A new malspam ‘Bitcoin Investment’ phishing campaign is reported to have delivered clipboard hijacker malware.
A new malspam campaign disguised as ‘Bitcoin Investment Update’ delivers a clipboard hijacker malware in order to steal Bitcoins from victims. Researchers from My Online Security detailed the steps taken in this new phishing campaign that delivers clipboard hijackers.
The ‘Task.exe’ clipboard hijacker monitors the Windows Clipboard for bitcoin addresses and, if one is detected, swaps it for a bitcoin address owned by the attacker.
Once the attachment is executed, a file called Task.exe is saved to the %AppData%\svchost.exe\ folder. To make sure that Task.exe starts every time the victim logs into Windows, a startup file called svchost.exe.vbs is created in the user’s Startup folder. The Task.exe program is a clipboard hijacker based on the open source BitPing program created by a security researcher. A cryptocurrency clipboard hijacker is malware that monitors the Windows Clipboard for certain data and, when it is detected, swaps it for different data chosen by the attacker.
According to the My Online Security write-up, the infection chain proceeds as follows:
• Once a recipient opens the attachment, the JSE file is executed.
• The JSE file decodes the Base64-encoded executable and saves it to %Temp%\rewjavaef.exe.
• Once that decoded executable runs, it saves ‘Task.exe’ to the %AppData%\svchost.exe\ folder and executes it.
• ‘Task.exe’ is the actual payload: the clipboard hijacker malware based on the open source BitPing program.
• A startup file named ‘svchost.exe.vbs’ is created in the user’s Startup folder so that the malware starts every time the victim logs into Windows.
The ‘Task.exe’ clipboard hijacker monitors the Windows Clipboard for bitcoin addresses and, if one is detected, swaps it for the bitcoin address (3MSghqkGW8QhHs6HD3UxNVp9SRpGvPkk5W) owned by the attacker.
• Since bitcoin addresses are long and difficult to remember, users usually copy and paste them.
• The malware detects the copied bitcoin address in the clipboard and replaces it with the address owned by the attacker.
• As a result, when the user sends bitcoins to what they believe is the intended address, the funds go to the attacker’s address instead.
The researchers said: “As cryptocurrency addresses are typically long and hard to remember, attackers understand that when sending bitcoins, most people will copy an address from another page, site, or program. This malware will detect the copied address in the clipboard and replace it with their own in the hopes the victim won’t notice the swap.”
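As an added illustration from the defender’s side (not code from the report or from the researchers), the following Python sketch takes a log of periodic clipboard samples and flags a Bitcoin-address-shaped value being replaced by a different one faster than a person would re-copy, which is exactly the swap described above; the timing threshold, the sample log and the user’s address are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Address shapes a hijacker such as Task.exe watches for: Base58 (1.../3...) and bech32 (bc1...).
BTC_ADDRESS_RE = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$")


def is_btc_address(text: str) -> bool:
    """True if the clipboard text looks like a single Bitcoin address (shape only, no checksum)."""
    return bool(BTC_ADDRESS_RE.match(text.strip()))


@dataclass
class Swap:
    at: float           # timestamp of the poll that first showed the replacement
    copied: str         # address the user actually copied
    replaced_with: str  # address that silently took its place


def detect_swaps(samples: List[Tuple[float, str]], max_gap: float = 2.0) -> List[Swap]:
    """Flag an address being replaced by a different address faster than a person would re-copy.

    samples: (timestamp_seconds, clipboard_text) pairs from periodically polling the clipboard.
    Assumption (a heuristic, not from the report): a hijacker overwrites the clipboard within its
    own polling interval, so a different address appearing within max_gap seconds of the user's
    copy is treated as a swap, while slower changes are treated as ordinary user actions.
    """
    swaps: List[Swap] = []
    current, since = None, 0.0  # value currently on the clipboard and when it first appeared
    for t, text in samples:
        if current is None:
            current, since = text, t
        elif text != current:
            if is_btc_address(current) and is_btc_address(text) and t - since <= max_gap:
                swaps.append(Swap(at=t, copied=current, replaced_with=text))
            current, since = text, t
    return swaps


# Constructed clipboard poll log (0.5 s interval): the user copies an address, and on the very
# next poll it has been replaced by the attacker address quoted in the report.
USER_ADDRESS = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"      # sample value, not from the report
ATTACKER_ADDRESS = "3MSghqkGW8QhHs6HD3UxNVp9SRpGvPkk5W"  # address named in the report
SAMPLE_LOG = [
    (0.0, "meeting notes"),
    (0.5, USER_ADDRESS),
    (1.0, ATTACKER_ADDRESS),
    (1.5, ATTACKER_ADDRESS),
    (45.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # a later copy by the user: not a swap
]
```

On a real Windows host the samples would come from a loop that reads the clipboard every half second (for example with pywin32’s win32clipboard) and alerts the user on every Swap returned.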
Researchers recommend that users never open an email or attachment that comes from an unknown sender. Security researchers also advise against running attachments such as JSE, JS, VBS, CMD, PS1, EXE, and BAT files, which can execute commands on the computer.