New malware ComboJack steals cryptocurrency by altering wallet addresses on users’ copy-paste clipboards.
Researchers from AdGuard warned us that cryptocurrency malware would be found in “the most unexpected places” in 2018, noting that businesses both legitimate and illegitimate were implementing scripts in websites, apps, games and extension that utilized users’ computing power for crypto mining—some surreptitiously and others in plain sight.
What is ComboJack?
ComboJack is a trojan similar to CryptoShuffler which monitors the clipboard (where data resides when a user cuts, copies, and pastes) for wallet addresses and replaces pasted text with the wallet address of the attacker. Found by Palo Alto Networks, the team discovered that ComboJack understands which form of currency a wallet address is using by the length of the text and the starting letter or number. ComboJack not only targets cryptocurrency wallets, but also Yandex and WebMoney in USD and rubles.
Some users have received the malware via malspam campaigns urging users to open a PDF in order to identify whether or not they know the owner of a supposed lost passport.
Luckily, the exploit being used by ComboJack has previously been patched by Microsoft, so users are able to protect themselves by updating their operating systems.
Other Known Cryptocurrency-Related Malware
EternalBlue was leaked by the hacking group called Shadow Brokers. EternalBlue was an exploit meant for use by the NSA that spiraled out of control once it saw the light of day. It was this exploit that formed the basis for WannaCry, a ransomware cryptoworm that attacked Microsoft computers worldwide, including major hospitals in England and Scotland.
This same leaked NSA exploit is used to gain access to computers to turn them into slaves for the Smominru / Ismo botnet, stealing computer resources for the purpose of mining Monero, a popular cryptocurrency.
CryptoShuffler is a similar malware which monitors a computer’s clipboard for wallet addresses in order to replace them with one belonging to the attacker. It targets bitcoin, ethereum, zcash, monero, dash, dogecoin, and more.
This is by no means an all-encompassing list of all cryptocurrency malware, but only a few notable examples from the last couple of years.