By the end of 2017, malware creators launched Cryptoshuffle, a piece of malware able to hijack the clipboard and modify the cryptocurrency address in it. Poisoning the clipboard was nothing new, but this was one of the first times attackers used it as a way to steal bitcoins by modifying the destination address of a transaction. A bit later, someone saw a business opportunity in it and started to sell the platform itself “as a service”, calling it “Evrial”. That was around the beginning of 2018, when Cryptoshuffle started to “disappear” and Evrial saw the light. It was a .NET malware able to steal passwords from browsers, FTP clients and Pidgin and, the best part, able to modify the clipboard on the fly and change any cryptocurrency address to whatever address the attacker wanted. So the malware checks the format of whatever is in the clipboard: if the victim copies, for example, a Bitcoin or Litecoin address, it is quickly replaced by another one, on the fly and dynamically (the new address is requested from a server).
Also, not that long ago, ElevenPaths analyzed the N4O botnet, which, among other very interesting techniques, used clipboard hijacking as a way to steal bitcoins, although it was focused on banking.
Since then, we have seen some more examples, like this sample that monitored 2.3 million addresses and replaced them if they were found in the clipboard. We know this makes no sense, since it could simply use a regular expression to cover them all, but that is how the malware works.
This other sample, called ClipboardWalletHijacker, did just that. Interestingly, it behaved differently depending on the day of the month: if the current date was earlier than the 8th of the month, it replaced the address with “19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL”; otherwise, it used “1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1” instead.
This is a very, very simple program, still in beta. Install it and it will check whether, once you have copied a cryptocurrency wallet address into your clipboard, it is modified before you yourself replace the clipboard contents. If so, a warning will pop up. If you changed it on purpose, you may add that address to a list that the program will remember, so it does not bother you anymore about that particular wallet.
This is pretty much it. Of course, we have implemented some security checks, so the malware (if it is aware of the tool) has to elevate privileges to kill the watcher.
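As an added example (not ElevenPaths' code, whose source is not shown in this post), this is the core detection rule such a watcher needs, in Python: an alert fires when one address in the clipboard is replaced by a different, non-allowlisted address of the same coin. The Bitcoin and Litecoin address regexes and the user's sample wallet are assumptions constructed for the example; the replacement address is the one quoted above from the ClipboardWalletHijacker sample.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Address formats the watcher recognises (regexes are an assumption of this
# example): Base58 / bech32 Bitcoin and Base58 / bech32 Litecoin.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "litecoin": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
}

# Constructed sample data: a fake wallet standing in for the user's own, and the
# replacement address the ClipboardWalletHijacker sample in the post used.
USER_WALLET = "1DefenderTestAddr" + "X" * 17
HIJACKER_WALLET = "19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL"


def classify(text: str) -> Optional[str]:
    """Return the coin whose address format `text` matches, else None."""
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return coin
    return None


@dataclass
class ClipboardWatcher:
    """Consumes successive clipboard snapshots and flags address swaps."""
    allowlist: set = field(default_factory=set)  # addresses the user vouched for
    last_address: Optional[str] = None           # last address seen, if any

    def observe(self, clipboard_text: str) -> Optional[dict]:
        """Return an alert when an address is replaced by a different,
        non-allowlisted address of the same coin before the user moved on:
        the signature of a hijacker rewriting the clipboard in flight."""
        new = clipboard_text.strip()
        coin = classify(new)
        alert = None
        if (coin and self.last_address and new != self.last_address
                and classify(self.last_address) == coin
                and new not in self.allowlist):
            alert = {"coin": coin, "copied": self.last_address, "found": new}
        # Non-address content resets the state: the user has moved on.
        self.last_address = new if coin else None
        return alert
```

On a desktop, a loop that reads the real clipboard every half second (for instance via tkinter's `clipboard_get`) and passes each reading to `observe()` turns this into the watcher described above.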
Here is a little video that explains how it works.
You can download it from here.
This is a preliminary beta version that we plan to improve. We will try to make it easier to use and even more secure with each version. So that you are up to date as soon as possible, the program will check for updates every time it is run. We have great plans for it!
Please send us improvement suggestions or bug reports, if you find any, to firstname.lastname@example.org.