Combojack Trojan Replaces Cryptocurrency Addresses Copied To Windows Clipboard

Security researchers have discovered a new malware strain that detects when a user copies a cryptocurrency address to the Windows clipboard and silently replaces it with an address owned by the malware's author.

Named ComboJack, the malware belongs to the same family of clipboard hijackers as Evrial and CryptoShuffler. What sets ComboJack apart from those two is that it supports multiple cryptocurrencies, not just Bitcoin.

ComboJack targets multiple cryptocurrencies

According to Palo Alto Networks, ComboJack can detect when the user has copied an address for Bitcoin, Litecoin, Ethereum, or Monero, and also for other digital payment systems such as Qiwi, Yandex Money, and WebMoney (both USD and ruble purses).

ComboJack is under active distribution, Palo Alto Networks said today. The company detected the malware as the final payload of a malspam campaign targeting Japanese and American users.

ComboJack uses a multi-step infection chain

The infection chain is fairly involved, but it follows the pattern seen last year in Dridex (banking trojan) and Locky (ransomware) campaigns.

Crooks send victims an email claiming to contain a scan of a lost passport. The attachment is a PDF file.

If the user downloads and opens this PDF, it opens an embedded RTF file. The RTF in turn contains an embedded HTA object that tries to exploit CVE-2017-8579, a DirectX vulnerability.

On successful exploitation, the HTA file (nested inside the RTF, which is nested inside the PDF) runs a series of PowerShell commands that download and execute a self-extracting executable (SFX).

The chain does not end there. This SFX file downloads and runs a second, password-protected SFX, which finally installs ComboJack.

ComboJack then establishes boot persistence and starts scanning the Windows clipboard every half second for new content. Once the user copies a string that matches a known pattern for a cryptocurrency (or payment system) address, ComboJack overwrites the clipboard with an address from an internal list for that same currency, so the victim pastes the attacker's address into the payment form without noticing.

Users are advised to double-check, before sending funds, that the address they pasted into the payment form is identical to the one they copied from the source. A swapped address is syntactically valid for the same currency, so a quick glance at the format is not enough; compare the full string.
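The half-second scan-and-replace loop described above, together with the copy-versus-paste check recommended here, as an added example that is not code from the ComboJack sample or from the Palo Alto Networks report. It simulates the clipboard in memory so it runs offline; the address regexes are loose syntactic approximations (an assumption, not the malware's actual matching rules), the attacker addresses are constructed strings, and the same-coin transition heuristic in the watchdog is this example's own idea rather than anything the article documents.

```python
"""Simulated clipboard address hijacking plus a detection heuristic.

Added example, not code from the ComboJack sample or the Palo Alto report.
The regexes, the fake clipboard, and every address below are constructed
for illustration; the real malware's matching rules are not reproduced.
"""
import re
from typing import Callable, Optional

# Approximate address shapes for the coins the article names. Assumption:
# these are loose syntactic checks only, not checksum validation.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "litecoin": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return which coin an address-looking string belongs to, or None."""
    s = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None


class FakeClipboard:
    """Stand-in for the OS clipboard so the example runs offline."""

    def __init__(self) -> None:
        self.text = ""

    def read(self) -> str:
        return self.text

    def write(self, text: str) -> None:
        self.text = text


# Constructed attacker-controlled addresses: syntactically plausible, not real.
ATTACKER_ADDRESSES = {
    "bitcoin": "1" + "A" * 33,
    "ethereum": "0x" + "ab" * 20,
}


def hijacker_tick(clipboard: FakeClipboard, swaps: dict = ATTACKER_ADDRESSES) -> bool:
    """One scan of the clipboard, as a hijacker's poll loop would do it.

    If the content matches a coin the attacker has a replacement for, the
    attacker's address is written back. Returns True when a swap happened.
    """
    coin = classify_address(clipboard.read())
    if coin in swaps:
        clipboard.write(swaps[coin])
        return True
    return False


class SwapDetector:
    """Heuristic watchdog (this example's own idea, not from the article).

    An address that turns into a *different* address of the same coin between
    two consecutive polls is flagged: a human copying a new address usually
    replaces it with non-address text or a different currency first, so a
    same-coin A->B transition inside one short poll interval is suspicious.
    Assumption: the poll interval is short relative to a human copy action.
    """

    def __init__(self, read: Callable[[], str]) -> None:
        self._read = read
        self._last = read()
        self.alerts = []

    def poll(self) -> Optional[tuple]:
        current = self._read()
        prev, self._last = self._last, current
        if current != prev:
            kind_prev, kind_now = classify_address(prev), classify_address(current)
            if kind_prev is not None and kind_prev == kind_now:
                alert = (kind_now, prev, current)
                self.alerts.append(alert)
                return alert
        return None


def simulate_payment(user_copies: str, expected_address: str):
    """Drive one copy/paste through the hijacker and the watchdog.

    Returns (swap_happened, alert_or_None, paste_matches_expected); the last
    value is the copy-versus-paste check the article recommends.
    """
    cb = FakeClipboard()
    detector = SwapDetector(cb.read)
    cb.write(user_copies)          # user copies the payee address
    detector.poll()                # watchdog sees the fresh copy
    swapped = hijacker_tick(cb)    # malware scans and possibly replaces
    alert = detector.poll()        # watchdog sees the swap, if any
    pasted = cb.read()             # what actually lands in the wallet form
    return swapped, alert, pasted == expected_address


if __name__ == "__main__":
    victim_btc = "1" + "B" * 33   # constructed, not a real address
    print(simulate_payment(victim_btc, victim_btc))
```

Because the attacker's replacement is a well-formed address of the same currency, only a full string comparison against the address from the trusted source (the last return value above) reliably catches the swap; the watchdog heuristic is a useful second signal but can miss a hijacker that waits longer than the watchdog's poll interval.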
