
A recently discovered Bitcoin malspam campaign attempts to steal Bitcoins from potential victims through an email attachment that, when executed, installs a Windows clipboard hijacker.

My Online Security, a website which specializes in digital security, first notified users of the issue.

The recipient received two different emails containing the same content and payload, under the subject:

“-FW: Review Your New Bitcoin International Investment Update 2019 -FW: Review BTC”

The recipient failed to extract the files with WinZip but managed to do so with 7zip and WinRAR. The encrypted content contained a JavaScript file, which in turn contained an embedded .exe. However, the user was unable to get the file to run.

After help from researchers and Twitter users, the recipient concluded that the ‘Task.exe’ program ‘is actually a clipboard hijacker malware that is based off the open source BitPing program created by a security researcher named A Shadow.’

According to Bleeping Computer:

“A cryptocurrency clipboard hijacker is malware that monitors the Windows Clipboard for certain data, and when detected, swaps it with different data that the attacker wants. In this particular case, Task.exe will monitor the Clipboard for bitcoin addresses, and if one is detected, will swap it for the 3MSghqkGW8QhHs6HD3UxNVp9SRpGvPkk5W address, which is owned by the attacker.”

The original report found that the malware activates whenever the user copies or pastes a Bitcoin wallet address. It detects the copied address in the clipboard and replaces it with the hacker's own address, hoping the victim does not notice the swap.

As a result, once the payment is sent, the coins go to the hacker's address and not to the address the sender originally intended.

The best way to avoid situations such as this is not to open strange attachments from unknown contacts and to make sure Windows is configured to display file extensions.
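
The swap described above can be caught by comparing the address that was copied with the one that arrives in the payment field. The Python below is an added example, not code from the original report or from BitPing. Its function names are hypothetical, the regular expression checks address shape only (no checksum), and the only address taken from the article is the attacker address quoted above.

```python
import re

# Attacker-owned address quoted in the Bleeping Computer excerpt above.
KNOWN_HIJACKER_ADDRESSES = {"3MSghqkGW8QhHs6HD3UxNVp9SRpGvPkk5W"}

# Shape-only match: Base58 addresses starting with 1 or 3 (the Base58
# alphabet has no 0, O, I or l) and bech32 addresses starting with "bc1".
# Assumption: shape matching is enough to spot a swap; checksums are not verified.
ADDRESS_RE = re.compile(
    r"(?<![A-Za-z0-9])"
    r"(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})"
    r"(?![A-Za-z0-9])"
)


def find_addresses(text):
    """Return address-shaped tokens in order of appearance."""
    return ADDRESS_RE.findall(text)


def check_paste(copied, pasted):
    """Compare the copied text with what landed in the payment field.

    Returns a list of (severity, message) findings; an empty list means
    the pasted address matches what the user copied.
    """
    findings = []
    src, dst = find_addresses(copied), find_addresses(pasted)
    for addr in dst:
        if addr in KNOWN_HIJACKER_ADDRESSES:
            findings.append(("critical", f"known hijacker address pasted: {addr}"))
    if src and dst and src != dst:
        findings.append(
            ("high", f"address changed between copy and paste: {src[0]} -> {dst[0]}")
        )
    elif src and not dst:
        findings.append(("medium", "an address was copied but none was pasted"))
    return findings


if __name__ == "__main__":
    # Constructed test input: the well-known genesis-block address as the
    # intended recipient, and the attacker address as the pasted value.
    intended = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    for finding in check_paste(intended, "3MSghqkGW8QhHs6HD3UxNVp9SRpGvPkk5W"):
        print(finding)
```

A wallet or payment form can run a check like this before the transaction is confirmed and ask the user to re-verify the recipient whenever a finding is returned.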
