Malware that spoofs addresses in the clipboard detected on 300,000 computers

Jollier



Researchers have discovered a new malware campaign that spreads ClipboardWalletHijacker, which intercepts information in the clipboard. At the moment, this malware has already infected more than 300,000 computers.

The campaign was discovered by Qihoo 360 experts; most of the victims of this cyberattack live in China.

“Cybersecurity Center 360 has recorded a new malicious campaign that distributes clipboard-grabbing software - ClipboardWalletHijacker. The malware monitors the clipboard activity to determine if it contains a Bitcoin or Ethereum account address,” the company's report says.
“When such an address is found, the malware changes it to its own, which allows the transfer of funds to be redirected there. More than 300,000 computers were affected by this malware sample.”
The ClipboardWalletHijacker tactic is far from new; it's worth remembering at least the Evrial malware, which also spoofed bitcoin addresses in the Windows clipboard.

The experts noted several addresses that ClipboardWalletHijacker substitutes for the legitimate, user-supplied ones:
  • BTC: 1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1
  • BTC: 19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL
  • ETH: 0x004D3416DA40338fAf9E772388A93fAF5059bFd5
The experts also shared a piece of code that is responsible for spoofing the Ethereum wallet address:

[Image: screenshot of the code, not reproduced here]


The links below can be used to view the balance of addresses belonging to cybercriminals:
The attackers stole a total of 0.12434321 BTC - somewhere around $800.
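
As an added example (not code from the report or from Qihoo 360), the following defender-side check scans a time-ordered clipboard history for the substitution described above: it flags the replacement addresses listed in this post, and any wallet address swapped for a different one of the same type within a short window. The history format, the one-second window and the victim-side sample addresses are assumptions constructed for illustration.

```python
import re

# Replacement addresses listed in the report quoted above.
REPORTED = [
    "1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1",
    "19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL",
    "0x004D3416DA40338fAf9E772388A93fAF5059bFd5",
]
PATTERNS = {
    "BTC": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),  # legacy Base58 form
    "ETH": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def classify(text):
    """Return (kind, canonical address) when text is a bare wallet address, else None."""
    text = text.strip()
    for kind, pattern in PATTERNS.items():
        if pattern.fullmatch(text):
            # ETH hex is case-insensitive, so compare it in lower case.
            return kind, (text.lower() if kind == "ETH" else text)
    return None

KNOWN_BAD = {classify(a)[1] for a in REPORTED}

def find_swaps(events, window=1.0):
    """events: (seconds, clipboard_text) in time order. Returns (time, reason, address)."""
    findings, prev = [], None  # prev: (time, kind, address) of the last address seen
    for ts, text in events:
        cur = classify(text)
        if cur is None:
            prev = None
            continue
        kind, addr = cur
        if addr in KNOWN_BAD:
            findings.append((ts, "known-replacement-address", addr))
        elif prev and prev[1] == kind and prev[2] != addr and ts - prev[0] <= window:
            findings.append((ts, "rapid-same-type-swap", addr))
        prev = (ts, kind, addr)
    return findings

# Constructed clipboard history (assumed format, not captured data).
SAMPLE = [
    (0.0, "invoice 1042"),
    (5.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),  # user copies a payee address
    (5.2, "19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL"),  # replaced by a reported address
    (60.0, "0x" + "ab" * 20),                     # constructed ETH address
    (60.3, "0x" + "cd" * 20),                     # swapped for an unlisted one
    (300.0, "0x" + "ef" * 20),                    # later, unrelated copy
]
```

The second rule catches replacement addresses that are not on any list, which matters because the addresses in a given sample can change between builds.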