
All About ‘Bitcoin Investment’ Phishing Campaign


A new malspam campaign themed as a ‘Bitcoin Investment Update’ delivers clipboard-hijacking malware that swaps Bitcoin addresses as victims paste them. Read on for the details.

A new malspam campaign disguised as a ‘Bitcoin Investment Update’ delivers clipboard hijacker malware that steals bitcoins by swapping payment addresses. Researchers from My Online Security detailed the steps taken in this new phishing campaign.

Working Mechanism
The ‘Task.exe’ clipboard hijacker monitors the Windows clipboard for Bitcoin addresses and, whenever it finds one, silently replaces it with an address owned by the attacker.

The malspam carries an archive attachment that, when its contents are executed, installs a Windows clipboard hijacker that attempts to steal bitcoins from its victims. The archive contains a JSE file (a script run by Windows Script Host) with a Base64-encoded executable embedded in it as a string. When the JSE file is executed, it decodes the Base64 blob, saves it to %Temp%\rewjavaef.exe, and then runs it.

Once the decoded executable runs, a file named Task.exe is written to the %AppData%\svchost.exe\ folder (a folder name chosen to resemble the legitimate Windows svchost.exe). To make sure Task.exe starts every time the victim logs into Windows, a launcher script named svchost.exe.vbs is placed in the user’s Startup folder. Task.exe is the clipboard hijacker itself, based on the open source BitPing program created by a security researcher. A cryptocurrency clipboard hijacker is malware that monitors the Windows clipboard for data of a particular shape, here a Bitcoin address, and when it finds a match, replaces it with data chosen by the attacker.

Working Sequence
The infection chain, as documented by My Online Security, runs as follows:

• The phishing emails carry a malicious JSE attachment, a Windows Script Host script that contains a Base64-encoded executable.
• When the recipient opens the attachment, the JSE file is executed by Windows Script Host.
• The JSE file decodes the Base64-encoded executable, saves it to %Temp%\rewjavaef.exe, and launches it.
• When rewjavaef.exe runs, it drops ‘Task.exe’ into the %AppData%\svchost.exe\ folder and executes it.
• ‘Task.exe’ is the actual payload: the clipboard hijacker, based on the open source BitPing program.
• A startup file named ‘svchost.exe.vbs’ is created in the user’s Startup folder so the malware starts every time the victim logs into Windows.
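The first stage of the chain above is a plain JScript file carrying a Base64 string, so a triage script can pull the embedded executable out without ever running the attachment. The following example is added here for illustration; it is not code from the article or from My Online Security. It scans a script body for long Base64 runs, decodes them, checks for a DOS ‘MZ’ stub and a ‘PE\0\0’ signature at e_lfanew, and reports the size, SHA-256 and the scripted drop path. The JSE text and the ‘executable’ it embeds are constructed stand-ins (a bare PE header with zero padding), not the campaign’s real dropper or payload.

```python
import base64
import hashlib
import re
import struct

# A run of Base64 text long enough to plausibly carry an executable. Shorter runs
# are almost always ordinary string literals or identifiers in the script.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# Drop path as it appears in script source, e.g. %Temp%\\rewjavaef.exe
_DROP_PATH = re.compile(rb"%temp%\\+[\w.-]+\.exe", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_base64_blobs(script: bytes):
    """Decode every long Base64 run in the script body, longest first."""
    blobs = []
    for match in _B64_RUN.finditer(script):
        raw = match.group(0)
        raw += b"=" * (-len(raw) % 4)          # tolerate stripped padding
        try:
            blobs.append(base64.b64decode(raw, validate=True))
        except ValueError:                     # binascii.Error is a ValueError
            continue
    return sorted(blobs, key=len, reverse=True)


def looks_like_pe(blob: bytes) -> bool:
    """True if the blob has a DOS 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_jse(script: bytes):
    """Return size, SHA-256 and the scripted drop path for the first embedded PE,
    or None when the script carries no executable."""
    for blob in find_base64_blobs(script):
        if looks_like_pe(blob):
            drop_path = None
            path_match = _DROP_PATH.search(script)
            if path_match:
                # JScript doubles backslashes inside string literals; collapse them.
                drop_path = re.sub(r"\\+", r"\\", path_match.group(0).decode())
            return {"size": len(blob), "sha256": sha256_hex(blob), "drop_path": drop_path}
    return None


# Constructed stand-in for an embedded executable: a 64-byte DOS header whose
# e_lfanew points at a 'PE\0\0' signature, followed by zero padding. It is not
# a real program and is not the campaign's payload.
FAKE_PE = (
    b"MZ" + b"\x00" * 58             # DOS header up to e_lfanew at offset 0x3C
    + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    + b"PE\x00\x00" + b"\x00" * 64   # NT signature plus padding
)

# Constructed stand-in for the JSE dropper: only the data-carrying lines are
# reproduced; the real script also decodes and launches the blob.
SAMPLE_JSE = (
    b'var shell = new ActiveXObject("WScript.Shell");\n'
    b'var payload = "' + base64.b64encode(FAKE_PE) + b'";\n'
    b'var dropPath = shell.ExpandEnvironmentStrings("%Temp%\\\\rewjavaef.exe");\n'
)


if __name__ == "__main__":
    print(triage_jse(SAMPLE_JSE))
```

Run it against a real attachment with `triage_jse(open("attachment.jse", "rb").read())` inside an isolated analysis VM; the SHA-256 it reports is what you would submit to a sandbox or search in threat-intel feeds, and the drop path is the first artifact to hunt for on endpoints.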

Technicalities
The ‘Task.exe’ clipboard hijacker monitors the Windows clipboard for Bitcoin addresses and, whenever it detects one, swaps it for a Bitcoin address owned by the attacker (3MSghqkGW8QhHs6HD3UxNVp9SRpGvPkk5W). Because Bitcoin transactions are irreversible, a payment sent to the swapped address cannot be recalled.

• Since Bitcoin addresses are long and impractical to type, users normally copy and paste them.
• The malware watches for a copied Bitcoin address in the clipboard and replaces it with the attacker’s address.
• When the user pastes the address into a wallet and sends the payment, the bitcoins go to the attacker instead of the intended recipient.

The researchers said that “As cryptocurrency addresses are typically long and hard to remember, attackers understand that when sending bitcoins, most people will copy an address from another page, site, or program. This malware will detect the copied address in the clipboard and replace it with their own in the hopes the victim won’t notice the swap.”
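The swap described above rests on two small pieces of logic: recognising a Bitcoin address in arbitrary clipboard text, and replacing it. The same recognition logic is what a defensive clipboard guard needs in order to catch the swap. The example below is added here as an illustration and is not code from the article, from BitPing, or from the campaign. It contains a syntactic address matcher for legacy Base58Check (‘1…’/‘3…’) and bech32 (‘bc1…’) forms, a Base58Check checksum verifier, a string-level simulation of the hijacker’s replace rule, and a `detect_swap` check that compares what was copied with what the clipboard now holds. The clipboard is modelled as a string; a real guard would read it through the Windows clipboard API. The intended payee is the well-known genesis block address, used only as a constructed stand-in for a legitimate recipient; the replacement is the attacker address the article reports.

```python
import hashlib
import re

# Syntactic matcher for the two common Bitcoin address forms:
#   legacy Base58Check (P2PKH '1...' / P2SH '3...'), 26-35 characters, and
#   bech32 / bech32m ('bc1...'). This finds candidates; it does not prove validity.
_BTC_ADDRESS = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"
)

_B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def find_bitcoin_addresses(text: str):
    """Return every substring that looks like a Bitcoin address, in order."""
    return _BTC_ADDRESS.findall(text)


def base58check_ok(addr: str) -> bool:
    """Verify the 4-byte double-SHA-256 checksum of a legacy (Base58Check) address."""
    n = 0
    for ch in addr:
        idx = _B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    leading_zeros = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a 0x00 byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * leading_zeros + body
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def detect_swap(copied_text: str, clipboard_now: str):
    """Compare the addresses the user placed on the clipboard with what it holds
    now; return (expected, actual) pairs for any address that changed."""
    before = find_bitcoin_addresses(copied_text)
    after = find_bitcoin_addresses(clipboard_now)
    return [(a, b) for a, b in zip(before, after) if a != b]


# Constructed scenario (not captured data). INTENDED_PAYEE is the genesis block
# address standing in for a legitimate recipient; ATTACKER_ADDRESS is the one the
# article reports as hard-coded in Task.exe.
INTENDED_PAYEE = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
ATTACKER_ADDRESS = "3MSghqkGW8QhHs6HD3UxNVp9SRpGvPkk5W"


def simulate_hijack(clipboard_text: str) -> str:
    """Model the swap rule the article describes: every detected address in the
    clipboard text is replaced with the attacker's. Pure string operation."""
    return _BTC_ADDRESS.sub(ATTACKER_ADDRESS, clipboard_text)


if __name__ == "__main__":
    copied = f"Pay {INTENDED_PAYEE} by Friday"
    pasted = simulate_hijack(copied)
    print("clipboard after hijack:", pasted)
    print("swaps detected:", detect_swap(copied, pasted))
    print("intended payee checksum ok:", base58check_ok(INTENDED_PAYEE))
```

`detect_swap` is the check a wallet or a clipboard-monitoring agent should perform immediately before a transaction is signed: if the address about to be sent differs from the one the user copied, block the send and alert. The checksum verifier is deliberately separate, because a hijacker's replacement address is itself a well-formed address; a checksum only catches corruption, not substitution.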

Threat Mitigation
Researchers recommend never opening emails or attachments from unknown senders, and never running attachment types that execute code directly, such as JSE, JS, VBS, CMD, PS1, EXE and BAT files. Because this dropper depends on Windows Script Host to run the .jse attachment, administrators can block it outright on endpoints that have no business running scripts: set the registry value Enabled to 0 under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings, or change the default handler for .js, .jse and .vbs from wscript.exe to a text editor so a double-click opens the file instead of executing it. Users who send cryptocurrency should also compare the pasted address character by character against the source before confirming a transaction, since the swap only succeeds when nobody looks.
