Researchers at Palo Alto Networks have discovered a new cryptocurrency-stealing malware that is delivered by email. Dubbed ComboJack, it is a variant of a cryptocurrency stealer named CryptoJack, and it has been stealing cryptocurrency from American and Japanese users through an email spam campaign.
Replacing clipboard address
ComboJack watches the Windows clipboard for cryptocurrency wallet addresses and replaces them with the attacker's own address. Because wallet addresses are long strings that are impractical to type, most users copy and paste the destination address when making a transaction. By the time the user pastes, the address has already been swapped, so victims unknowingly send their funds to the attacker's wallet instead of the intended one, and a confirmed transaction cannot be reversed.
The technique is the same one used by CryptoShuffler, the malware that stole about $150,000 from cryptocurrency wallets in 2017.
How the attack starts
Victims first receive a malicious email about a lost passport. The email carries a PDF attachment that supposedly contains a scanned copy of the passport. When the recipient opens the PDF, it prompts them to open a second file: an embedded RTF document that in turn carries an embedded remote object.
The remote object downloads a two-part payload. One part is a self-extracting executable; the other is password-protected material that unpacks and installs ComboJack. The malware then uses a built-in Windows tool (attrib.exe, which marks its files as hidden and system files) to stay on the device out of the user's sight. Finally, it enters an infinite loop that checks the system clipboard every half second for a cryptocurrency wallet address.
Unlike CryptoShuffler, which focused only on Bitcoin, ComboJack targets a broad range of currencies, including Bitcoin, Ethereum, Litecoin, and Monero. It also targets funds transferred through the payment services Yandex Money, WebMoney, and Qiwi.
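The loop described above (poll the clipboard, recognise an address, overwrite it) and the list of targeted currencies can both be shown in one small simulation, together with the detector a defender would want: a watcher that flags an address being replaced within seconds by a different address of the same family. The code below is an added example and is not code from the Palo Alto Networks report or from the malware itself. It works entirely on an in-memory fake clipboard (no real clipboard API, no persistence, no network), and the address regexes, sample addresses and timings are approximations constructed for this example.

```python
"""Simulation of a ComboJack-style clipboard swap and a detector for it.
Added example, not the malware's or the report's code. Everything is in-memory."""
import re
from typing import Optional

# Approximate address formats for the families named in the report.
# These are assumptions for the example, not validated checksum parsers.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(r"^(?:[LM][1-9A-HJ-NP-Za-km-z]{26,33}|ltc1[a-z0-9]{39,59})$"),
    "monero": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "webmoney": re.compile(r"^[ZREUBGKXD]\d{12}$"),      # purse id: letter + 12 digits
    "yandex_money": re.compile(r"^41001\d{9,11}$"),      # account numbers start 41001
    "qiwi": re.compile(r"^\+?7\d{10}$"),                 # Russian phone number
}

# Constructed sample addresses (syntactically valid for the patterns above only).
VICTIM_BTC = "1VictimBTCwaLLet" + "a" * 18
ATTACKER_BTC = "1AttackerBTCwaLLet" + "a" * 16
VICTIM_ETH = "0x" + "11" * 20
ATTACKER_ETH = "0x" + "ee" * 20
VICTIM_XMR = "48" + "A" * 93


def classify_address(text: str) -> Optional[str]:
    """Return the family name if `text` looks like a wallet/payment identifier."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


class FakeClipboard:
    """Stand-in for the system clipboard so the example runs anywhere."""
    def __init__(self) -> None:
        self.text = ""


def stealer_tick(clipboard: FakeClipboard, attacker_wallets: dict) -> bool:
    """One iteration of the stealer's loop: if the clipboard holds an address of a
    family the attacker owns a wallet for, overwrite it. Returns True on a swap."""
    family = classify_address(clipboard.text)
    if family in attacker_wallets and clipboard.text != attacker_wallets[family]:
        clipboard.text = attacker_wallets[family]
        return True
    return False


class ClipboardGuard:
    """Detector: alerts when an address on the clipboard is replaced within
    `window` seconds by a different address of the same family. A stealer polling
    every 0.5 s produces exactly that pattern; a user copying two different
    addresses of one coin within 2 s is the (rare) false positive to expect."""
    def __init__(self, window: float = 2.0) -> None:
        self.window = window
        self._last = None  # (first_seen_ts, family, text) of the current address
        self.alerts: list = []

    def observe(self, ts: float, text: str) -> Optional[str]:
        family = classify_address(text)
        if family is None:          # ordinary text: forget the previous address
            self._last = None
            return None
        alert = None
        if self._last is not None:
            seen_ts, prev_family, prev_text = self._last
            if prev_text == text:   # unchanged since the last poll
                return None
            if prev_family == family and ts - seen_ts <= self.window:
                alert = f"t={ts}: {family} address swapped {prev_text[:8]}... -> {text[:8]}..."
                self.alerts.append(alert)
        self._last = (ts, family, text)
        return alert


def run_simulation():
    """Interleave the guard and the stealer at 0.5 s ticks over a scripted session.
    The guard polls just before the stealer each tick; a real guard must poll at
    least as fast as the stealer or it will only ever see the swapped value.
    Returns (final clipboard contents, list of guard alerts)."""
    clipboard = FakeClipboard()
    guard = ClipboardGuard(window=2.0)
    attacker_wallets = {"bitcoin": ATTACKER_BTC, "ethereum": ATTACKER_ETH}
    # Scripted user actions, constructed for the example: time -> text copied.
    user_copies = {0.0: VICTIM_BTC, 5.0: "meeting notes", 10.0: VICTIM_ETH, 20.0: VICTIM_XMR}
    ts = 0.0
    while ts <= 25.0:
        if ts in user_copies:
            clipboard.text = user_copies[ts]
        guard.observe(ts, clipboard.text)
        stealer_tick(clipboard, attacker_wallets)  # no Monero wallet: XMR is left alone
        ts += 0.5
    return clipboard.text, guard.alerts


if __name__ == "__main__":
    final_text, alerts = run_simulation()
    print("clipboard ends with:", final_text[:12] + "...")
    print("\n".join(alerts))
```

In the simulated session the Bitcoin and Ethereum addresses are swapped half a second after being copied and the guard raises one alert for each, while the Monero address survives because the attacker holds no Monero wallet. On a real host the guard would read the clipboard through the Windows clipboard API at least as often as the stealer does; the point of the example is the detection rule, not the polling mechanism.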
The simplest defence is not to open email attachments from unknown sources, and to keep Windows, Office and PDF readers patched, since the infection chain depends on the embedded RTF object being processed. Before confirming any transfer, compare the pasted destination address character by character with the original, because a confirmed blockchain transaction cannot be reversed. Cryptocurrency users are also strongly advised to store their funds in hardware wallets rather than online wallets; a hardware wallet shows the destination address on its own screen for confirmation, which defeats a clipboard swap on the infected PC.