Dangerous malware hosted on Download.com stealing bitcoin for years


In today’s day and age, when you ask a security expert for some basic tips on staying safe on the web, one of the most important things they will probably tell you is to download software only from legitimate sources. Sometimes even such basic and obvious advice might not save you from malware encounters. We found three trojanized applications hosted on download.cnet.com, which is one of the most popular software hosting sites in the world, as its Alexa rank (163rd) shows.

The user Crawsh from the /r/monero subreddit was one of the victims with such a story, but luckily for him, his story had a happy ending.


He first noticed something was wrong when he tried to copy and paste his Monero address somewhere, as usual, and the address suddenly started being refused as invalid. As an aware and experienced user, he quickly began investigating what might be the cause and eventually found out that it was caused by malware, and he was right. His copied wallet address was intercepted in the clipboard by malware and replaced with the attacker’s hardcoded bitcoin address. Luckily for Crawsh, the substituted address is only valid for bitcoin: patching it into a Monero transaction rendered the address invalid, and the target application rejected it before any of his Monero was sent anywhere. This of course wasn’t the case for many other victims, who were infected by the same malware and tried to copy and paste their bitcoin addresses instead, which brought the attackers 8.8 BTC in total to this day. As of 13th March 2018, that has an estimated value of about 80 000 USD. Crawsh eventually wrote a post with details about his case on the /r/monero subreddit, where it was noticed by our Malware Researcher, who then began an investigation in order to help and shed some light on the case, and quickly found very interesting information.

By searching for the attacker’s bitcoin address on Google, we were able to find some victims. For instance, someone published a blog post about a website hack (not related to this malware stealer). However, in the text of the post, the original bitcoin address was replaced by the malware author’s address, as shown in the second picture. Thus, the blog post author might be infected with the bitcoin stealer.




We found out that the source of Crawsh’s infection was a trojanized Win32 Disk Imager application downloaded from download.com, where it had been hosted since 2nd May 2016.

ESET detects the trojanized application as a variant of MSIL/TrojanDropper.Agent.DQJ. The program was downloaded from CNET 311 times just in the last week and over 4500 times in total.


Later during the investigation, we found out that Win32 Disk Imager is not the only trojanized application hosted on download.com, and we know of at least two other cases from the same authors. The first one is CodeBlocks, which has already been blocked by CNET and contains the same MSIL/ClipBanker.DF payload. Code Blocks is a popular open-source IDE (Integrated Development Environment) used by many C/C++ developers.


The other one is MinGW-w64, which was available for download at the beginning of our investigation. It contains several malicious payloads including a bitcoin stealer and a virus. MinGW is basically a port of GCC (GNU Compiler Collection) for Microsoft Windows.


The popularity statistics of the two are as follows (information taken directly from the download.com site). Note that the number of recent CodeBlocks downloads is 0, because it has been removed by CNET. We do not know the exact date of the removal, but our telemetry data indicates it might have been around March 2017.


After notification by ESET, CNET quickly removed these trojanized applications from their website.


Trojanized dropper (MSIL/TrojanDropper.Agent.DQJ)

The first stage of the trojanized application is a very simple dropper that extracts both the legitimate installer of the given application (Win32DiskImager, CodeBlocks, MinGW) and the malicious payload from its resources, saves both files into the %temp% folder and executes them.


Malware replacing wallets in clipboard (MSIL/ClipBanker.DF)

The payload is very similar to the dropper in terms of its simplicity: the program copies itself to the path %appdata%\Dibifu_8\go.exe and adds itself to the registry Run key to ensure persistence.


The bitcoin address replacement in the clipboard is achieved by a simple four-line piece of code, shown below, which looks for a bitcoin address with a regex and replaces it with the attackers’ hardcoded wallet address: 1BQZKqdp2CV3QV5nUEsqSg1ygegLmqRygj.
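As an added example (not code from the article or from ESET), the following Python models the defender’s side of this scenario: Base58Check validation of a legacy bitcoin address plus a check that models the "double check the copied address" advice, showing why the swapped bitcoin address is rejected in a Monero transaction but would pass as a bitcoin destination. The Monero check is structural only (an assumption; Monero’s own checksum is not verified), and the address regexes are this example’s, not the malware’s.

```python
import hashlib
import re

# Shape of a legacy Base58Check bitcoin address ("1..." P2PKH or "3..." P2SH).
# This is the class of clipboard content a wallet-swapping stealer targets.
BTC_SHAPE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
# Structural check for a standard Monero address: 95 Base58 chars starting
# with 4 (8 for subaddresses). Assumption: Monero's keccak checksum is skipped.
XMR_SHAPE = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of SHA256(SHA256(payload))."""
    raw = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # Each leading zero byte is encoded as a leading '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def b58check_decode(addr: str) -> "bytes | None":
    """Return the payload (version byte + hash160) if the checksum matches, else None."""
    if not BTC_SHAPE.match(addr):
        return None
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) < 5:
        return None
    payload, chk = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != chk:
        return None
    return payload


def check_before_send(copied: str, pasted: str, coin: str) -> str:
    """Compare what was copied with what landed in the transaction field,
    then validate the destination for the coin being sent."""
    if pasted != copied:
        return "swapped"  # clipboard content changed between copy and paste
    if coin == "BTC":
        return "ok" if b58check_decode(pasted) is not None else "invalid"
    if coin == "XMR":
        return "ok" if XMR_SHAPE.match(pasted) else "invalid"
    return "unsupported-coin"
```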

The attackers didn’t really put much effort into hiding their intention, as even the debug symbol paths of both the dropper and the ClipBanker payload reveal it. We think that “SF to CNET” means SourceForge to CNET, because all three applications have their clean instances hosted on that source code site.

C:\Users\Ngcuka\Documents\V\SF to CNET\Btc Clipboard Rig\WindowsFormsApplication1\obj\x86\Release\WindowsFormsApplication1.pdb


There are several additional indicators of compromise that victims can look for. First, the payload and the trojanized package are dropped into the temporary directory as y3_temp008.exe and Win32DiskImage_0_9_5_install.exe respectively, and executed.

Another malware replacing wallets in clipboard (Win32/ClipBanker.DY)

This payload is dropped by the trojanized MinGW-w64 application. It is a slightly more sophisticated variant using a similar regular expression for the wallet search:


Moreover, it contains additional malicious components encrypted in its resources, together with about 3500 bitcoin addresses starting with 1 (truncated in the picture):


The additional payloads shipped with this bitcoin stealer also have PDB paths. One of them is: C:\Users\Ngcuka\Documents\V\Flash Spreader\obj\x86\Release\MainV.pdb. The username is identical to the one found in the PDB path of the first bitcoin stealer. Thus, we are confident that all of this malware was developed by the same author.

How to clean an infected system

  • Delete the downloaded installer win32diskimager.exe (SHA1: 0B1F49656DC5E4097441B04731DDDD02D4617566), codeblocks.exe (SHA1: 7242AE29D2B5678C1429F57176DDEBA2679EF6EB) or mingw-w64-install.exe (SHA1: 590D0B13B6C8A7E39558D45DFEC4BDE3BBF24918) from your Downloads folder
  • Remove the exe in the %appdata%\dibifu_8\ folder (SHA1: E0BB415E858C379A859B8454BC9BA2370E239266)
  • Remove y3_temp008.exe from the %temp%\ folder (SHA1: 3AF17CDEBFE52B7064A0D8337CAE91ABE9B7E4E3, or C758F832935A30A865274AA683957B8CBC65DFDE)
  • Delete the ScdBcd registry value from the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

During the course of our investigation, we notified CNET and they quickly removed the trojanized applications from their website, preventing additional infections.

If you suspect that you may have been compromised, install an AV solution, which should remove the files automatically. The best advice against the clipboard-replacing attack is to double check the copied addresses when making transactions!


Trojanized apps:

win32diskimager.exe 0B1F49656DC5E4097441B04731DDDD02D4617566 MSIL/TrojanDropper.Agent.DQJ trojan
codeblocks.exe 7242AE29D2B5678C1429F57176DDEBA2679EF6EB MSIL/ClipBanker.EY trojan
mingw-w64-install.exe 590D0B13B6C8A7E39558D45DFEC4BDE3BBF24918 MSIL/TrojanDropper.Agent.DQJ trojan

Payloads:

mingw-w64 payload #1 BE33BDFD9151D0BC897EE0739F1137A32E4437D9 Win32/ClipBanker.DY trojan
mingw-w64 payload #1 2EABFFA385080A231156420F9F663DC237A9843B Win32/ClipBanker.DY trojan
mingw-w64 payload #1 7B1E9A6E8AF6D24D13F6C561399584BFBAF6A2B5 Win32/ClipBanker.DY trojan
codeblocks.exe payload E65AE5D0CE1F675962031F16A978F582CC67D3D5 MSIL/ClipBanker.AB trojan
win32diskimager.exe payload E0BB415E858C379A859B8454BC9BA2370E239266 MSIL/ClipBanker.DF trojan

download.com listings:

MinGW-w64: http://download.cnet.com/MinGW-w64/3000-2069_4-77411782.html

Win32 Disk imager: http://download.cnet.com/Win32-Disk-Imager/3000-2242_4-76554991.html

CodeBlocks: http://download.cnet.com/Code-Blocks/3000-2212_4-10516243.html

written by Peter Kalnai, ESET We Live Security
