Sunday, June 16, 2024

New Clipboard Malware Monitors the Windows Clipboard for Cryptocurrency Addresses and Replace its Own Address

New Clipboard Malware variant discovered that abuse the users Copy-Paste habit and check the Cryptocurrency wallet to replaced its own wallet Address in the Clipboard.

Cryptocurrency Address is very unique and it is difficult to remember since its a very long length address with the combination of letters and numbers.

Whenever Users Copy something from their computer using Ctrl+C, the copied data will be stored in clipboard where the attacker gains the information using this new malware.

Clipboard is a shared memory area that you can copy data into and copy data from. All applications have access to this clipboard, data can be easily transferred between applications and windows provides APIs for managing clipboard.

A user always has a habit to copy such as Cryptocurrency Addresses that contain longer length, so Malware authors are exploiting this habit of copy-past habit and generate huge revenue.

Also, this will leads to face the huge loose if there will be some sensitive data such as bank data, Passwords, and other financial information.

How Does This Clipboard Malware Works

A malware variant discovered as  “Trojan.CBHAgent”. that is capable of monitoring the windows clipboard and check if the user copied the cryptocurrency addresses.

Once the malware detected it as cryptocurrency address then it will be replaced by one of the bitcoin address from the list maintained in the file and its little bit harder to identify it users until the manually verify it deeply.

Trojan.CBHAgent abuse the Windows API  to manipulate the clipboard data, Initially it drops the  DLL on victims system that will be run using rundll32.exe.

$> C:\WINDOWS\system32\rundll32.exe “C:\Documents and Settings\Administrator\Desktop\Sample\CBHAgent.dll”,includes_func_runnded

Here we can see the “includes_func_runnded” which is an exported function which performs the clipboard monitoring.

Also, this Clipboard Malware using ‘detection_VMx’ function to preventing its analysis being run in a virtual machine or not to evade the detection using an anti-VM check.

Make the analysis more difficult, Malware authors Packed the trojan file using a PECompact packer.

Researchers Identified the Plain text file that contains More than 2.3 million bitcoin addresses are listed out in the file which is used for search the targeted bitcoin wallet address.

According to QuickHeal analysis, “On execution, it starts monitoring clipboard data continuously and checks if there is any like bitcoin address. For validation, it uses a regular expression. Once matched, it will be replaced with an address present in the list. The Trojan is not affecting any data other than bitcoin addresses.”

This process is completely running in the background, so it’s very difficult to find it. Users need to double check the wallet address while copy-past and make sure the original wallet address is used.

Indicator of compromise:


Also Read: 

Currency Stealer Malware “ComboJack” Targets Online Wallets by Replacing Clipboard(Copy&paste) Addresses

Hackers using .NET Malware Called “Evrial” to steals Bitcoins by Abusing the clipboard

Hackers Empty Target Bank Accounts Using Innovative BackSwap Malware

Hacker Selling Powerful SquirtDanger Malware in Underground Market that Take’s Screenshot, Steal Wallets & Browser Passwords


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles