ComboJack malware steals digital payments, cryptocurrency, by modifying info saved to clipboards
ComboJack malware steals digital payments, cryptocurrency, by modifying info saved to clipboards

Researchers have discovered a new malware that steals cryptocurrency and other electronic funds by surreptitiously modifying wallet or payment information whenever victims copy it to their devices' clipboards.

Instead of pasting the same information that they just copied, victims instead unknowingly paste malicious wallet or payment information that was hard-coded into the malware; consequently, they end up sending funds to the cybercriminal instead of the intended party, explains a Mar. 5 blog post from Palo Alto Networks' Unit 42 threat team, whose researchers uncovered the threat late last month in tandem with fellow cybersecurity firm Proofpoint.

The concept behind the malware, dubbed ComboJack, is that "wallet addresses are typically long and complex, and to prevent errors, most users will opt to copy an exact string in order to prevent potential errors," state blog post co-authors and researchers Brandon Levene and Josh Grunzweig. Cybercriminals are therefore counting on infected users being inattentive when they paste the modified destination information.

According to Palo Alto, ComboJack targets four cryptocurrencies: Bitcoin, Ethereum, Litecoin and Monero. In that sense, it is very reminiscent of CryptoShuffler, another thieving malware that modifies cryptocurrency wallet information, discovered in 2017 by Kaspersky Lab. However, unlike CryptoShuffler, ComboJack also goes after digital payment systems too -- specifically, Qiwi, WebMoney (transactions in USD or rubles) and Yandex Money.

"By targeting multiple cryptocurrencies and web based wallets, the author of ComboJack appears to be hedging his or her bets on which currency will boom and which will bust," the blog post explains.

While the malware's tactic is clever, its early results don't appear impressive. While it is not possible to track the activity of all of the malicious wallets -- Monero's emphasis on privacy doesn't allow it, for instance -- the ones Palo Alto can observe have no funds in them, as of the writing of this article. "It was a pretty low-volume attack and requires quite a bit of luck on the attacker's side to properly execute, so that's likely why it has more or less been unsuccessful," Grunzweig told SC Media in an email interview.

Palo Alto and Proofpoint found the malware on Feb. 25 while examining an email-based malspam campaign targeting American and Japanese users. The email purports to come from an individual named Kim Moon, who claims that someone has lost a passport. The spam attempts to trick recipients into opening an attachment of what appears to be a PDF image of the recovered travel document.

Opening this PDF file reveals a single line of text that includes an embedded RTF file, that exploits CVE-2017-8579, an elevation of privilege vulnerability in Microsoft DirectX, to load an embedded remote object. This object, an HTA (HTML Application) file, runs a PowerShell script that commences a string of self-extracting executables (SFX) that ultimately yields the final payload of ComboJack.

ComboJack then uses the Windows tool attrib.exe to set its own attributes, allowing the malware to hides its file from the user and execute with SYSTEM level privileges, Unit 42 reports. After establishing persistence, ComboJack next begins checking the contents of the victim device's clipboard for wallet for payment information every half-second.

"Each type of wallet address follows its own, different naming convention," said Grunzweig to SC Media. "For example, a Monero wallet uses a length of 95 or 106 and starts with ‘4'. The malware is hardcoded to look for different wallet types based on its convention and if it finds it, replaces it with its own wallet information."

As Palo Alto Intelligence Director Ryan Olsen noted in a separate company blog post on Tuesday, there has been a marked increase in cybercriminal cryptomining activity over the last six months. But crypto wallet stealers have also emerged as another option for adversaries to capitalize on the cryptocurrency craze.

Of the two, cryptomining malware is generally more attractive to cybercriminals, said Grunzweig, in that it is a "more efficient monetization of attacks. On the other hand, the wallet-stealing malware, while "more hit and miss," is also more "likely to net a bigger payoff when it does hit," he added.

Patrick Wheeler, director of threat intelligence at Proofpoint, shared a similar point of view: "There are different approaches to using infected clients to steal cryptocurrencies: from a wait-and-see approach (clipboard replacing like ComboJack) to actively rifling through the filesystem (as with an information stealer) to active CPU usage using a coin mining bot," he said, in an email interview with SC Media.

"Stealing wallets can gain a lot of money from a victim, but only if they're holding cryptocurrency, so you have a small chance of success, but a potentially large payout when you do succeed. Cryptocurrency coin mining is the inverse: every single infected computer can be used to mine cryptocurrency, so it has guaranteed success but a low payout. Cybercriminals follow the money, and in this case they have a choice between a very low probability of a small return, or a very high probability of a small return."