Hackers target Windows clipboard to steal cryptocurrency wallet addresses
New email-based malware dubbed as ComboJack is targeting Japanese and American web surfers to steal cryptocurrency during transactions. Once installed and lurking in the background, the malware grabs the victim’s long cryptocurrency wallet address stored in the Windows clipboard. Due to their extreme length, many users simply copy and paste that string of characters, and that is when ComboJack attacks.
Discovered by researchers at the Palo Alto Networks, it’s a variant of a cryptocurrency stealer called CryptoJack. It grabs the address of a victim’s cryptocurrency wallet coped to the clipboard and replaces it with the address of the hacker’s wallet. Thus, victims believe they are transferring digital currency to their personal virtual wallets when instead they’re unknowingly pasting a different destination into the transaction prior to completion.
CryptoShuffler was the first malware to use this stealing agent in 2017, but solely focused on Bitcoin. In 2018, ComboJack arrives to target not only Bitcoin investors, but Ethereum, Litecoin, Monero, and many other digital currencies. But the route this malware takes can be avoided by simply not opening an emailed attachment from untrusted sources.
According to the report, victims receive emails regarding a lost passport. The shady message requests that the victim view an attachment that’s supposedly a scanned passport in a PDF format for identification purposes. But once victims open the PDF, they are presented with a single line to open an embedded document. Inside this secondary file is an embedded remote object that attacks a security hole in Windows.
“An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory,” Microsoft’s database states. “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The embedded remote object downloads a two-part file, one part containing a self-extracting executable, and a second part containing password-protected components to create and install the final payload: ComboJack. The malware then uses a built-in Windows tool to give it system-level privileges, edits the registry to make sure it remains running in the background and enters into an infinite loop. ComboJack then checks the system clipboard every half second for a cryptocurrency wallet address.