Researchers uncovered a new malware campaign spreading a clipboard hijacker dubbed ClipboardWalletHijacker that has already infected over 300,000 computers.

Security researchers from Qihoo 360 Total Security have spotted a new malware campaign spreading a clipboard hijacker, tracked as ClipboardWalletHijacker, that has already infected over 300,000 computers. Most of the victims are located in Asia, mainly China.

“Recently, 360 Security Center discovered a new type of actively spreading CryptoMiner, ClipboardWalletHijacker. The Trojan monitors clipboard activity to detect if it contains the account address of Bitcoin and Ethereum.” reads the analysis published by the company.

“It tampers with the receiving address to its own address to redirect the cryptocurrency to its own wallet. This kind of Trojans has been detected on more than 300 thousand computers within a week.”

Modus operandi for ClipboardWalletHijacker is not a novelty, the malware is able to monitor the Windows clipboard looking for Bitcoin and Ethereum addresses and replace them with the address managed by the malware’s authors.

In March 2018, researchers at Palo Alto Networks discovered a malware dubbed ComboJack that is able of detecting when users copy a cryptocurrency address and alter clipboards to steal cryptocurrencies and payments.

In a similar way, ClipboardWalletHijacker aims at hijacking BTC and ETH transactions.

Experts observed the malware using the following addresses when replacing legitimate ones detected in users’ clipboards:

BTC: 1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1

1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1 BTC: 19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL

19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL ETH: 0x004D3416DA40338fAf9E772388A93fAF5059bFd5

below the function the replace the legitimate Ethereum wallet address with the attackers’ one:

By replacing the address with the following one: “0x004D3416DA40338fAf9E772388A93fAF5059bFd5” the hackers have successfully hijacked 46 transactions.

Below the balances of these addresses:

Hackers have stolen a total 0.12434321 BTC from eight transactions and no Ether, for a total of around $800.

Recently Qihoo discovered many other miners, such as TaksHostMiner and WagonlitSwfMiner that infected dozens of thousands of machines.

“Recently, we have found that a lot of CryptoMiner Trojans are using this technique to steal victims’ cryptocurrencies.” concludes the company. “We strongly recommend users to enable antivirus software while installing new applications. Users are also recommended to run virus scan with 360 Total Security to avoid falling victim to CryptoMiner.”

Pierluigi Paganini

( Security Affairs – ClipboardWalletHijacker, cryptocurrency)

Share this...

Linkedin Reddit Pinterest

Share On