Breaking: Torrent Malware That Phishes Crypto Currently Doing The Rounds Online

It has recently come to light that a new strain of malware that is currently circulating across a host of different Torrent websites is infecting the machines of crypto owners that make use of the Windows OS. To be even more specific, the malware comes encapsulated within various popular illegal movie files which once downloaded compromise the integrity of our computer’s security protocols.

As mentioned earlier, the malware’s native script is embedded within various movie files that can presently be found online and shared via torrent. The code is designed to execute a complex chain of commands so as to infect one’s internet browser — which ultimately results in the malware switching “BTC/ ETH addresses displayed in web pages for new addresses controlled by the malware creator”.

The code was recently unearthed by an independent researcher called ’@0xffff0800’. Upon presenting his findings online, security website ‘Bleeping Computer’ delved even deeper into the matter so as to dissect the malicious software completely.

As per a recent tweet released by 0xffff0800, the harmful script has been posing as a .avi file while actually being a .LNK data container — an extension that is commonly used by Windows to point to an executable file.

As soon as a user clicks on the .LNK file, the malware launches Windows PowerShell— a command line interface normally used to run system administration tasks. By gaining this level of access to one’s PC, the malicious code is then able to systematically disable our device’s security protocols (such as the native Windows Defender virus protection system along with any other antivirus programs). Not only that but it also forcibly installs certain extensions on both Firefox and Chrome browsers so as to make its task easier in the future.

When either of the aforementioned browsers are opened, the malicious extensions are automatically able to “change the text of a webpage without the users' knowledge”. In addition to all this, the malware also injects specific code into one’s everyday web pages which then force the appearance of unwanted adverts on our screens.

One of the first attacks that the malware deploys is that of introducing a malicious donation link to any Wikipedia page that a person might visit. Similarly, the other attack is carried out via a function named ‘findAndReplaceWalletAddresses’ which uses one’s regular expression searches to “detect when a bitcoin or Ethereum address has been copied to the native Windows clipboard, following which it substitutes a new address for the pasted result”.

At the time of writing this article, the aforementioned scammy bitcoin wallet listed on the fake Wikipedia page has received a total of $70.92 while the other fraudulent wallet has been able to amass $13.10.

With that being said, it is worth noting that both of the aforementioned wallets have made one outgoing transaction— wherein they sent $5,400 and $3,134 respectively to two other addresses.

299 +