ComboJack malware tries to steal your cryptocurrency by changing the data in your clipboard

This newly uncovered malware is delivered by phishing emails - and hopes users don't bother to check which wallet they sending money to.
Written by Danny Palmer, Senior Writer

A new form of malware steals Bitcoin Litecoin, Monero, and Ethereum cryptocurrency by replacing addresses of cryptocurrency transactions with the address of a different cryptocurrency wallet controlled by the attacker.

Dubbed ComboJack after how it attempts to steal multiple currencies, the cyber criminal campaign relies on victims not checking the destination wallet of the transaction before finalising it.

It sounds simple and easy to spot, but the large numbers of spam emails used to distribute the malware mean the attackers are finding success in stealing cryptocurrency from users.

The malware also targets non-cryptocurrency digital payment systems, including WebMoney and Yandex Money.

Cyber security researchers at Palo Alto Networks discovered the campaign after observing an email phishing campaign targeting American and Japanese users. The emails don't address the potential victim by name, but claim a passport has been misplaced and ask the user to open a document containing a scanned version of it and to 'check if you know the owner'.


ComboJack phishing email lure for dropping the malware.

Image: Palo Alto Networks

If the victim opens the file, they're encouraged to allow an embedded file to run in order to see the document. By allowing this they enable an embedded RTF file rigged with the CVE-2017-8759 exploit allowing the attackers to inject code and run PowerShell commands which are used to download and execute ComboJack.

See also: What is malware? Everything you need to know about viruses, trojans and malicious software

Researchers note that the malicious emails and malware distribution techniques are similar to some used by Dridex trojan and Locky ransomware campaigns during 2017, both of which were highly successful, despite the simple tactics.

Once installed on a machine, ComboJack uses built-in Windows tool, attrib.exe allowing it to both hide from the user and execute processes with high level privileges.

From then on it, ComboJack enters into a loop in which it checks the content of the clipboard every half a second to check if the victim has copied wallet information about cryptocurrencies including Bitcoin Litecoin, Monero, and Ethereum.

If a wallet is discovered, ComboJack will replace the address with one which belongs to the attackers in an effort to make the victim accidentally send money to the wrong wallet.

"This tactic relies on the fact that wallet addresses are typically long and complex and to prevent errors, most users will opt to copy an exact string in order to prevent potential errors," said Palo Alto Networks researchers Brandon Levene and Josh Grunzweig.

See also: What is bitcoin? Here's everything you need to know [CNET]

ComboJack shares similarities with a previously uncovered form of malware, CryptoShuffler, although there's no indication that the two are directly related. Palo Alto Networks told ZDNet there's no indication as to who is behind ComboJack.

As ComboJack relies on exploiting a vulnerability which was patched by Microsoft in September 2017, one way users can avoid becoming a victim is to ensure that their operating system is up to date.

Users can also ensure that they don't fall victim to the malware by being wary of unexpected emails and strange attachments - especially if the message isn't directly addressed to them.


Editorial standards