New Clipboard Malware variant discovered that abuse the users Copy-Paste habit and check the Cryptocurrency wallet to replaced its own wallet Address in the Clipboard.

Cryptocurrency Address is very unique and it is difficult to remember since its a very long length address with the combination of letters and numbers.

Whenever Users Copy something from their computer using Ctrl+C, the copied data will be stored in clipboard where the attacker gains the information using this new malware.

Clipboard is a shared memory area that you can copy data into and copy data from. All applications have access to this clipboard, data can be easily transferred between applications and windows provides APIs for managing clipboard.


A user always has a habit to copy such as Cryptocurrency Addresses that contain longer length, so Malware authors are exploiting this habit of copy-past habit and generate huge revenue.

Also, this will leads to face the huge loose if there will be some sensitive data such as bank data, Passwords, and other financial information.

How Does This Clipboard Malware Works

A malware variant discovered as  “Trojan.CBHAgent”. that is capable of monitoring the windows clipboard and check if the user copied the cryptocurrency addresses.

Once the malware detected it as cryptocurrency address then it will be replaced by one of the bitcoin address from the list maintained in the file and its little bit harder to identify it users until the manually verify it deeply.

Trojan.CBHAgent abuse the Windows API  to manipulate the clipboard data, Initially it drops the  DLL on victims system that will be run using rundll32.exe.

$> C:\WINDOWS\system32\rundll32.exe “C:\Documents and Settings\Administrator\Desktop\Sample\CBHAgent.dll”,includes_func_runnded

Here we can see the “includes_func_runnded” which is an exported function which performs the clipboard monitoring.

Also, this Clipboard Malware using ‘detection_VMx’ function to preventing its analysis being run in a virtual machine or not to evade the detection using an anti-VM check.

Make the analysis more difficult, Malware authors Packed the trojan file using a PECompact packer.

Researchers Identified the Plain text file that contains More than 2.3 million bitcoin addresses are listed out in the file which is used for search the targeted bitcoin wallet address.

According to QuickHeal analysis, “On execution, it starts monitoring clipboard data continuously and checks if there is any like bitcoin address. For validation, it uses a regular expression. Once matched, it will be replaced with an address present in the list. The Trojan is not affecting any data other than bitcoin addresses.”

This process is completely running in the background, so it’s very difficult to find it. Users need to double check the wallet address while copy-past and make sure the original wallet address is used.

Indicator of compromise:


Also Read: 

Currency Stealer Malware “ComboJack” Targets Online Wallets by Replacing Clipboard(Copy&paste) Addresses

Hackers using .NET Malware Called “Evrial” to steals Bitcoins by Abusing the clipboard

Hackers Empty Target Bank Accounts Using Innovative BackSwap Malware

Hacker Selling Powerful SquirtDanger Malware in Underground Market that Take’s Screenshot, Steal Wallets & Browser Passwords

BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Please enter your comment!
Please enter your name here