CryptoClipWatcher, our new tool against crypto clipboard hijacking techniques

ElevenPaths    17 July, 2018
Since 2017, this technique is becoming quite popular. Cryptocurrency in general is a new target for malware, and mining Bitcoins is not profitable anymore in regular computers (maybe Monero is). But, targeting the clipboard to steal cryptocurrency is a new, easy and interesting way that malware creators are exploiting. We have created a simple tool that watches your clipboard to alert you if the destination cryptocurrency address changes.

CryptoClipWatcher tool cybersecurity

By the end of 2017, malware creators launched Cryptoshuffle. It was a malware able to hijack the clipboard and modify the cryptocoin address in it. Poisoning clipboard was nothing new, but this was one of the first times that attackers used it as a way to steel bitcoins, modifying the destination address of the transaction. A bit later, someone saw some business in it and started to sell the platform itself “as a service” calling it “Evrial“. That was around the beginning of 2018 when Cryptoshuffle started to “disappear” and Evrial saw light. It was a .NET malware able to steal passwords from browsers, FTP clients, Pidgin and, the best part, able to modify the clipboard on the fly and change any cryptocurrency address to whatever address the attacker wanted to. So, the malware is checking the format of whatever is in the clipboard. If the victims copies for example a Bitcoin or Litecoin address, it is quickly replaced by another, on the fly and dynamically (the new address is requested to a server).

In March, ESET discovered that there was some software hosted for years in that used this technique.

Aside, not that long ago, ElevenPaths analyzed N4O botnet, which, among other very interesting techniques, used clipboard hijacking as a way to steal bitcoins, although it was focused in banking.

Since then, we have seen some more examples, like this sample that monitored 2.3 million addresses and replaced them if they were in the clipboard. We know, this makes no sense since it could just use a regular expression and monitor them all but this is how the malware works.

This other sample, called ClipboardWalletHijacker, did that. But, interestingly, it distinguished between the day of the month. If the current date was earlier than 8th of the month, it replaced the address to “19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL”. Otherwise, used “1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1” instead.

This ctrl-c and ctrl-v way of hijacking has become popular even in “traditional” Trojan bankers. They inject javascript into the bank webpages implementing some quick keyboard shortcuts in the computer and modifying the legitimate webpage. This malware sets the clipboard of the victim with some malicious javascript, opens the developer console of the target web, and pastes there the javascript. It even works pasting javascript into the address bar.

Introducing CryptoClipWatcher

This a very very simple program, still in beta phase. Install it and it will check if, once you have copied a cryptocurrency wallet or address into your clipboard, it is modified before you replace it from your clipboard. If so, a warning will pop up. If you did it on purpose, you may add that address to a list that the program will remember, so it does not disturb you anymore with that particular wallet.
This is pretty much it. Of course, we have implemented some security checks so the malware (if it is aware of the tool) has to elevate privileges to kill the watcher).

Here is a little video that explains how it works.

You can download it from here.

This a preliminary beta version that we plan to improve. We will try to make it easier to use and even more secure with each version. For you to be up to date as soon as possible, the program will check for updates everytime is run. We have great plans for it!

Please send us improves or bugs if you find them to

Innovation and laboratory

Leave a Reply

Your email address will not be published. Required fields are marked *