Friday, March 29, 2024

New Clipboard Malware Monitors the Windows Clipboard for Cryptocurrency Addresses and Replace its Own Address

New Clipboard Malware variant discovered that abuse the users Copy-Paste habit and check the Cryptocurrency wallet to replaced its own wallet Address in the Clipboard.

Cryptocurrency Address is very unique and it is difficult to remember since its a very long length address with the combination of letters and numbers.

Whenever Users Copy something from their computer using Ctrl+C, the copied data will be stored in clipboard where the attacker gains the information using this new malware.

Clipboard is a shared memory area that you can copy data into and copy data from. All applications have access to this clipboard, data can be easily transferred between applications and windows provides APIs for managing clipboard.

A user always has a habit to copy such as Cryptocurrency Addresses that contain longer length, so Malware authors are exploiting this habit of copy-past habit and generate huge revenue.

Also, this will leads to face the huge loose if there will be some sensitive data such as bank data, Passwords, and other financial information.

How Does This Clipboard Malware Works

A malware variant discovered as  “Trojan.CBHAgent”. that is capable of monitoring the windows clipboard and check if the user copied the cryptocurrency addresses.

Once the malware detected it as cryptocurrency address then it will be replaced by one of the bitcoin address from the list maintained in the file and its little bit harder to identify it users until the manually verify it deeply.

Trojan.CBHAgent abuse the Windows API  to manipulate the clipboard data, Initially it drops the  DLL on victims system that will be run using rundll32.exe.

$> C:\WINDOWS\system32\rundll32.exe “C:\Documents and Settings\Administrator\Desktop\Sample\CBHAgent.dll”,includes_func_runnded

Here we can see the “includes_func_runnded” which is an exported function which performs the clipboard monitoring.

Also, this Clipboard Malware using ‘detection_VMx’ function to preventing its analysis being run in a virtual machine or not to evade the detection using an anti-VM check.

Make the analysis more difficult, Malware authors Packed the trojan file using a PECompact packer.

Researchers Identified the Plain text file that contains More than 2.3 million bitcoin addresses are listed out in the file which is used for search the targeted bitcoin wallet address.

According to QuickHeal analysis, “On execution, it starts monitoring clipboard data continuously and checks if there is any like bitcoin address. For validation, it uses a regular expression. Once matched, it will be replaced with an address present in the list. The Trojan is not affecting any data other than bitcoin addresses.”

This process is completely running in the background, so it’s very difficult to find it. Users need to double check the wallet address while copy-past and make sure the original wallet address is used.

Indicator of compromise:

48b66dd02a336eb049a784b3fd1beb5312fb8c078b3729d49e92e3e986c98e91

Also Read: 

Currency Stealer Malware “ComboJack” Targets Online Wallets by Replacing Clipboard(Copy&paste) Addresses

Hackers using .NET Malware Called “Evrial” to steals Bitcoins by Abusing the clipboard

Hackers Empty Target Bank Accounts Using Innovative BackSwap Malware

Hacker Selling Powerful SquirtDanger Malware in Underground Market that Take’s Screenshot, Steal Wallets & Browser Passwords

Website

Latest articles

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles