The average crypto user relies on their clipboard to move wallet addresses from one place to another. This dynamic makes crypto payments very straightforward and user-friendly, but also opens users up to potential threats. If an attacker cannot compromise wallets on either end, and fears that users will not pay ransom for their data, what can they do?
The easiest answer seems to be: Attack the operating system!
The Windows clipboard has been targeted by trojans in the past, such as CryptoShuffler. The end goal of Evrial and CryptoShuffler is the same: replace the wallet address on a user's clipboard with a new address that belongs to the attacker. Once the user hits paste, the substituted address lands in the "To" field, and the attacker receives easy money.
How does the hack work?
Perpetrators first have to deliver their trojan to the victim, which normally involves social engineering such as spear phishing or malicious email attachments that infect the user's machine. As the gig economy grows, social engineering attacks are likely to grow in frequency, because it involves so much document exchange between untrusted parties.
After the machine has been infected, the malware lies in wait for the user to open their wallet software and copy a wallet address. Once the address has been copied, the malware replaces the legitimate address on the clipboard with a spoofed one. The unfortunate reality is that many users cannot tell the addresses apart at a glance, and do not check that the pasted address matches the one they copied.
Bleeping Computer has reported that the trojan uses a web panel to verify the format of incoming clipboard contents, so that only strings that look like crypto wallet addresses are replaced; a user who pastes an everyday sentence would otherwise notice a wallet address appearing instead.
What can users do to avoid infection?
The transmission method of Evrial is currently unknown, so there is no concrete prevention advice at this time. Security professionals recommend that users refrain from downloading suspicious email attachments, visiting shady websites, and granting admin permissions to unknown software that requests them.
One extra precaution is to use the computer from a non-administrative (non-root) account. Bleeping Computer also notes that Evrial is being sold on the Dark Web for around $27, and that when it runs, Evrial copies itself into the startup directory so that it launches with the operating system.
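As an added example, not code from the article or from any wallet project, the following Python sketch illustrates the two points above from the defender's side: a Base58Check validator shows why a format check alone cannot catch a swap (the attacker's substitute address is itself well-formed), while a small "clipboard guard" that remembers the address the user deliberately copied does catch it. The addresses used are the well-known Bitcoin genesis address and a constructed stand-in for a substituted one; the guard is a hypothetical helper, and wiring it to a real clipboard is left out so the example runs offline.

```python
import hashlib

# Base58 alphabet used by Bitcoin addresses (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(addr: str) -> bool:
    """True if addr decodes as Base58Check with a correct 4-byte checksum."""
    n = 0
    for ch in addr:
        if ch not in ALPHABET:
            return False
        n = n * 58 + ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' in the address encodes a leading 0x00 byte.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + raw
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


class ClipboardGuard:
    """Hypothetical user-side guard (constructed for this example).

    Remembers the address the user intentionally copied and, at paste
    time, compares it with what the clipboard now holds. A hijacker
    that silently rewrites the clipboard between copy and paste shows
    up as a mismatch even though its address passes the format check.
    """

    def __init__(self) -> None:
        self.expected = None

    def on_copy(self, text: str) -> None:
        self.expected = text.strip()

    def check_paste(self, clipboard_now: str) -> str:
        """Return 'ok', 'swapped' (content changed since copy) or 'invalid'."""
        current = clipboard_now.strip()
        if self.expected is not None and current != self.expected:
            return "swapped"
        if not base58check_valid(current):
            return "invalid"
        return "ok"


def demo() -> list:
    """Walk through a legitimate paste and a hijacked one; returns verdicts."""
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # real, valid address
    attacker = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"  # constructed stand-in
    guard = ClipboardGuard()
    guard.on_copy(genesis)
    return [guard.check_paste(genesis), guard.check_paste(attacker)]
```

Note that `base58check_valid` accepts the substituted address too; only the copy-versus-paste comparison reveals the hijack.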