ComboJack malware switches Bitcoin wallets in Windows clipboard

Online thieves are spamming PC users with malware that monitors the clipboard for Bitcoin and other cryptocurrency wallets and switches it to an attacker's address. 

The malware, dubbed “CryptoJack”, facilitates theft of a range of cryptocurrencies by constantly checking for payment addresses stored in the Windows clipboard and replacing the intended address with one the attacker controls. 

It’s just the latest scam in the cryptocurrency free-for-all that’s spawned the lucrative malicious miner trend to malware that steals Bitcoin from ransomware attackers. 

in January researchers at Proofpoint discovered malware that steals Bitcoin ransomware payments from victims en route, via Tor, to their ransomware attacker, similarly by switching the intended payment address. So, not only did the ransomware attacker not receive their ransom, victims likely wouldn't receive the keys to decrypt their computers.

Prior to this a trojan called Envrial was observed monitoring the Windows clipboard for Bitcoin payment addresses and switching them to an attacker’s address. 

Researchers Palo Alto Networks Unit 42 and Proofpoint spotted the CryptoJack malicious spam campaign on February 25 targeting Japanese and US users. 

The spam includes a PDF attachment that tempts the victim to open it by claiming it contains details about a lost passport. The PDF contained an embedded RTF file that if clicked open exploits an elevation of privilege  flaw Microsoft released a patch for last June. It contains an embedded HTA file, which leads to a PowerShell command that downloads and executes ComboJack. 

One installed, ComboJack enters a loop that checks the content of the clipboard every half a second and validates that it contains wallet information for a range of currencies. 

The malware scans for the certain length strings associated with popular currencies, including Ethereum, Monero, Bitcoin, Litecoin, Qiwi, WebMoney in Rubles and USD, and Yandex Money.  

If a relevant wallet is detected ComboJack replaces the wallet with a hardcoded wallet under the attacker’s control. 

As Unit 42 researchers note, the attackers target the clipboard on the likely correct assumption that users will copy an address to the clipboard because the string is typically long, complex and must be correct to ensure it reaches the right address.    


Join the newsletter!

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags Bitcoincryptocurrencyethereum

More about MicrosoftPalo Alto NetworksProofpoint

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts