2 May, 2016 and that it had been downloaded from CNET, the original creator of the domain, more than 4,500 times in total, the post said. The malware has since been removed, although researchers don't know the exact date of the removal they speculate it may have been around March 2017.
Researchers were alerted to the malware after a Reddit user posted about how they tried to copy and paste their Monero address as usual and was suddenly getting notifications that the address was refused for being invalid.
The source of the malware was a trojanised Win32 Disk Imager application downloaded from download.com. Upon inspection, researchers learned the malware intercepts wallet addresses that are copy and pasted in the clipboard and replaces them with the attackers own hardcoded bitcoin wallet address.
“By searching the attacker's bitcoin address on Google, we were able to find some victims. For instance, someone published a blogpost about a website hack (not related to this malware stealer),” researchers said in the post. “However, in the text of the post, the original bitcoin address was replaced by the malware author's address, as shown in the second picture. Thus, the blogpost author might be infected with the bitcoin stealer.”
Those who are affected can clean up their infected system by deleting the downloaded installers, removing the malicious folders and deleting the ScdBcd registry value from the key.