Going through the previous comments, especially that of npole, I now understand that the attacker(s) used some really good obfuscation techniques to bypass detection systems.
I also believe that the attacker got a legit version of the Electrum BCD wallet and then modified it to contain his malicious payload.
I think a good prevention mechanism everyone should note is how to do data verification. In other words, I mean verification of MD5, SHA-1 and SHA-256 hashes. It's some cryptography stuff!
So for example, if Electrum releases a new version of the software, they also release the checksums, which are random strings of text. Now, if I download that new release and I want to ensure file integrity, I run a hash function against that file and compare the result to what was shown on the official website; if they match, I then know that it is legit. If not, I know that it has been tampered with.
It's kind of what I think is best practice for critical systems such as where you store your financial data.
There's no way both the legit Electrum and the modded Electrum's checksums can be the same, except if you were MITM'ed whilst visiting a non-HTTPS site.
A way to do this on Windows:
Open up PowerShell and use the command (the default is SHA-256):
Get-FileHash C:\path\to\file.exe
To specify the hashing algorithm (based on the official site's specification):
Get-FileHash C:\path\to\file.exe -Algorithm MD5
Get-FileHash C:\path\to\file.exe -Algorithm SHA1
Get-FileHash C:\path\to\file.exe -Algorithm SHA256
and then compare the result to the hash the official site released.
Linux users (any of the three, depending on which you want to view):
md5sum /path/to/file
sha1sum /path/to/file
sha256sum /path/to/file
Stay safe, all.
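Putting the Linux commands above into a script, as an added example that is not part of the original post: it hashes a download, compares the result with a published SHA-256, and rejects a tampered copy. The files and the "published" value are constructed for the demo (the value is the standard SHA-256 test vector for the bytes "abc"); in real use the expected hash comes from the vendor's official page.

```shell
#!/bin/sh
# Added example, not code from the original post. It automates the check the
# post describes: hash the downloaded file and compare it with the SHA-256 the
# vendor published. The file contents and the "published" value below are
# constructed for the demo (the value is the standard SHA-256 test vector for
# the bytes "abc"); in real use the expected hash comes from the vendor's
# official release page, fetched over HTTPS.

# file_sha256 <file>: print the lowercase hex SHA-256 of a file.
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_sha256 <file> <published_hex>: return 0 only when the file's hash
# equals the published one. The comparison is case-insensitive because sites
# publish hex digests in either case; anything else is a mismatch.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(file_sha256 "$1")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $1 (expected $expected, got $actual)" >&2
    return 1
}

# Constructed inputs: a "good" download and a tampered copy of it.
PUBLISHED_SHA256="BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
DEMO_DIR=$(mktemp -d)
GOOD_FILE="$DEMO_DIR/electrum-good.bin"
BAD_FILE="$DEMO_DIR/electrum-tampered.bin"
printf 'abc' > "$GOOD_FILE"
printf 'abd' > "$BAD_FILE"

# Demo run: the genuine file passes, the modified one is rejected.
verify_sha256 "$GOOD_FILE" "$PUBLISHED_SHA256"
verify_sha256 "$BAD_FILE" "$PUBLISHED_SHA256" || echo "Refusing to install $BAD_FILE"
```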