ComboJack malware

Security researchers have discovered a new malware strain that is capable of detecting when users copy a cryptocurrency address to the Windows clipboard. The malware works by replacing this address with one owned by its author.

Named ComboJack, this malware is similar to Evrial and CryptoShuffler. The difference between ComboJack and the two is that ComboJack supports multiple cryptocurrencies, not just Bitcoin.

ComboJack targets multiple cryptocurrencies

According to Palo Alto Networks, ComboJack can detect whenever the user has copied a cryptocurrency address for Bitcoin, Litecoin, Ethereum, and Monero, but also for other digital payment systems such as Qiwi, Yandex Money, and WebMoney (USD and ruble payments).

ComboJack is under active distribution, Palo Alto said today. The company says it detected this malware as the final payload of a malspam campaign targeting Japanese and American users.

ComboJack uses a multi-step infection chain

The exploitation chain is quite complex, but follows the patterns seen last year with Dridex (banking trojan) and Locky (ransomware) campaigns.

Crooks send victims an email claiming to contain a scan of a lost passport. The file attachment with this email is in PDF format.

If the user downloads and opens this PDF, the file opens an RTF file that contains an embedded HTA object that tries to exploit the CVE-2017-8579 DirectX vulnerability.

On successful exploitation, the HTA file contained within the RTF file contained within the PDF runs a series of PowerShell commands that download and execute a self-extracting executable (SFX).

But the infection chain is not done. This SFX file downloads and runs a password-protected SFX that then installs ComboJack.

ComboJack than gains boot persistence and starts scanning the Windows clipboard every half-a-second for new content. Once the user copies a string that matches a known pattern for a cryptocurrency (or payment system) address, ComboJack replaces that address with one from an internal list.

Users are advised to double-check that the cryptocurrency payment addresses they copy-pasted are identical in the source and destination locations. The Palo Alto report includes IOCs. Below is a table with the addresses used by ComboJack crew.

Checks for this criteria Replaces with Wallet Type
Length of 42 and starts with a ‘0’ 0xE44598AB74425450692F7b3a9f898119968da8Ad Ethereum
Length of 106 and starts with ‘4’ 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBE Monero, although the length of the replacement string isn’t long enough. Perhaps it was an error by the bad guy. Monero addresses need to be either 95 or 106 characters
Length of 34 and starts with ‘1’ 1LGskAycxvcgh6iAoigcvbwTtFjSfdod2x Bitcoin
Length of 34 and starts with ‘L’ LYB56d6TeMg6VmahcgfTZSALAQRcNRQUV Litecoin
Length of 11 and starts with ‘8’ 79965017478 Qiwi
Length of 13 and starts with ‘R’ R064565691369 WebMoney (Rubles)
Length of 13 and starts with ‘Z’ Z152913748562 WebMoney (USD)
Length of 13 and starts with ‘E’ 88888888888888888888888888888888888888888888888888 Unknown
Length of 15 and starts with ‘4100’ 410014474125403 Yandex Money

Related Articles:

Cybercriminals Go Phishing For Jaxx Wallet Users

Coinhive Raking In Over $250,000 per Month From In-Browser Cryptomining

Built-in Ethereum Payments Coming to Opera Browser for PC

KickICO Platform Loses $7.7 Million in Recent Hack

Google Removes Real Ethereum Wallet From Web Store but Leaves Fake One Alone