Meet ComboJack: new Trojan steals cryptocurrency using the data in the clipboard

Security researchers have discovered new malware that watches the Windows clipboard for copied cryptocurrency addresses. When one is found, the program replaces the copied address with the address of the attacker's wallet.

Named ComboJack, this malware is similar to Evrial and CryptoShuffler. The main difference is that ComboJack "supports" many cryptocurrencies, not just Bitcoin.

According to Palo Alto Networks, ComboJack is able to detect when a user copies an address for Bitcoin, Litecoin, Monero or Ethereum, as well as for other digital payment systems such as Qiwi, Yandex Money and WebMoney (payments in US dollars and Russian rubles).

The company said the malware was found while observing a phishing e-mail campaign directed against American and Japanese users.

The infection chain is fairly complicated, but it follows the patterns seen last year in the campaigns that distributed Dridex and the Locky ransomware.

The attackers send an email that is not addressed to the potential victim personally. The message claims that somebody forgot a passport in the sender's office and asks the recipient to open the attached "scanned document" and check whether they know its owner.

If the user downloads and opens this PDF, it delivers an embedded RTF file that exploits CVE-2017-8759. The exploit lets the attackers run code on the machine and execute PowerShell commands that download and launch ComboJack.

Once installed on the computer, ComboJack uses the built-in Windows tool attrib.exe, which lets it hide its files from the user, and then runs its process with elevated privileges.

ComboJack polls the Windows clipboard every second for new content. When the user copies a string that matches the address template of a cryptocurrency (or payment system), ComboJack replaces that address with one from its internal list. Users are therefore advised to double-check the destination address they have pasted against the one they copied.
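The clipboard-hijacking behaviour described above, modelled as an added Python example (illustrative code written for this article, not ComboJack's code and not taken from the Palo Alto Networks report). The address patterns are constructed from the public address formats rather than ComboJack's own matching rules, the attacker wallets are placeholders of the right shape, the sample clipboard contents are constructed, and the Windows clipboard is replaced by an in-memory stand-in so that the example runs anywhere. It also shows the defensive check that the advice above amounts to: compare what was pasted with what was copied.

```python
import re
from typing import Optional

# Address templates keyed by currency. Constructed for this example from the
# publicly documented address formats (prefix, alphabet, length); the page
# does not reproduce ComboJack's own matching rules.
ADDRESS_PATTERNS = {
    "bitcoin":  re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "litecoin": re.compile(r"^[LM][a-km-zA-HJ-NP-Z1-9]{26,33}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero":   re.compile(r"^[48][a-km-zA-HJ-NP-Z1-9]{94}$"),
}

# Wallets the hijacker swaps in, one per currency. Constructed placeholders
# that merely have the right shape; they are not the real ComboJack addresses.
ATTACKER_WALLETS = {
    "bitcoin":  "3CmbJackAttackerWa11et111111111111",
    "litecoin": "LCmbJackAttackerWa11et111111111111",
    "ethereum": "0xc0ffee254729296a45a3885639AC7E10F9d54979",
    "monero":   "4" + "8" * 94,
}


def classify(text: str) -> Optional[str]:
    """Return the currency whose address template the text matches, or None."""
    candidate = text.strip()
    for currency, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return currency
    return None


def hijack(text: str, wallets=ATTACKER_WALLETS) -> str:
    """One decision of the hijacker: swap a recognised address for the
    attacker's wallet of the same currency, leave anything else untouched."""
    currency = classify(text)
    return text if currency is None else wallets[currency]


class Clipboard:
    """Stand-in for the Windows clipboard: a single text slot."""

    def __init__(self) -> None:
        self.text = ""

    def copy(self, text: str) -> None:   # user presses Ctrl+C (or malware writes)
        self.text = text

    def paste(self) -> str:              # user presses Ctrl+V
        return self.text


def poll(clipboard: Clipboard, state: dict, wallets=ATTACKER_WALLETS) -> dict:
    """One tick of the once-per-second watcher. `state["last_seen"]` holds the
    content observed at the previous tick, so unchanged content is skipped."""
    current = clipboard.paste()
    if current != state.get("last_seen"):
        swapped = hijack(current, wallets)
        if swapped != current:
            clipboard.copy(swapped)      # the address the user will paste
        state["last_seen"] = clipboard.paste()
    return state


def paste_is_authentic(copied: str, pasted: str) -> bool:
    """The check users are advised to make: the destination address that ends
    up in the wallet must be exactly the one that was copied."""
    return copied.strip() == pasted.strip()


def run_scenario():
    """Three constructed user copies, each followed by one watcher tick.
    Returns (copied, pasted, authentic) triples as a victim would observe them."""
    clipboard, state, observed = Clipboard(), {}, []
    for copied in [
        "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",          # a Bitcoin address
        "meeting moved to 3 pm",                       # ordinary text, ignored
        "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe",  # an Ethereum address
    ]:
        clipboard.copy(copied)
        poll(clipboard, state)
        pasted = clipboard.paste()
        observed.append((copied, pasted, paste_is_authentic(copied, pasted)))
    return observed


if __name__ == "__main__":
    for copied, pasted, ok in run_scenario():
        print(f"copied={copied!r}\n pasted={pasted!r}\n authentic={ok}\n")
```

The watcher only needs a prefix-and-length match, which is why it costs the attacker nothing to "support" many currencies at once: each is one more pattern and one more wallet in the table. The matching here is deliberately loose (no checksum validation), so a defender should not rely on address validity either; the only reliable user-side check is the one `paste_is_authentic` performs, comparing the pasted destination with the address taken from the trusted source.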

The Palo Alto Networks report includes a table of the wallet addresses used by the ComboJack operators.

The attackers' tactic relies on the fact that wallet addresses are, as a rule, long and hard to remember. To avoid mistakes, most users simply copy the address to the clipboard. Researchers from Palo Alto Networks noted in their report:

Because ComboJack relies on exploiting a vulnerability that Microsoft patched in September 2017, one way to protect against the Trojan is to update Windows with the latest security updates.

And remember: just as you would not open the door to strangers, you should not open letters from unknown senders, and certainly not strange attachments.