Kaspersky Lab researchers have detected a new piece of malware that steals cryptocurrencies such as Bitcoin, Ethereum and Dash. The CryptoShuffler Trojan, built by cyber-criminals, replaces the address of a user’s cryptocurrency wallet in the clipboard with one owned by the malware creator.

Read the complete press release below

Kaspersky Lab researchers have discovered a new malware which steals cryptocurrencies from a user’s wallet by replacing their address with its own in the device’s clipboard. Criminals are targeting popular cryptocurrencies such as Bitcoin, Ethereum, Zcash, Dash, Monero and others. Indeed, criminals have already succeeded with Bitcoin wallets, earning almost 100,000 dollars overall, according to our data. In addition, experts have found a new Trojan, designed for Monero mining, with some samples currently available in the wild.

With the cryptocurrency boom continuing across the world, it is fast becoming an attractive target for cybercriminals. Kaspersky Lab researchers have already seen a rise in miners, which have affected thousands of computers and generated hundreds of thousands of dollars. In addition, experts have noticed that criminals are starting to use less advanced techniques and are spending less time and resources in this area. According to the research, cryptocurrency stealers, which have been increasing in prevalence since 2014, are again putting users’ crypto savings at risk.

Kaspersky Lab researchers have discovered a new CryptoShuffler Trojan, designed to change the addresses of users’ cryptocurrency wallets in the infected device’s clipboard (a software facility used for short-term data storage). Clipboard hijacking attacks have been known for years, redirecting users to malicious websites and targeting online payment systems. However, cases involving a cryptocurrency host address are rare.

In most cryptocurrencies, if the user wants to transfer crypto coins to another user, they need to know the recipient’s wallet ID – a unique multi-digit number. Here is how the CryptoShuffler exploits the system’s need to operate with these numbers.

After initializing, the CryptoShuffler Trojan starts to monitor the device’s clipboard, which users rely on when making a payment: they copy a wallet number and paste it into the “destination address” field of the software used to carry out the transaction. The Trojan replaces the copied wallet address with one owned by the malware creator, so the wallet ID the user pastes into the destination field is not the address they originally intended to send money to. As a result, the victim transfers his or her money directly to the criminals, unless an attentive user spots the sudden replacement.

The latter is usually not the case, since multi-digit numbers and the wallet addresses in a blockchain are typically very difficult to remember. Therefore, it is hard to notice anything distinctive in the transaction line, even when it is directly in front of the user’s eyes.

Destination replacement in the clipboard occurs instantly, thanks to the simplicity of searching for wallet addresses: the addresses of most cryptocurrency wallets sit at a constant position in the transaction line and always have a fixed number of characters. Thus, intruders can easily write pattern-matching rules (regular expressions) to find and replace them. Based on the research, CryptoShuffler works with a wide range of the most popular cryptocurrencies, such as Bitcoin, Ethereum, Zcash, Dash, Monero and others.
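As an added, defender-side illustration (this code is not part of Kaspersky's release): the same fixed address shapes that let the Trojan find wallet IDs with a pattern also let a clipboard monitor notice when an address the user copied is silently replaced by a different one of the same kind. The address patterns, the event format and the sample session below are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Simplified address shapes for two currencies named in the release.
# Constructed for this example; real validation would also verify checksums.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify_address(text: str) -> Optional[str]:
    """Return the currency whose address shape `text` matches, else None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None

def detect_swaps(events: List[Tuple[str, str]]) -> List[str]:
    """Replay (source, content) clipboard events; return one alert per silent swap.
    "user_copy" is a deliberate copy that sets the baseline; "poll" is a periodic
    clipboard read. A poll showing a different address of the baseline's kind alerts."""
    expected: Optional[str] = None
    kind: Optional[str] = None
    alerts: List[str] = []
    for source, content in events:
        content = content.strip()
        if source == "user_copy":
            kind = classify_address(content)
            expected = content if kind else None  # non-address copy clears baseline
        elif (expected is not None and content != expected
              and classify_address(content) == kind):
            alerts.append(f"ALERT: {kind} address swapped: {expected} -> {content}")
            expected = content  # move the baseline so each change is reported once
    return alerts

# Constructed sample session; both Ethereum addresses are dummies.
INTENDED = "0x" + "ab12" * 10
SWAPPED = "0x" + "ee" * 20
SAMPLE_EVENTS = [
    ("user_copy", "meeting notes"),  # non-address content: no baseline
    ("user_copy", INTENDED),         # user copies the recipient's address
    ("poll", INTENDED),              # unchanged: no alert
    ("poll", SWAPPED),               # silent replacement: alert
    ("poll", SWAPPED),               # still swapped: already reported
]

if __name__ == "__main__":
    print("\n".join(detect_swaps(SAMPLE_EVENTS)) or "no alerts")
```

A real monitor would feed `detect_swaps` from the platform clipboard API and treat a keyboard or menu copy as the "user_copy" event; the comparison logic stays the same.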