New Malware Steals Cryptocurrency by Lifting from Your Clipboard


For decades the clipboard has been an everyday part of the computing experience, whether on Windows, Mac, or Linux. But now attackers have found their way to your clipboard, using malware that will steal your cryptocurrency.

This will make you think twice the next time you copy and paste sensitive information, especially cryptocurrency addresses. The malware replaces the address of your cryptocurrency transaction with the address of the attacker’s wallet.

The Crime

The ComboJack malware works on multiple currencies by relying on you not checking the wallet you’re sending your transaction to. Many spam emails have been used to distribute the malware, and the sheer number of emails shows that the attackers are being successful with their endeavor.

But don’t think you’re safe just because you don’t use Bitcoin, as non-cryptocurrency digital payment systems, such as WebMoney and Yandex Money, are being targeted as well.


Researchers at Palo Alto Networks happened onto this malware campaign while watching an email phishing campaign that was targeting users in both America and Japan.

The emails don’t use the victims’ names yet claim a passport has been misplaced, instructing the reader of the email to open a document that contains a scanned version of it to “check if you know the owner.”

Once the email recipient opens the file, they’re told to allow an embedded file to run so that they can view the document. If they follow along and allow the file to run, it will enable an embedded RTF file to inject code and run PowerShell commands that will be used to download ComboJack and execute it.

ComboJack will then get to work using the built-in Windows tool, attrib.exe, and that will allow it to hide itself from the email recipient and also execute processes that have high-level privileges.

It will then start a loop where it will check the clipboard content every half second to see if the user has copied information about cryptocurrencies. If it finds that, it will replace the present address with an address connected to the attacker, hoping the victim won’t notice.
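The swap described above leaves a recognizable trace: an address on the clipboard is replaced by a different address of the same kind faster than a person could copy a new one. The following Python example is an addition to this article, not code from the original page or from Palo Alto Networks; it assumes a monitoring agent that logs clipboard snapshots as (seconds, text) pairs, and the address patterns and function names are illustrative assumptions.

```python
import re

# Simplified, publicly documented address shapes. Assumption: the article does
# not list the exact patterns ComboJack looks for.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# The article says the clipboard is checked every half second, so a swap
# should land well inside one second of the user's own copy.
SWAP_WINDOW_SECONDS = 1.0


def classify(text):
    """Return the address kind the clipboard text looks like, or None."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None


def find_swaps(snapshots, window=SWAP_WINDOW_SECONDS):
    """Flag consecutive snapshots where one address is replaced by a different
    address of the same kind within `window` seconds."""
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        kind = classify(prev)
        if kind is None or kind != classify(cur):
            continue  # not an address-to-same-kind-address change
        if prev.strip() != cur.strip() and (t_cur - t_prev) <= window:
            alerts.append({"time": t_cur, "kind": kind,
                           "copied": prev.strip(), "now": cur.strip()})
    return alerts


# Constructed sample log; the addresses only match the shape, they are not real.
SAMPLE = [
    (0.0, "meeting notes"),
    (10.0, "1" + "A" * 33),      # user copies a Bitcoin-style address
    (10.4, "1" + "B" * 33),      # different address 0.4 s later: flagged
    (60.0, "0x" + "ab" * 20),    # user copies an Ethereum-style address
    (95.0, "0x" + "cd" * 20),    # new copy 35 s later: plausible user action
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE):
        print(alert)
```

Only the change at 10.4 seconds is reported; the second Ethereum-style copy arrives 35 seconds after the first and is treated as ordinary user activity.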

Beyond this Exploitation


Beyond an organization trying to steal cryptocurrency, it certainly means that anything could potentially be stolen from your clipboard. And many of us use the clipboard function for many things.

The question is whether you use the clipboard function for anything that would be potentially harmful if it were stolen, such as passwords. Sometimes passwords are emailed to you to set up an account, and they can be so long and filled with numbers and letters that the easiest solution is to copy and paste them.

Of course, it would require someone to be sitting on the other end constantly checking your clipboard for password information and to know where it will go, so it’s quite a stretch. But now we know that this could potentially happen.

The important thing to know is that the clipboard is a vulnerability, so it’s best to keep that in mind when you’re copying and pasting.

Possible Solutions

This particular vulnerability was patched by Microsoft last September, so the first line of defense is to keep your operating system up to date. Additionally, you need to be careful of emails from unknown organizations that ask you to download attachments. Hopefully, these are things you’re already doing anyway.

Is this type of vulnerability something you’re worried about? Would you have ever imagined that your clipboard could be exploited? Let us know your thoughts on this in the comments.


Laura Tucker
