Cryptocurrency, the fairly new virtual payment measure, has outburst a several years ago and kept growing rapidly since then. The demand for such system was huge, because of the increasing online access and now we can’t imagine paying for certain services/products in any different way. However, while cryptocurrency does demonstrate plenty of advantages it is not completely perfect.
One of such imperfections is the long crypto wallet addresses made out of random uppercase and lowercase letters and numbers. Since rarely anyone types down things that they can simply copy and paste, this is what most cryptocurrency users will do with the recipient wallet address. And this is where the cyber crooks found a way to hack the process and steal your money by replacing the receiving address with theirs just in parts of a second when pasting it.
How CryptoCurrency Clipboard hijacker works
Back in May 2018, we have come across a very similar trojan called CryptoShuffler. It was initially released back in 2016, but only now as the cryptocurrency trend went viral it became more active. Over the past years, it managed to collect over $140,000 in BTC. Compared to the other malware this CryptoShuffler was extremely quiet and simple, but with such passive technique gained more than some really notorious ransomware.
All it did as a clipboard hijacker was simply monitoring what is being copied and if the address does match one of many stored in virus memory or looks like it is a virtual wallet address it would automatically be changed into the hacker’s wallet address unnoticeably. And if the victim did not double check if the copied and pasted addresses are matching the Bitcoins, Ethereum, Monero or any virtual currency would be transferred to the crooks. Same with the newest Clipboard Hijacker.
As Pierluigi Paganini, the cybersecurity expert from SecurityAffairs.co, wrote, the previous variants of this CryptoCurrency Clipboard Hijacker monitored 400 – 600k addresses, that is why no one expected to see such a huge database in the recently discovered 2.3 million address containing the virus.
In the video below you can see how actually the virus swaps the recipient’s address with one of its own.
How was the CryptoCurrency Clipboard hijacker found
The malware researchers noticed the Clipboard hijacker accidentally as a part of the Russian All-Radio 4.27 Portable malware package. This ‘nice’ bundle contained several threats like Trojans, miners, rootkits and CryptoCurrency Clipboard hijacker as well. The cryptovirus astonished by the huge, more than 80 Mb size file, which contained all the addresses.
Once the All-Radio Portable 4.27 package was installed, the virus downloaded a DLL file called d3dx11_31.dll and put together with newly created DirectX 11 autorun in Windows directory to start whenever the user opens the computer. Meaning that the virus will run in the background each time log-in, but silently without you noticing.
What ways can you protect yourself from Clipboard Crypto hijacker
Just like ClipboardWalletHijacker (which infected more than 300k Asian users), ComboJack or CryptoShuffler should be treated seriously if you want to make any payments online using cryptocurrency. Actually, it is not advisable to make even the simple bank transfers because you never know what to expect from a virus and if there are no other additional secretive threats.
Furthermore, if you do notice the All-Radio Portable malware pack in your system you can be sure that not only your PC contains the massive crypto hijacker but plenty of other spyware as well.
In order not to become a victim of the Clipboard Crypto hijacker, 2-viruses.com team advise you to:
- always be cautious and double check the cryptocurrency wallet address before the transaction
- routinely scan the computer with trustworthy antivirus/anti-malware program
- do not visit and interact with shady websites
- download software only from the original source
- don’t open attachments from unknown emails
If you already have noticed that your system has been infected, DO NOT make any new crypto coin transfers or enter any other personal information online and try removing the virus with Spyhunter or Malwarebytes.
Source: SecurityAffairs.co