In today’s day and age, when you ask a security expert about some basic tips to stay safe on the web, one of the most important things he will probably tell you is to download software only from legitimate sources. Sometimes even such a basic and obvious advice might not save you from malware encounters. We found three trojanized applications hosted on download.cnet.com, which is one of the most popular software hosting sites in the world as its Alexa rank (163th) shows.

The user Crawsh from /r/monero subreddit was one of the victims with such a story, but luckily for him, his story had a happy ending.

He first noticed something is wrong, when he tried to copy-paste his Monero address into another place as usual and the address suddenly started being refused for being invalid. As an aware and experienced user, he quickly suspected that malware was involved - and he was right: his investigation of what could be the cause eventually found that malware was indeed the cause. His copy-pasted wallet address was intercepted in the clipboard by malware and replaced with attacker’s hardcoded bitcoin address. Luckily for Crawsh, the replaced address is only valid for bitcoin and pasting his Monero address rendered it invalid and it was detected by the target application before any of his Monero was sent anywhere - this of course wasn’t the case for many others victims, who got infected by the same malware and tried to copy-paste their bitcoin addresses instead, which caused the attackers to receive 8.8 BTC in total to this day. As of 13th March 2018, it has an estimated value of about 80 000 USD. Crawsh eventually wrote a post with details about his case on /r/monero subreddit, where it was noticed by ESET's malware researchers, who then began investigation in order to help shed some light on the case and quickly found some very interesting information.

By searching for the attacker’s bitcoin address on Google, we were able to find some victims. For instance, someone published a blogpost about a website hack (not related to this malware stealer). However, in the text of the post, the original bitcoin address was replaced by the malware author’s address, as shown in the second picture. Thus, the blogpost author might be infected with the bitcoin stealer.

Distribution

We found out that the source of Crawsh’s infection was a trojanized Win32 Disk Imager application downloaded from download.com, where it has been hosted since May 2nd 2016.

ESET detects the trojanized application as a variant of MSIL/TrojanDropper.Agent.DQJ. The program was downloaded from CNET 311 times just in the last week and over 4500 times in total.

Later during the investigation, we found out that the Win32 Disk Imager is not the only trojanized application hosted on download.com and we know about at least 2 other cases from the same authors. The first one is CodeBlocks, which has already been blocked by CNET and contains the same MSIL/ClipBanker.DF payload. Code Blocks is a popular open-source IDE (Integrated Development Environment) used by many C/C++ developers.

The other one is MinGW-w64, which was available for download at the beginning of our investigation. It contains several malicious payloads including a bitcoin stealer and a virus. MinGW is basically a port of GCC (GNU Compiler Collection) for Microsoft Windows.

The statistics of popularity of the two are as follows (information directly from the download.com site). Note that the number of recent CodeBlocks downloads is 0, because it has been removed by CNET. We do not know the exact date of the removal, but our telemetry data indicates it might have been around March 2017.

 

After notification by ESET, CNET quickly removed these trojanized applications from their website.

Analysis

Trojanized dropper (MSIL/TrojanDropper.Agent.DQJ)

The first stage of the trojanized application is a very simple dropper, that extracts both the legitimate installer of given application (Win32DiskImager, CodeBlocks, MinGw) and the malicious payload from resources, saves both files into the %temp% folder and executes them.

Malware replacing wallets in clipboard (MSIL/ClipBanker.DF)

The payload is very similar to the dropper in terms of its simplicity - the program copies itself into %appdata%\Dibifu_8\go.exe path and adds itself into the registry run key to ensure persistence.

The bitcoin address replacement in the clipboard is achieved by a simple code 4-liner, that can be seen above, which looks for a bitcoin address with a regex and replaces it with attackers’ hardcoded wallet address: 1BQZKqdp2CV3QV5nUEsqSg1ygegLmqRygj.

The attackers didn’t really put much effort into hiding their intention, as even the debug symbol path of both the dropper and ClipBanker show their intentions. We think that "SF to CNET" means SourceForce to CNET, because all of the three applications have their clean instances on the source code storage.

C:\Users\Ngcuka\Documents\V\SF to CNET\Btc Clipboard Rig\WindowsFormsApplication1\obj\x86\Release\WindowsFormsApplication1.pdb

There are several additional indicators of compromise that the victims could look for. First, the payload and the trojanized package are dropped under y3_temp008.exe resp. Win32DiskImage_0_9_5_install.exe in the temporary directory and executed.

Another malware replacing wallets in clipboard (Win32/ClipBanker.DY)

The payload is dropped by the trojanized MinGW-w64 application. It is a slightly more sophisticated variant using similar regular expression for the wallet search:

Moreover, it contains additional malicious components encrypted in the resources, together with about ~3500 bitcoin addresses of the attackers, which are used to replace victim’s addresses with a similar address based on the first three characters of the key (truncated in the picture)

Additional payloads shipped with this bitcoin stealer also have PDB paths. One of them is: C:\Users\Ngcuka\Documents\V\Flash Spreader\obj\x86\Release\MainV.pdb. The username is identical as the one found in the PDB path of the first bitcoin stealer. Thus, we are confident all these malware samples were developed by the same author.

How to clean an infected system

  • Delete the downloaded installers called win32diskimager.exe (SHA1: 0B1F49656DC5E4097441B04731DDDD02D4617566) resp. codeblocks.exe (SHA1: 7242AE29D2B5678C1429F57176DDEBA2679EF6EB) resp. mingw-w64-install.exe (SHA1: 590D0B13B6C8A7E39558D45DFEC4BDE3BBF24918) from your Download folder location
  • Remove exe in the %appdata%\dibifu_8\ folder (SHA1: E0BB415E858C379A859B8454BC9BA2370E239266)
  • Remove y3_temp008.exe from %temp%\ folder (SHA1: 3AF17CDEBFE52B7064A0D8337CAE91ABE9B7E4E3, resp. C758F832935A30A865274AA683957B8CBC65DFDE )
  • Delete ScdBcd registry value from the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

During the course of our investigation, we notified CNET and they quickly removed the trojanized applications from their website, preventing additional infections.

If you have suspicion that you could have been compromised, install an AV solution that should remove the files automatically. The best advice against the clipboard-replacing attack is to double-check the copied addresses when doing transactions!!!

IoCs:

Trojanized apps:

win32diskimager.exe 0B1F49656DC5E4097441B04731DDDD02D4617566 MSIL/TrojanDropper.Agent.DQJ trojan
codeblocks.exe 7242AE29D2B5678C1429F57176DDEBA2679EF6EB MSIL/ClipBanker.EY trojan
mingw-w64-install.exe 590D0B13B6C8A7E39558D45DFEC4BDE3BBF24918 MSIL/TrojanDropper.Agent.DQJ trojan

ClipBankers:

mingw-w64 payload #1 BE33BDFD9151D0BC897EE0739F1137A32E4437D9 Win32/ClipBanker.DY trojan
mingw-w64 payload #2 2EABFFA385080A231156420F9F663DC237A9843B Win32/ClipBanker.DY trojan
mingw-w64 payload #3 7B1E9A6E8AF6D24D13F6C561399584BFBAF6A2B5 Win32/ClipBanker.DY trojan
codeblocks.exe payload E65AE5D0CE1F675962031F16A978F582CC67D3D5 MSIL/ClipBanker.AB trojan
win32diskimager.exe payload E0BB415E858C379A859B8454BC9BA2370E239266 MSIL/ClipBanker.DF trojan

Hat tip to Matthieu Faou, Alexis Dorais-Joncas, David Jagoš, Robert Šuman, Vladislav Straka and /u/Crawsh from reddit for their work on this investigation.