Skip to main content

Hackers target Windows clipboard to steal cryptocurrency wallet addresses

New email-based malware dubbed as ComboJack is targeting Japanese and American web surfers to steal cryptocurrency during transactions. Once installed and lurking in the background, the malware grabs the victim’s long cryptocurrency wallet address stored in the Windows clipboard. Due to their extreme length, many users simply copy and paste that string of characters, and that is when ComboJack attacks. 

Discovered by researchers at the Palo Alto Networks, it’s a variant of a cryptocurrency stealer called CryptoJack. It grabs the address of a victim’s cryptocurrency wallet coped to the clipboard and replaces it with the address of the hacker’s wallet. Thus, victims believe they are transferring digital currency to their personal virtual wallets when instead they’re unknowingly pasting a different destination into the transaction prior to completion. 

Recommended Videos

CryptoShuffler was the first malware to use this stealing agent in 2017, but solely focused on Bitcoin. In 2018, ComboJack arrives to target not only Bitcoin investors, but Ethereum, Litecoin, Monero, and many other digital currencies. But the route this malware takes can be avoided by simply not opening an emailed attachment from untrusted sources.  

According to the report, victims receive emails regarding a lost passport. The shady message requests that the victim view an attachment that’s supposedly a scanned passport in a PDF format for identification purposes. But once victims open the PDF, they are presented with a single line to open an embedded document. Inside this secondary file is an embedded remote object that attacks a security hole in Windows. 

“An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory,” Microsoft’s database states. “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” 

The embedded remote object downloads a two-part file, one part containing a self-extracting executable, and a second part containing password-protected components to create and install the final payload: ComboJack. The malware then uses a built-in Windows tool to give it system-level privileges, edits the registry to make sure it remains running in the background and enters into an infinite loop. ComboJack then checks the system clipboard every half second for a cryptocurrency wallet address. 

So why aren’t cryptocurrency users simply manually entering their wallet addresses? Because it’s a pain. Ethereum addresses are 42 characters long while Bitcoin uses 34 characters. The longest is likely Monero, which relies on addresses with characters counts between 95 and 106. This is why users typically copy and paste their addresses, which serves as a virtual gold mine for hackers. 

While the suggestion of manually entering addresses during transactions is out of the question, opening files attached to emails sent from unknown parties is an extremely bad idea. In this case, the big clue starts with the actual poorly written message along with its suspicious attachment. But even after opening the PDF, the request to open another file should be another huge red flag.

Kevin Parrish
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Prime Day is over, but this powerful Dell laptop is still at its lowest price
The Dell Vostro 3530 laptop on a white background.

Prime Day is already over, but that doesn't mean that there are no more laptop deals for you to shop on Amazon. Here's one that caught our eye -- the Dell Vostro 3530 with 32GB of RAM for its lowest-ever price of $649, following a 28% discount on its original price of $899. This limited-time offer of $250 off may not last much longer though, so if you want to take advantage of this bargain, we highly recommend that you finalize your purchase for this device as soon as you can.

Buy Now

Read more
This Lenovo all-in-one computer is 30% off even though Prime Day has ended
The Lenovo V100 All-in-One Desktop Computer on a white background.

Even though Prime Day is already finished, there are still some excellent desktop computer deals on Amazon. If you don't have much space, or you just want to avoid clutter, you should take a look at the Lenovo V100 All-in-One PC. From its original price of $800, it's all the way down to just $560 following a 30% discount. The offer for this machine will only be available for a limited time though, so you need to act fast and proceed with the transaction immediately to secure the savings of $240.

Buy Now

Read more
The new Reachy Mini robot can let kids turn play into innovation
The Reachy Mini robot.

The Reachy Mini is an exciting new desktop robot aimed primarily at developers, educators, students, and enthusiasts, or basically anyone interested in creative coding.

There are actually two of them -- Reachy Mini Lite ($299) and Reachy Mini Wireless ($449) -- and both were developed by the prominent AI platform Hugging Face following its recent acquisition of Pollen Robotics. 

Read more