Security researchers have discovered a new malware strain that is capable of detecting when users copy a cryptocurrency address to the Windows clipboard. The malware works by replacing this address with one owned by its author.
According to Palo Alto Networks, ComboJack can detect whenever the user has copied a cryptocurrency address for Bitcoin, Litecoin, Ethereum, and Monero, but also for other digital payment systems such as Qiwi, Yandex Money, and WebMoney (USD and ruble payments).
ComboJack is under active distribution, Palo Alto said today. The company says it detected this malware as the final payload of a malspam campaign targeting Japanese and American users.
The exploitation chain is quite complex, but follows the patterns seen last year with Dridex (banking trojan) and Locky (ransomware) campaigns.
Crooks send victims an email claiming to contain a scan of a lost passport. The file attachment with this email is in PDF format.
If the user downloads and opens this PDF, the file opens an RTF file that contains an embedded HTA object that tries to exploit the CVE-2017-8579 DirectX vulnerability.
On successful exploitation, the HTA file contained within the RTF file contained within the PDF runs a series of PowerShell commands that download and execute a self-extracting executable (SFX).
But the infection chain is not done. This SFX file downloads and runs a password-protected SFX that then installs ComboJack.
ComboJack then gains boot persistence and starts scanning the Windows clipboard every half a second for new content. Once the user copies a string that matches a known pattern for a cryptocurrency (or payment system) address, ComboJack replaces that address with one from an internal list.
Users are advised to double-check that the cryptocurrency payment addresses they copy-pasted are identical in the source and destination locations. The Palo Alto report includes IOCs. Below is a table with the addresses used by the ComboJack crew.
| Checks for this criteria | Replaces with | Wallet Type |
|---|---|---|
| Length of 42 and starts with a ‘0’ | 0xE44598AB74425450692F7b3a9f898119968da8Ad | Ethereum |
| Length of 106 and starts with ‘4’ | 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBE | Monero, although the length of the replacement string isn’t long enough. Perhaps it was an error by the bad guy. Monero addresses need to be either 95 or 106 characters. |
| Length of 34 and starts with ‘1’ | 1LGskAycxvcgh6iAoigcvbwTtFjSfdod2x | Bitcoin |
| Length of 34 and starts with ‘L’ | LYB56d6TeMg6VmahcgfTZSALAQRcNRQUV | Litecoin |
| Length of 11 and starts with ‘8’ | 79965017478 | Qiwi |
| Length of 13 and starts with ‘R’ | R064565691369 | WebMoney (Rubles) |
| Length of 13 and starts with ‘Z’ | Z152913748562 | WebMoney (USD) |
| Length of 13 and starts with ‘E’ | 88888888888888888888888888888888888888888888888888 | Unknown |
| Length of 15 and starts with ‘4100’ | 410014474125403 | Yandex Money |
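The following Python is an added example, not code from the Palo Alto report or from this article. It encodes the criteria table above so that an analyst can check, from the defender's side, which wallet type a copied string would be matched as, whether a pasted address still equals what was copied, and whether a text blob (a ticket, a mailbox export, a transaction log) contains any of the published replacement addresses. The function names and the sample addresses marked as constructed are assumptions of this example.

```python
"""Defender-side checks for ComboJack-style clipboard address swapping.

The rules below reproduce the article's table verbatim: the length and
leading characters ComboJack matches on, the wallet type, and the
replacement address it pastes in. Everything else is illustrative.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (length checked, required prefix, wallet type, published replacement address)
COMBOJACK_RULES: List[Tuple[int, str, str, str]] = [
    (42, "0", "Ethereum", "0xE44598AB74425450692F7b3a9f898119968da8Ad"),
    (106, "4", "Monero", "4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBE"),
    (34, "1", "Bitcoin", "1LGskAycxvcgh6iAoigcvbwTtFjSfdod2x"),
    (34, "L", "Litecoin", "LYB56d6TeMg6VmahcgfTZSALAQRcNRQUV"),
    (11, "8", "Qiwi", "79965017478"),
    (13, "R", "WebMoney (Rubles)", "R064565691369"),
    (13, "Z", "WebMoney (USD)", "Z152913748562"),
    (13, "E", "Unknown", "88888888888888888888888888888888888888888888888888"),
    (15, "4100", "Yandex Money", "410014474125403"),
]

# The IoC set: every address the malware is known to substitute in.
KNOWN_REPLACEMENTS = {rule[3] for rule in COMBOJACK_RULES}


def matched_wallet_type(text: str) -> Optional[str]:
    """Return the wallet type the table's criteria assign to a string, or None."""
    s = text.strip()
    for length, prefix, wallet, _ in COMBOJACK_RULES:
        if len(s) == length and s.startswith(prefix):
            return wallet
    return None


def is_known_replacement(text: str) -> bool:
    """True if the string is one of the published ComboJack replacement addresses."""
    return text.strip() in KNOWN_REPLACEMENTS


@dataclass
class PasteCheck:
    ok: bool
    reason: str
    copied_type: Optional[str]
    pasted_type: Optional[str]


def verify_paste(copied: str, pasted: str) -> PasteCheck:
    """Compare the address the user copied with what landed in the destination field.

    This is the manual "double-check source and destination" advice turned into
    a function: a mismatch is flagged, and a mismatch that lands on a published
    replacement address is called out explicitly.
    """
    copied, pasted = copied.strip(), pasted.strip()
    ct, pt = matched_wallet_type(copied), matched_wallet_type(pasted)
    if copied == pasted:
        return PasteCheck(True, "pasted address equals copied address", ct, pt)
    if is_known_replacement(pasted):
        return PasteCheck(False, "pasted address is a published ComboJack replacement", ct, pt)
    return PasteCheck(False, "pasted address differs from copied address", ct, pt)


def find_iocs(text: str) -> List[Tuple[str, str]]:
    """Scan free text for any published replacement address; return (wallet, address) hits."""
    hits = []
    for token in re.findall(r"[0-9A-Za-z]+", text):
        for _, _, wallet, replacement in COMBOJACK_RULES:
            if token == replacement:
                hits.append((wallet, token))
    return hits


if __name__ == "__main__":
    # Constructed sample: a 34-character string shaped like a Bitcoin address.
    copied = "1" + "A" * 33
    print(verify_paste(copied, copied))
    print(verify_paste(copied, "1LGskAycxvcgh6iAoigcvbwTtFjSfdod2x"))
    # Constructed sample log line containing one of the published addresses.
    print(find_iocs("payment sent to 0xE44598AB74425450692F7b3a9f898119968da8Ad at 10:42"))
```

The matcher deliberately mirrors the table as printed, including its oddities (the Qiwi rule checks for a leading ‘8’ while the replacement starts with ‘7’), because the point of the check is to know what the malware would match, not to validate addresses cryptographically.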