Combojack Trojan Replaces Cryptocurrency Addresses Copied To Windows Clipboard
Security researchers have discovered a new malware strain that is capable of detecting when users copy a cryptocurrency address to the Windows clipboard. The malware works by replacing this address with one owned by its author.
Named ComboJack, this malware is similar to Evrial and CryptoShuffler. The difference between ComboJack and the two is that ComboJack supports multiple cryptocurrencies, not just Bitcoin.
ComboJack targets multiple cryptocurrencies
According to Palo Alto Networks, ComboJack can detect whenever the user has copied a cryptocurrency address for Bitcoin, Litecoin, Ethereum, and Monero, but also for other digital payment systems such as Qiwi, Yandex Money, and WebMoney (USD and ruble payments).
ComboJack is under active distribution, Palo Alto said today. The company says it detected this malware as the final payload of a malspam campaign targeting Japanese and American users.
ComboJack uses a multi-step infection chain
The exploitation chain is quite complex, but follows the patterns seen last year with Dridex (banking trojan) and Locky (ransomware) campaigns.
Crooks send victims an email claiming to contain a scan of a lost passport. The file attachment with this email is in PDF format.
If the user downloads and opens this PDF, the file opens an RTF file that contains an embedded HTA object that tries to exploit the CVE-2017-8579 DirectX vulnerability.
On successful exploitation, the HTA file contained within the RTF file contained within the PDF runs a series of PowerShell commands that download and execute a self-extracting executable (SFX).
But the infection chain is not done. This SFX file downloads and runs a password-protected SFX that then installs ComboJack.
ComboJack then gains boot persistence and starts scanning the Windows clipboard every half a second for new content. Once the user copies a string that matches a known pattern for a cryptocurrency (or payment system) address, ComboJack replaces that address with one from an internal list.
Users are advised to double-check that the cryptocurrency payment addresses they copy-pasted are identical in the source and destination locations.
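The pattern-match-and-swap behaviour described above can be turned around into a detection heuristic: sample the clipboard on a timer and flag any address-shaped string that turns into a different address of the same family within about a second, with nothing else copied in between. The following is an added example written for this article, not code from Palo Alto Networks or from the malware; the address shape checks are simplified (no checksum validation) and the clipboard snapshots are constructed test data, since the logic is the point rather than the Windows clipboard API.

```python
import re
from dataclasses import dataclass

# Simplified shape checks for the currency families the article names.
# Constructed for demonstration; they do not validate checksums.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "litecoin": re.compile(r"^(ltc1[a-z0-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


def classify(text: str):
    """Return the address family a string looks like, or None if it is not an address."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class Snapshot:
    t_ms: int      # time (ms) at which the clipboard was sampled
    content: str   # clipboard text at that moment


def find_swaps(snapshots, window_ms=1000):
    """Flag an address that becomes a *different* address of the same family
    within window_ms. A user rarely copies two different addresses of the same
    coin back to back; a clipboard hijacker polling every 500 ms does exactly that."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        kind = classify(prev.content)
        if (kind and classify(cur.content) == kind
                and prev.content.strip() != cur.content.strip()
                and cur.t_ms - prev.t_ms <= window_ms):
            alerts.append((kind, prev.content.strip(), cur.content.strip()))
    return alerts


# Constructed sample: the user copies a Bitcoin address, and half a second
# later the clipboard holds a different one (the hijack). A later Ethereum
# copy is a genuine user action and must not be flagged.
BTC_USER = "1" + "AbC9" * 8          # 33 chars, base58 alphabet only
BTC_SWAPPED = "1" + "XyZ7" * 8       # attacker-controlled replacement
ETH_USER = "0x" + "ab12" * 10
SAMPLE_SNAPSHOTS = [
    Snapshot(0, "invoice #4471"),
    Snapshot(500, BTC_USER),
    Snapshot(1000, BTC_SWAPPED),
    Snapshot(1500, BTC_SWAPPED),
    Snapshot(9000, ETH_USER),
    Snapshot(9500, "meeting notes"),
]
```

Because a legitimate user can also copy two addresses in quick succession, treat an alert as a prompt to compare the pasted address against the source, as the advice above recommends, rather than as proof of infection.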