Saturday, October 5, 2024

New Clipboard Malware Monitors the Windows Clipboard for Cryptocurrency Addresses and Replaces Them with Its Own Address


A newly discovered Clipboard Malware variant abuses users' copy-paste habit: it checks the clipboard for a cryptocurrency wallet address and replaces it with its own wallet address.

A cryptocurrency address is unique and difficult to remember, since it is a very long string combining letters and numbers.

Whenever users copy something on their computer using Ctrl+C, the copied data is stored in the clipboard, where the attacker obtains it using this new malware.


The clipboard is a shared memory area that you can copy data into and copy data from. All applications have access to the clipboard, so data can easily be transferred between applications, and Windows provides APIs for managing it.

Users habitually copy long values such as cryptocurrency addresses, so malware authors exploit this copy-paste habit to generate huge revenue.

It can also lead to huge losses if the clipboard holds sensitive data such as bank data, passwords, and other financial information.

How Does This Clipboard Malware Work

A malware variant detected as “Trojan.CBHAgent” is capable of monitoring the Windows clipboard and checking whether the user has copied a cryptocurrency address.

Once the malware identifies the copied text as a cryptocurrency address, it replaces it with one of the bitcoin addresses from the list maintained in the file, and the change is hard for users to notice unless they verify the address manually.

Trojan.CBHAgent abuses the Windows API to manipulate the clipboard data. Initially it drops a DLL on the victim's system, which is run using rundll32.exe.

$> C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Administrator\Desktop\Sample\CBHAgent.dll",includes_func_runnded

Here we can see “includes_func_runnded”, an exported function that performs the clipboard monitoring.
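For detection, the launch pattern above (rundll32.exe loading a DLL from a user-writable folder and calling a named export) can be matched in process-creation logs. The following is an added example, not code from the article or from QuickHeal; the trusted-directory list and every sample line except the command quoted above are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# rundll32 <dll>,<export>; the DLL path may be wrapped in straight or curly quotes.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?["”]?\s+["“]?(?P<dll>[^"“”,]+?)["”]?\s*,\s*(?P<export>[#\w]+)',
    re.IGNORECASE,
)
# Assumed allow-list of directories where legitimate rundll32 targets normally live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def inspect_cmdline(cmdline):
    """Return (dll, export, suspicious) for a rundll32 command line, else None."""
    m = RUNDLL_RE.search(cmdline)
    if m is None:
        return None
    dll = PureWindowsPath(m["dll"].strip())
    # Suspicious: an absolute DLL path outside the trusted roots (Desktop, Temp, ...).
    suspicious = dll.is_absolute() and not str(dll).lower().startswith(TRUSTED_ROOTS)
    return str(dll), m["export"], suspicious

# Constructed process-creation command lines; the first is the one quoted in the article.
SAMPLE_EVENTS = [
    r'C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Administrator\Desktop\Sample\CBHAgent.dll",includes_func_runnded',
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl',
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\alice\AppData\Local\Temp\x.dll",#1',
    r'C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt',
]

def flagged(events):
    """Return (dll, export) pairs whose target DLL sits outside the trusted roots."""
    hits = []
    for line in events:
        result = inspect_cmdline(line)
        if result and result[2]:
            hits.append(result[:2])
    return hits

if __name__ == "__main__":
    for dll, export in flagged(SAMPLE_EVENTS):
        print(f"ALERT rundll32 -> {dll} export={export}")
```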

This Clipboard Malware also uses a ‘detection_VMx’ function as an anti-VM check: it tests whether it is being run in a virtual machine in order to hinder analysis and evade detection.

To make analysis more difficult, the malware authors packed the trojan file using the PECompact packer.

Researchers identified a plain-text file listing more than 2.3 million bitcoin addresses, which is used to search for the targeted bitcoin wallet address.

According to QuickHeal analysis, “On execution, it starts monitoring clipboard data continuously and checks if there is any like bitcoin address. For validation, it uses a regular expression. Once matched, it will be replaced with an address present in the list. The Trojan is not affecting any data other than bitcoin addresses.”

This process runs entirely in the background, so it is very difficult to spot. Users need to double-check the wallet address when they copy and paste, and make sure the original wallet address is used.
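The double-check described above can be automated in a wallet or payment form. The following is an added example, not code from the article or QuickHeal: it treats "a well-formed address was copied, a different well-formed address is being pasted" as the swap signature. The regular expression is an assumed shape for legacy Base58 addresses (the malware's own expression is not given on the page), and the two sample addresses are constructed from dummy hashes.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Assumed shape of a legacy Base58 bitcoin address; the malware's own regex is not on the page.
ADDR_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")

def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload):
    """Encode version byte + 20-byte hash as Base58Check (used to build sample data)."""
    data = payload + _checksum(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out

def is_valid_address(text):
    """True if text has the address shape and its embedded checksum verifies."""
    if not ADDR_RE.match(text):
        return False
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # 1 version byte + 20-byte hash + 4-byte checksum
    except OverflowError:
        return False
    return raw[-4:] == _checksum(raw[:-4])

def check_paste(copied, pasted):
    """Compare what the user copied with what is about to be pasted."""
    copied, pasted = copied.strip(), pasted.strip()
    if not is_valid_address(copied):
        return "not-an-address"
    if pasted == copied:
        return "ok"
    # A different but well-formed address is the signature of a clipboard swap.
    return "swapped" if is_valid_address(pasted) else "changed"

# Constructed addresses built from dummy hashes; they belong to no real wallet.
INTENDED = b58check_encode(b"\x00" + bytes(range(1, 21)))
OTHER = b58check_encode(b"\x00" + bytes(range(21, 41)))
```

A checksum failure ("changed") points to a typo or truncation, while "swapped" means the pasted value is a complete, valid address that the user never copied.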

Indicator of compromise:

48b66dd02a336eb049a784b3fd1beb5312fb8c078b3729d49e92e3e986c98e91


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
