Clipboard Hijacking Malware

This week, a newly-discovered clipboard hijacking malware sample has been seen monitoring over 2.3 million cryptocurrency addresses.

BleepingComputer has published a comprehensive report over this new malware, which is called ”CryptoCurrency Clipboard Hijacker”.

The malware scans the Windows Clipboard for cryptocurrency addresses, switching legitimate ones for addresses owned by the attacker. The malware runs in the background and as processes look genuine there are no tell-tale signs of infection.

Clipboard hijacking, however, is not a new threat. Historically, earlier versions of web browsers would allow websites to silently read the data stored on the Windows Clipboard. Today, updated browsers prompt the user on screen to allow access to the clipboard.

In June, a cyber security company identified a clipboard hijacking malware campaign targeting Bitcoin and Ethereum users, infecting over 300,000 computers.

Due to the complex nature of cryptocurrency addresses, transferring funds requires users to copy a destination address from one application into memory and then paste it into the program they are using to send money. Attackers are likely to have noticed this behaviour and created the malware to take advantage of this.

There is no evidence to suggest that any other information is being taken as a result of this clipboard hijacking but, since the clipboard is often used as a place to hold passwords and other sensitive information, users should be vigilant. If you are sending cryptocurrency it is recommended that the destination address is double checked to make sure it has not been replaced with a different one.

As the price and popularity of cryptocurrencies continues to grow, we assess that illicit actors will increase efforts to obtain and profit from them, including through theft, speculation, fraud, illicit mining, and abuse of new cryptocurrency offerings.