Hackers could use computer clipboard to steal cryptocurrency

News by Rene Millman

New malware has been discovered that can steal cryptocurrency without cracking passwords, reading wallets, copying private keys, without even making any network connections.

New malware has been discovered that can steal cryptocurrency without cracking passwords, reading wallets, copying private keys, without even making any network connections.
According to a blog post by security researchers at Sophos, the malware, called Troj/Agent-AZHF, hijacks the copy and paste and switches out legit payment details and replaces them with scammers details.
The malware is programmed to rewrite a victim’s clipboard in the hope of tricking them into paying their favourite cryptocurrency to the wrong recipients - in this case, cyber-criminals.
The malware is packaged as a DLL. When Agent-AZHF is loaded for the first time, it copies itself into the AppData folder, using the same name under which it arrived on a victim’s hard disk.
Once active, the malware examines the contents of the clipboard four times a second, testing to see if the contents match particular patterns. If the malware finds a regexp match in the clipboard text, it replaces the matched text with a different address for the same cryptocurrency.
"This malware does a switcheroo in your clipboard," said Paul Ducklin, senior technologist at Sophos. "It switches out your Bitcoin recipients with one of more than 120,000 Bitcoin addresses created by the crooks, matching up the first few characters of the address in the hope you won't spot the deceit. We followed the money, checking out how many bitcoins had been paid into the huge list of addresses coded into the malware - the good news is that the crooks don't seem to have made a fortune, not yet, anyway, but the bad news is that a bunch of victims have lost money to this scam."
Dimitar Pavlov, vice president of Development at Luckbox, told SC Media UK that this type of attack is not unique to the crypto world. 
"It has been observed multiple times in the past, where a common scenario would be that the malware inserts a URL in the clipboard of the user. If the user would follow that URL, they are typically led to a fake security website, trying to scam them," he said.
"Having higher stakes in the crypto world could be seen as a more lucrative opportunity by malware producers, but the easy mitigation, combined with the low probability of success would push this type of attack to the sidelines of the malware world."
Alex Hinchliffe, threat intelligence analyst at Unit 42, Palo Alto Networks, told SC Media UK that Unit 42’s own research back in March about the ComboJack malware, which operates in the same way, found that attackers are hedging their bets, targeting multiple cryptocurrencies and multiple web based wallets, which means that no matter which currencies rise or fall they are able to profit. This type of attack will continue as long as it maintains a high level of profitability with a low level of risk for cyber-criminals.
"This is different from the other common type of crypto-targeted malware we often see, in this case attackers are using malware to steal currencies not mine them. Securely storing and always double checking payment information will go some way to stopping this type of attack. However, organisations should, as much as is possible, prevent this type of malware getting into the system in the first place. This malware is often spread through email, so best practice around email use will help prevent these types of attack. Organisations should also put in place systems which identify and block malicious activity and malware," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews