A new form of malware steals Bitcoin, Litecoin, Monero, and Ethereum cryptocurrency by replacing the destination address of a cryptocurrency transaction with the address of a wallet controlled by the attacker.
Dubbed ComboJack because it attempts to steal multiple currencies, the criminal campaign relies on victims not checking the destination wallet of the transaction before finalising it.
It sounds simple and easy to spot, but the large numbers of spam emails used to distribute the malware mean the attackers are finding success in stealing cryptocurrency from users.
The malware also targets non-cryptocurrency digital payment systems, including WebMoney and Yandex Money.
Cyber security researchers at Palo Alto Networks discovered the campaign after observing a phishing email campaign targeting American and Japanese users. The emails do not address the potential victim by name, but claim that a passport has been misplaced and ask the recipient to open an attached document containing a scan of it and to 'check if you know the owner'.
If the victim opens the file, they are prompted to allow an embedded file to run in order to view the document. Doing so activates an embedded RTF file rigged with an exploit for CVE-2017-8759, a remote code execution vulnerability in the .NET Framework's SOAP WSDL parser that Microsoft patched in September 2017. The exploit lets the attackers inject code and run PowerShell commands, which download and execute ComboJack; the chain therefore only succeeds on a machine that is both missing that patch and whose user clicks through the prompt.
Researchers note that the malicious emails and malware distribution techniques are similar to those used by Dridex trojan and Locky ransomware campaigns during 2017, both of which were highly successful despite their simple tactics.
Once installed on a machine, ComboJack uses the built-in Windows tool attrib.exe to mark its file as hidden and as a system file, which, according to the researchers, both hides it from the user and lets it execute with high privileges.
From then on, ComboJack enters a loop in which it checks the contents of the clipboard every half second to see whether the victim has copied a wallet address for one of the cryptocurrencies it targets, including Bitcoin, Litecoin, Monero, and Ethereum.
If a wallet address is found, ComboJack replaces it with one belonging to the attackers, so that when the victim pastes the address into a transaction the funds go to the attackers' wallet instead. Because the victim pastes rather than types, the substitution is invisible unless the pasted string is compared with the one originally copied.
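The clipboard-polling loop and the substitution it performs, modelled as an added Python example; this is not code from Palo Alto Networks or from ComboJack itself. The address regexes, the attacker wallets (built here by Base58Check-encoding a dummy 20-byte hash so they carry valid checksums, plus a constructed 0x-hex Ethereum address) and the victim's Ethereum address are all constructed for the example; the victim's Bitcoin address is the public genesis-block address. The block also shows why a wallet's own format check does not stop the attack: the attacker's address validates just as well as the victim's, so the only reliable defence is comparing what was pasted with what was copied, which the `detect_clipboard_swaps` heuristic does over successive clipboard snapshots.

```python
import hashlib
import re

# Shapes of the address formats ComboJack watches for (legacy Base58 and
# bech32 forms for BTC/LTC, 0x-hex for ETH, 95-char standard/subaddress
# for XMR). Regexes constructed for this example; they classify, not validate.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[ac-hj-np-z02-9]{11,71})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^[48][a-km-zA-HJ-NP-Z1-9]{94}$"),
}

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def classify_address(text):
    """Return which currency a clipboard string looks like, or None."""
    s = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None


def base58check_encode(version, payload):
    """Base58Check: version || payload || first 4 bytes of double-SHA256."""
    raw = bytes([version]) + payload
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58[rem] + digits
    leading_zero_bytes = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zero_bytes + digits


def base58check_valid(addr):
    """True if a legacy BTC/LTC address decodes to 25 bytes with a good checksum."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    leading_ones = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading_ones + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    expected = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return raw[-4:] == expected


class ClipboardSwapper:
    """Models the ComboJack loop: on every poll, if the clipboard holds an
    address for a currency the attacker has a wallet for, overwrite it."""

    def __init__(self, attacker_wallets):
        self.attacker_wallets = attacker_wallets
        self.swaps = []

    def poll(self, clipboard):
        coin = classify_address(clipboard)
        target = self.attacker_wallets.get(coin)
        if target is None or clipboard == target:
            return clipboard  # nothing to hijack, or already swapped
        self.swaps.append((coin, clipboard, target))
        return target


def detect_clipboard_swaps(snapshots):
    """Defender heuristic over successive clipboard snapshots: one address
    turning into a different address of the same currency between two polls
    is what a swapper produces and what a user's own copy rarely does."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        coin = classify_address(prev)
        if prev != cur and coin is not None and classify_address(cur) == coin:
            alerts.append((coin, prev, cur))
    return alerts


# Attacker wallets, constructed here by encoding dummy 20-byte payloads.
# They carry valid checksums, so format validation alone would not reject them.
ATTACKER_WALLETS = {
    "BTC": base58check_encode(0x00, b"\x42" * 20),   # Bitcoin P2PKH version byte
    "LTC": base58check_encode(0x30, b"\x42" * 20),   # Litecoin P2PKH version byte
    "ETH": "0x" + "42" * 20,
}

# Victim's intended destinations: the real, public Bitcoin genesis-block
# address and a constructed Ethereum address.
VICTIM_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
VICTIM_ETH = "0x" + "ab" * 20


def simulate_session():
    """Victim copies some text and two addresses; the swapper polls after each.
    Returns what the victim would paste and what a clipboard monitor would flag."""
    swapper = ClipboardSwapper(ATTACKER_WALLETS)
    snapshots = []
    for copied in ("meeting notes", VICTIM_BTC, VICTIM_ETH):
        snapshots.append(copied)                # user's copy lands on the clipboard
        snapshots.append(swapper.poll(copied))  # malware's next poll rewrites it
    return {
        "pasted": [snapshots[3], snapshots[5]],
        "swaps": swapper.swaps,
        "alerts": detect_clipboard_swaps(snapshots),
    }


if __name__ == "__main__":
    for coin, original, replaced in simulate_session()["alerts"]:
        print(f"{coin}: {original} -> {replaced}")
```

Running the block prints the two hijacked addresses. Note that the Monero pattern is matched only loosely (standard 95-character addresses, no integrated-address form) and that the detection heuristic is deliberately simple: a real clipboard guard would also record which process last wrote the clipboard, since a legitimate copy of a second address of the same currency would trip this rule.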
"This tactic relies on the fact that wallet addresses are typically long and complex and to prevent errors, most users will opt to copy an exact string in order to prevent potential errors," said Palo Alto Networks researchers Brandon Levene and Josh Grunzweig.
ComboJack shares similarities with a previously uncovered form of malware, CryptoShuffler, although there's no indication that the two are directly related. Palo Alto Networks told ZDNet there's no indication as to who is behind ComboJack.