New malware ComboJack steals users’ wallet addresses from their clipboards

ComboJack, a Trojan-like malware detected by Palo Alto Networks, replaces a wallet address the user has copied to the clipboard with an attacker-controlled address, so that the funds end up in the attacker's wallet.

This malspam campaign was first noticed on the morning of February 25, 2018, by Unit 42 and Proofpoint researchers. The campaign appeared to specifically target Japanese and American users.

Besides cryptocurrencies, ComboJack targets digital currencies such as WebMoney and Yandex Money. ComboJack determines which form of currency a wallet address belongs to from the length of the text and its first letter or digit.

This type of attack was first used by the CryptoShuffler malware in 2017.

How it operates

In order to install the malware and hijack the victim's machine, the attacker(s) sent out malspam campaigns urging users to open a PDF in order to check whether they knew the owner of a supposedly lost passport. The PDF contained an embedded RTF file, which in turn contained an embedded remote object. This remote object carried encoded PowerShell commands that downloaded and finally executed a malware file.

The initially downloaded file is a self-extracting executable (SFX). Once ComboJack is extracted, it begins by copying itself to a specified location on the user's system drive. It then uses the built-in Windows tool attrib.exe (used for setting file attributes) to set the hidden and system attributes on itself. This hides the file from the user and allows it to execute with system-level privileges. After making an entry in the system registry, ComboJack enters an infinite loop: every half second it checks the contents of the clipboard and tries to determine whether the victim has copied wallet information for any of various digital currencies.

When it finds one, ComboJack replaces the address with a hardcoded attacker address, in the hope that the victim will send funds to the wrong address without noticing.
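The two behaviours described above, classifying a clipboard string by its first character and length and then swapping in a different address of the same kind, are exactly what a defender-side check can key on. The following Python is an added illustration, not code from the original article or from Unit 42: it records the address the user copied, and at paste time flags any string that is a different address of the same currency family. The address patterns are simplified heuristics constructed for this example, not exhaustive validators.

```python
import re

# Constructed heuristic table: (currency family, pattern). Each pattern is
# keyed on the leading character(s) and length, the same cues the article
# says ComboJack uses. These are not full checksum validators.
ADDRESS_RULES = [
    ("bitcoin",  re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")),  # legacy
    ("bitcoin",  re.compile(r"^bc1[a-z0-9]{39,59}$")),               # bech32
    ("ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("litecoin", re.compile(r"^[LM][a-km-zA-HJ-NP-Z1-9]{26,33}$")),
    ("webmoney", re.compile(r"^[ZREUBGXKD]\d{12}$")),                 # purse id
]


def classify_address(text):
    """Return the currency family a string looks like, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_RULES:
        if pattern.match(text):
            return family
    return None


def clipboard_swap_detected(copied, pasted):
    """True when `pasted` is a different address of the same family as
    `copied`: the signature of a clipboard hijacker, as opposed to the
    user legitimately copying something else in between."""
    family = classify_address(copied)
    if family is None:
        return False
    return classify_address(pasted) == family and copied.strip() != pasted.strip()


class ClipboardGuard:
    """Remembers the last address the user copied and alerts at paste time.
    Hooking the real OS clipboard is platform-specific and left out here."""

    def __init__(self):
        self.last_copied = None

    def on_copy(self, text):
        # Only remember strings that look like a wallet address.
        if classify_address(text) is not None:
            self.last_copied = text.strip()

    def on_paste(self, text):
        """Return an alert string if the pasted value was swapped, else None."""
        if self.last_copied and clipboard_swap_detected(self.last_copied, text):
            return ("clipboard address changed: copied %s but pasting %s"
                    % (self.last_copied, text.strip()))
        return None
```

A wallet application would call `on_paste` before building the transaction and refuse to proceed while an alert is returned.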

The vulnerability that ComboJack exploits has already been patched by Microsoft, so users can protect themselves by keeping the operating system up to date. But as cryptocurrencies continue to rise, it is likely we will see more and more malware targeting owners of crypto funds.
