ClipboardWalletHijacker miner hijacks your Ether and Bitcoin transaction, over 300,000 computers have been infected

Pierluigi Paganini June 17, 2018

Researchers uncovered a new malware campaign spreading a clipboard hijacker dubbed ClipboardWalletHijacker that has already infected over 300,000 computers.

Security researchers from Qihoo 360 Total Security have spotted a new malware campaign spreading a clipboard hijacker, tracked as ClipboardWalletHijacker, that has already infected over 300,000 computers. Most of the victims are located in Asia, mainly China.

“Recently, 360 Security Center discovered a new type of actively spreading CryptoMiner, ClipboardWalletHijacker. The Trojan monitors clipboard activity to detect if it contains the account address of Bitcoin and Ethereum.” reads the analysis published by the company.

“It tampers with the receiving address to its own address to redirect the cryptocurrency to its own wallet. This kind of Trojans has been detected on more than 300 thousand computers within a week.”

Modus operandi for ClipboardWalletHijacker is not a novelty, the malware is able to monitor the Windows clipboard looking for Bitcoin and Ethereum addresses and replace them with the address managed by the malware’s authors.

In March 2018, researchers at Palo Alto Networks discovered a malware dubbed ComboJack that is able of detecting when users copy a cryptocurrency address and alter clipboards to steal cryptocurrencies and payments.

In a similar way, ClipboardWalletHijacker aims at hijacking BTC and ETH transactions.

Experts observed the malware using the following addresses when replacing legitimate ones detected in users’ clipboards:

  • BTC: 1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1
  • BTC: 19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL
  • ETH: 0x004D3416DA40338fAf9E772388A93fAF5059bFd5
below the function the replace the legitimate Ethereum wallet address with the attackers’ one:
ClipboardWalletHijacker

By replacing the address with the following one: “0x004D3416DA40338fAf9E772388A93fAF5059bFd5” the hackers have successfully hijacked 46 transactions.

Below the balances of these addresses:

Hackers have stolen a total 0.12434321 BTC from eight transactions and no Ether, for a total of around $800.

Recently Qihoo discovered many other miners, such as TaksHostMiner and WagonlitSwfMiner that infected dozens of thousands of machines.

“Recently, we have found that a lot of CryptoMiner Trojans are using this technique to steal victims’ cryptocurrencies.” concludes the company. “We strongly recommend users to enable antivirus software while installing new applications. Users are also recommended to run virus scan with 360 Total Security to avoid falling victim to CryptoMiner.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – ClipboardWalletHijacker, cryptocurrency)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment