Researchers uncovered a new malware campaign spreading a clipboard hijacker dubbed ClipboardWalletHijacker that has already infected over 300,000 computers.
Security researchers from Qihoo 360 Total Security have spotted a new malware campaign spreading a clipboard hijacker, tracked as ClipboardWalletHijacker, that has already infected over 300,000 computers. Most of the victims are located in Asia, mainly China.
“Recently, 360 Security Center discovered a new type of actively spreading CryptoMiner, ClipboardWalletHijacker. The Trojan monitors clipboard activity to detect if it contains the account address of Bitcoin and Ethereum.” reads the analysis published by the company.
“It tampers with the receiving address to its own address to redirect the cryptocurrency to its own wallet. This kind of Trojans has been detected on more than 300 thousand computers within a week.”
The modus operandi of ClipboardWalletHijacker is not new: the malware monitors the Windows clipboard for Bitcoin and Ethereum addresses and replaces them with addresses controlled by the malware's authors.
In March 2018, researchers at Palo Alto Networks discovered a malware dubbed ComboJack that is capable of detecting when users copy a cryptocurrency address and altering the clipboard to steal cryptocurrencies and payments.
In a similar way, ClipboardWalletHijacker aims at hijacking BTC and ETH transactions.
Experts observed the malware using the following addresses when replacing legitimate ones detected in users' clipboards:
- BTC: 1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1
- BTC: 19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL
- ETH: 0x004D3416DA40338fAf9E772388A93fAF5059bFd5
By replacing the copied address with “0x004D3416DA40338fAf9E772388A93fAF5059bFd5”, the hackers have successfully hijacked 46 transactions.
The balances of these addresses can be checked at the links below:
- https://blockchain.info/address/1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1
- https://blockchain.info/address/19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL
- https://etherscan.io/address/0x004D3416DA40338fAf9E772388A93fAF5059bFd5
Hackers have stolen a total of 0.12434321 BTC from eight transactions and no Ether, for a total of around $800.
Recently Qihoo discovered many other miners, such as TaksHostMiner and WagonlitSwfMiner, that infected tens of thousands of machines.
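A defensive check against the clipboard substitution described above, as an added example that is not code from Qihoo or from the original article: before a payment is confirmed, it compares the address the user copied with the one about to be pasted and flags a swap or a match with the replacement addresses listed above. The function names are hypothetical, Bech32 (`bc1...`) Bitcoin addresses are not covered, and Ethereum addresses are matched by shape only.

```python
import hashlib
import re

# Replacement addresses reported in the article (ETH stored lowercase).
KNOWN_HIJACKER_ADDRESSES = {
    "1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1",
    "19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL",
    "0x004D3416DA40338fAf9E772388A93fAF5059bFd5".lower(),
}
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ETH_RE = re.compile(r"0x[0-9a-fA-F]{40}")  # shape only; EIP-55 case checksum not verified


def is_btc_base58(addr):
    """True for a legacy Base58Check Bitcoin address whose checksum verifies."""
    if not 26 <= len(addr) <= 35 or any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    try:
        raw = n.to_bytes(25, "big")  # version + 20-byte hash + 4-byte checksum
    except OverflowError:
        return False
    # Each leading '1' must encode exactly one leading zero byte.
    if len(addr) - len(addr.lstrip("1")) != len(raw) - len(raw.lstrip(b"\0")):
        return False
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return raw[0] in (0x00, 0x05) and check == raw[21:]


def address_kind(text):
    """Return "ETH", "BTC" or None for a clipboard string."""
    text = text.strip()
    if ETH_RE.fullmatch(text):
        return "ETH"
    return "BTC" if is_btc_base58(text) else None


def check_paste(copied, pasted):
    """Compare what the user copied with what is about to be pasted."""
    copied, pasted = copied.strip(), pasted.strip()
    if pasted in KNOWN_HIJACKER_ADDRESSES or pasted.lower() in KNOWN_HIJACKER_ADDRESSES:
        return "known-hijacker-address"
    kind = address_kind(pasted)
    if kind is None or address_kind(copied) != kind:
        return "ok"
    # ETH hex is case-insensitive; Base58 is case-sensitive.
    same = copied.lower() == pasted.lower() if kind == "ETH" else copied == pasted
    return "ok" if same else "address-swapped"
```

A wallet front end or browser extension could call `check_paste` with the last address the user selected and the value in the destination field, and block submission on anything other than `"ok"`.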
“Recently, we have found that a lot of CryptoMiner Trojans are using this technique to steal victims’ cryptocurrencies.” concludes the company. “We strongly recommend users to enable antivirus software while installing new applications. Users are also recommended to run virus scan with 360 Total Security to avoid falling victim to CryptoMiner.”
(Security Affairs – ClipboardWalletHijacker, cryptocurrency)