Security researchers have discovered a new malware strain that is capable of detecting when users copy a cryptocurrency address to the Windows clipboard. The malware works by replacing this address with one owned by its author.​

​

Named ComboJack, this malware is similar to Evrial and CryptoShuffler. The difference between ComboJack and the two is that ComboJack supports multiple cryptocurrencies, not just Bitcoin.​​

ComboJack targets multiple cryptocurrencies​

According to Palo Alto Networks, ComboJack can detect whenever the user has copied a cryptocurrency address for Bitcoin, Litecoin, Ethereum, and Monero, but also for other digital payment systems such as Qiwi, Yandex Money, and WebMoney (USD and ruble payments).​

​

ComboJack is under active distribution, Palo Alto said today. The company says it detected this malware as the final payload of a malspam campaign targeting Japanese and American users.​

ComboJack uses a multi-step infection chain​

The exploitation chain is quite complex, but follows the patterns seen last year with Dridex (banking trojan) and Locky (ransomware) campaigns.​

​

Crooks send victims an email claiming to contain a scan of a lost passport. The file attachment with this email is in PDF format.​

​

If the user downloads and opens this PDF, the file opens an RTF file that contains an embedded HTA object that tries to exploit the CVE-2017-8579 DirectX vulnerability.​

​

On successful exploitation, the HTA file contained within the RTF file contained within the PDF runs a series of PowerShell commands that download and execute a self-extracting executable (SFX).​

​

But the infection chain is not done. This SFX file downloads and runs a password-protected SFX that then installs ComboJack.​

​

ComboJack then gains boot persistence and starts scanning the Windows clipboard every half a second for new content. Once the user copies a string that matches a known pattern for a cryptocurrency (or payment system) address, ComboJack replaces that address with one from an internal list.​

​

Users are advised to double-check that the cryptocurrency payment addresses they copy-pasted are identical in the source and destination locations.​