Researchers have discovered a new malware, named ComboJack, that is capable of detecting when users copy a cryptocurrency address to the Windows clipboard. The malware works by replacing this address with one owned by the cybercriminal.
This malware is similar to Evrial and CryptoShuffler. The difference between ComboJack and the two is that ComboJack supports multiple cryptocurrencies, not just Bitcoin.
These two malware families can easily be detected and removed by a capable cybersecurity solution such as an antivirus.
According to researchers, ComboJack can detect when a user has copied a cryptocurrency address for Bitcoin, Litecoin, Ethereum, and Monero, and other digital payment systems such as Qiwi, Yandex Money, and WebMoney.
The malware is distributed through a malspam campaign targeting Japanese and American users.
The campaign follows the patterns seen last year with Dridex (banking trojan) and Locky (ransomware) campaigns.
It all starts when a cybercriminal sends victims an email claiming to contain a scan of a lost passport. The attachment to this email is a PDF file.
When the PDF is opened, the file runs an RTF file that contains an embedded HTA object that tries to exploit the CVE-2017-8579 DirectX vulnerability.
Next, an HTA file contained within the RTF runs a series of PowerShell commands that download and execute a self-extracting executable (SFX).
This SFX file downloads and runs a password-protected SFX that then installs ComboJack.
ComboJack then gains boot persistence and starts scanning the Windows clipboard every half a second for new content. When the user copies a string that matches a known pattern for a cryptocurrency or payment system address, ComboJack replaces that address with one from an internal list.
Always double-check that cryptocurrency payment addresses that are copy-pasted are identical in the source and destination locations.
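The clipboard-swapping behaviour described above (an address-shaped string silently replaced by another of the same currency within the malware's half-second polling window) and the manual double-check recommended here can both be expressed as detection logic. The following is an added example for defenders, not code from the article or from any analysis of ComboJack: it classifies clipboard contents by rough address shape (the regular expressions are assumed approximations, not full validators), walks a constructed timeline of clipboard snapshots, and flags the point where one address was replaced by another without enough time for a user to have copied something new. The sample addresses are constructed to match the patterns and are not real wallets.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rough address-shape patterns (assumed approximations for illustration; a real
# validator would also verify the checksum that each address format encodes).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "litecoin": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}

# ComboJack is reported to poll the clipboard every half second, so a swap
# shows up as two different addresses of the same kind within a short window;
# anything slower is treated as the user legitimately copying a new address.
SWAP_WINDOW_SECONDS = 2.0


def classify(text: str) -> Optional[str]:
    """Return the currency whose address shape `text` matches, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class SwapAlert:
    at: float
    currency: str
    before: str
    after: str


def detect_swaps(snapshots: List[Tuple[float, str]]) -> List[SwapAlert]:
    """Scan a time-ordered list of (seconds, clipboard text) snapshots and flag
    every place where one address was replaced by a different address of the
    same currency inside SWAP_WINDOW_SECONDS."""
    alerts: List[SwapAlert] = []
    prev_time, prev_text = None, None
    for now, text in snapshots:
        if prev_text is not None and text != prev_text:
            before_kind, after_kind = classify(prev_text), classify(text)
            if (before_kind is not None and before_kind == after_kind
                    and now - prev_time <= SWAP_WINDOW_SECONDS):
                alerts.append(SwapAlert(now, after_kind, prev_text.strip(), text.strip()))
        prev_time, prev_text = now, text
    return alerts


def paste_matches_source(source: str, pasted: str) -> bool:
    """The manual check the article recommends: the address that ended up in
    the destination field must be exactly the one copied from the source."""
    return source.strip() == pasted.strip()


# Constructed sample addresses (shape-valid only; not real wallets).
BTC_USER = "1BenignUserAddr" + "A" * 12
BTC_SWAPPED = "1SwappedByMa1ware" + "A" * 10
ETH_USER = "0x" + "ab" * 20
ETH_LATER = "0x" + "cd" * 20

# Constructed clipboard timeline: a swap at t=5.4s and a legitimate new copy at t=60s.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (5.0, BTC_USER),
    (5.4, BTC_SWAPPED),
    (20.0, ETH_USER),
    (60.0, ETH_LATER),
    (70.0, "unrelated text"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{alert.at:.1f}s] {alert.currency} address changed without a new copy: "
              f"{alert.before} -> {alert.after}")
    print("paste check:", paste_matches_source(BTC_USER, BTC_SWAPPED))
```

Run as a script it reports the single bitcoin swap at 5.4 seconds and a failed paste check; the later Ethereum change is 40 seconds apart and so is treated as a new copy. A live version would feed real clipboard snapshots into `detect_swaps` instead of the constructed list, and the time window should be tuned to how often the monitor itself polls.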
Also, remember to practice good security habits: always use 2FA and always double-check everything. Keep your system safe against this kind of cybersecurity threat by installing a reliable cybersecurity solution. Depending on which OS you are using, please install an antivirus for Mac or antivirus for Windows to be fully protected against all types of miners.