
Crooks made more than $560K with a simple clipboard hijacker

Avast researchers analyzed the activity of a simple cryptocurrency malware dubbed HackBoss that allowed its operators to earn over $560K.

While the value of major cryptocurrencies continues to increase, cybercriminals and malware authors focus their efforts on cryptocurrency miners and malicious code that could empty the wallets of the victims.

The antivirus company Avast analyzed the case of a simple malware dubbed HackBoss and how it allowed its operators to earn more than $560K worth of cryptocurrency since November 2018.

The tools were published on a Telegram channel named Hack Boss that was created on November 26, 2018, and has over 2,500 subscribers. According to the experts, threat actors behind the channel publish an average of 7 posts per month to promote fake cracking or hacking applications, and each post was viewed on average 1,000 times.

The operators distributed the tainted hacking tools on the Telegram channel; once the wannabe hackers installed them, their Windows systems were infected.

“Authors of the HackBoss malware own a channel called Hack Boss (hence the name of the malware family itself) which is promoted as a channel to provide “The best software for hackers (hack bank / dating / bitcoin)”. The software that is supposed to be published on this channel varies from bank and social site crackers to various cryptocurrency wallet and private key crackers or gift card code generators.” reads the post published by AVAST. “However, although each promoted application is promised to be some hacking or cracking application, it never is. The truth is quite different — each published post contains only a cryptocurrency-stealing malware concealed as a hacking or cracking application. What is more, no application posted on this channel delivers promised behavior: all of them are fake.”

The tainted hacking tools installed a clipboard hijacker on the victims’ systems that works by replacing cryptocurrency addresses copied to the clipboard with attacker-controlled ones, hijacking legitimate transactions. Most of the victims of the Hack Boss malware were located in Nigeria, the US, Russia, and India, countries that host large hacking communities and many wannabe cybercriminals.

“The functionality of the malicious payload is fairly simple. It regularly checks the clipboard content for a format of a cryptocurrency wallet and, if a wallet address is present there, it replaces it with one of its own wallets.” continues the analysis. “The malicious payload keeps running on the victim’s computer even after the application’s UI is closed. If the malicious process is terminated — for example via the Task manager — it can then get triggered again on startup or by the scheduled task in the next minute.”
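The swap behaviour described above can be spotted from the defender's side by watching the clipboard for a wallet address that is replaced by a different address of the same coin within a second or two. The following Python is an added example, not Avast's code or HackBoss itself; the address patterns, the two-second window and the poll sequence are constructed for illustration.

```python
import re
from typing import List, Optional, Sequence, Tuple

# Loose format checks for the address families the article lists; constructed for this example, not full checksum validators.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(ltc1[ac-hj-np-z02-9]{25,87}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}$"),
    "XMR": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}

def classify_address(text: str) -> Optional[str]:
    """Return the coin whose address format `text` matches, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None

Snapshot = Tuple[float, str]  # (seconds since monitoring started, clipboard text)

def detect_swaps(snapshots: Sequence[Snapshot], window: float = 2.0) -> List[dict]:
    """Heuristic: an address replaced by a different address of the same coin within
    `window` seconds, with nothing else copied in between, matches the hijacker pattern."""
    alerts: List[dict] = []
    prev_t, prev_text = 0.0, None
    for t, text in snapshots:
        if text == prev_text:
            continue  # clipboard unchanged since the last poll
        if prev_text is not None:
            old, new = classify_address(prev_text), classify_address(text)
            if old is not None and old == new and t - prev_t <= window:
                alerts.append({"coin": old, "at": t, "original": prev_text.strip(),
                               "replacement": text.strip()})
        prev_t, prev_text = t, text
    return alerts

# Constructed addresses and poll sequence: a copied BTC address is silently
# swapped one second later; a later ETH address stays stable (no false alert).
ORIGINAL_BTC, SWAPPED_BTC = "1TestAddr" + "A" * 26, "1TestAddr" + "B" * 26
ORIGINAL_ETH = "0x" + "a" * 40
SAMPLE_POLLS: List[Snapshot] = [
    (0.0, ORIGINAL_BTC), (1.0, SWAPPED_BTC), (2.0, SWAPPED_BTC),
    (10.0, "meeting notes"), (20.0, ORIGINAL_ETH), (21.0, ORIGINAL_ETH),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_POLLS):
        print(f"[{alert['coin']}] at t={alert['at']}s: {alert['original']} -> {alert['replacement']}")
```

On a live host the snapshot list would be fed by a clipboard poller (for example `pyperclip.paste()` called once per second), which is left out here so the logic runs offline.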

The analysis of the malware revealed that it included a list of more than 100 cryptocurrency addresses (from Bitcoin, Ethereum, Dogecoin, Litecoin, and Monero) under the control of the attackers.

The attackers also ran a blog (cranhan.blogspot[.]com) where they published posts promoting their tainted applications, as well as YouTube channels hosting promo videos. Experts pointed out that the gang also advertised the tools in posts on public forums and discussion boards.

Experts pointed out that the malware also hijacks Monero addresses, which suggests that the threat actors may have earned much more than $560,000.

If you want to know more about HackBoss give a look at the AVAST report that also includes indicators of compromise (IOCs).


Pierluigi Paganini

(SecurityAffairs – hacking, cryptocurrency)
