Windows Torrent File Malware Can Swap Out Crypto Addresses, Researcher Warns

New malware posing as a movie file from torrent website The Pirate Bay (TPB) can manipulate web pages and replace Bitcoin (BTC) and Ether (ETH) addresses, computing magazine Bleeping Computer reported Jan. 12.

The malware — originally thought to inject advertising on Google and in search results — in fact performs multiple actions, some of which were discovered by the publication’s own researcher Lawrence Abrams.

“What appeared to be an ad-injector into the main Google search page turned out to be only the tip of the iceberg,” the researchers warned.

The file containing malicious code poses as a movie file on TPB, specifically for the movie The Girl in the Spider's Web.

In reality, along with ads and manipulating search results to show certain links first, the malware is also able to swap out cryptocurrency wallet addresses for ones owned by the attacker. This occurs when users use the copy+paste function on Windows PCs, and has appeared previously in other malware.

“This tactic does not show any sign that could alert the user of the trick,” Bleeping Computer continued:

“Because the wallets are a large string of random characters, most users will likely not notice the difference between what they expected to copy and the pasted result.”

Other features are more easily noticeable, such as a fake banner that appears on Wikipedia inviting users to transfer BTC and ETH to specific addresses.

Cryptocurrency-related malware surged in 2018 despite a bear market meaning accumulated funds often lost value days or even hours after collection. As Cointelegraph reported, by September, detections had surged almost 500 percent compared with the previous year.

Last week, fresh research corroborated previous claims that between 4 and 5 percent of the altcoin Monero (XMR) in circulation had been mined using malware. That amount equates to around $56 million in profits, curators of the statistics said.