While cryptocurrency has seen tremendous growth over the past year, sending cryptocoins still requires users to send the coins to long and hard to remember addresses. Due to this, when sending cryptocoins, many users will simply copy the address into memory from one application and paste it into another application that they are using to send the coins.

Attackers recognize that users are copying and pasting the addresses and have created malware to take advantage of this. This type of malware, called CryptoCurrency Clipboard Hijackers, works by monitoring the Windows clipboard for cryptocurrency addresses, and if one is detected, will swap it out with an address that they control. Unless a user double-checks the address after they paste it, the sent coins will go to an address under the attackers control instead the intended recipient.

While we have covered cryptocurrency clipboard hijackers in the past and they are not new, most of the previous samples monitored for 400-600 thousand cryptocurrency addresses. This week BleepingComputer noticed a sample of this type of malware that monitors for a over 2.3 million cryptocurrency addresses!

2.3 million cryptocurrency addresses being monitor by malware

To illustrate how this malware will replace cryptocurrency addresses found within the Windows clipboard, we have created the video below.

In the video above you can see how the malware takes a cryptocurrency address copied into the Windows clipboard and replaces it with another one under their control. Unless a user double-checks the pasted address, they will have no idea that this swap took place.

How the infection loads

This infection was spotted as part of the All-Radio 4.27 Portable malware package that was distributed this week. When installed, a DLL named d3dx11_31.dll will be downloaded to the Windows Temp folder and an autorun called "DirectX 11" will be created to run the DLL when a user logs into the computer.

This DLL will be executed using rundll32.exe with the "rundll32 C:\Users\[user-name]\AppData\Local\Temp\d3dx11_31.dll,includes_func_runnded" command.

Rundll32.exe launching the infection

Protecting yourself from clipboard hijackers

As malware like this runs in the background with no indication that it is even running, is it not easy to spot that you are infected. Therefore it is important to always have a updated antivirus solution installed to protect you from these types of threats.

It is also very important that all cryptocurrency users to double-check any addresses that they are sending cryptocoins to before they actually send them. This way you can spot whether an address has been replaced with a different one than is intended.