Clipboard Hijacking

January 6, 2019

A new clipboard hijacking malware was discovered this June. It specifically targets cryptocurrency credentials on matching accounts, mainly destination addresses, most notably for Bitcoin and Ethereum users. So far, it has infected an estimated 300,000 computers worldwide, a huge percentage of them running Windows.

In case you were wondering how this works: cryptocurrency transfers require users to copy a destination address from one application into the program they are using to send the money. Destination addresses are complex by nature, usually a long string of alphanumeric characters, so it’s quite difficult to input them manually. This means that most, if not all, destination addresses in EVERY cryptocurrency transaction have been in the clipboard at least once.

After the malware finds a destination address in the clipboard, it replaces that address with one of its own, usually the address of the attacker. Since the address is a complex string of characters, users usually do not notice the change, and they end up sending the funds to the attacker themselves without knowing it. Cryptocurrency has huge monetary value, so each transaction is a huge haul for the attacker. Now imagine that malware running on several computers performing several transactions within a single day.


This hijacking malware, which is yet to be named, was clearly developed to take advantage of this behavior in cryptocurrency transactions.


So far, there hasn’t been any proof that other information, aside from destination addresses and access credentials, has been acquired by this malware.

One solution that we have at the moment is a manual one, since this is a new threat and a countermeasure hasn’t been officially applied. For now, we encourage all cryptocurrency traders to double check and cross check the destination addresses of each and every transaction, and make sure that you input your password without relying on the clipboard.
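As an added example (not from the original post or from any product), the swap described above can be detected by watching for an address-shaped clipboard value that is replaced by a different address of the same kind moments after it was copied. The address patterns, the 2-second window, the function names and the sample values are assumptions constructed for illustration.

```python
import re

# Address shapes: Bitcoin legacy/P2SH (Base58), Bitcoin bech32, Ethereum (0x + 40 hex).
PATTERNS = {
    "bitcoin": re.compile(
        r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Assumption: a replacement arriving this soon after the copy was not made by the user.
SWAP_WINDOW_SECONDS = 2.0


def classify(text):
    """Return the coin name if text looks like a destination address, else None."""
    candidate = text.strip()
    for coin, pattern in PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None


def detect_swaps(snapshots, window=SWAP_WINDOW_SECONDS):
    """Flag address -> different address (same coin) changes inside the window.

    snapshots: list of (timestamp_seconds, clipboard_text), oldest first.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        coin = classify(before)
        if coin is None or classify(after) != coin:
            continue  # not an address, or a different kind of content
        if before.strip() != after.strip() and (t1 - t0) <= window:
            alerts.append({"time": t1, "coin": coin,
                           "copied": before.strip(), "now": after.strip()})
    return alerts


# Constructed sample data: placeholder strings that only match the shapes above.
USER_ETH = "0x" + "ab12" * 10
OTHER_ETH = "0x" + "cd34" * 10
USER_BTC = "1" + "A" * 30
SAMPLE = [
    (0.0, "meeting notes"),
    (10.0, USER_ETH),          # user copies a destination address
    (10.4, OTHER_ETH),         # replaced 0.4 s later: flagged
    (60.0, USER_BTC),          # user copies a Bitcoin address
    (300.0, "1" + "B" * 30),   # different address minutes later: normal copy
]
```

The timing window is a heuristic, so an alert is a prompt to re-check the address against its original source before sending, not proof of infection.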

While this is not an entirely new threat (clipboard hijacks have been present for a while), the current vaccines for malware such as this might not be up to date on new developments of this threat. Nonetheless, we recommend that users update all devices and software, especially antivirus software, to prevent attacks from happening.
