Kaspersky security researchers recently discovered a malware campaign targeting cryptocurrency wallets.
In the advisory's findings released today, the company notes that the attack was first observed in September 2022 and relies on malware that replaces part of the clipboard contents with a cryptocurrency wallet address.
"Despite their basic simplicity, [these] attacks are more dangerous than they would seem. Not only do they create irreversible transfers, but they are also very passive and difficult for normal users to detect."
Kaspersky added that this is especially true given that, unlike worms and viruses, clipboard injectors do not necessarily connect to an attacker's control server, which often generates visible network activity or increases CPU and RAM usage.
"The same is true for ransomware encryption. On the contrary, clipboard injectors can sit silent for years, showing no network activity or other signs of existence until the dire day when they replace crypto wallet addresses," the company explained.
Kaspersky added that it has observed malware campaigns relying on this technique abusing the Tor Browser installer.
"This is related to the banning of the Tor Project website in Russia at the end of 2021. This was reported by the Tor Project itself. [...] The malware authors heeded the call and responded by creating a trojanized Tor Browser bundle and distributing it to Russian-speaking users."
Regarding the payload observed during the malicious campaign, Kaspersky described it as passive, communicationless clipboard injector malware.
"This malware integrates with the chain of Windows clipboard viewers to receive notifications whenever clipboard data changes," reads the advisory. "If the clipboard contains text, it scans the content using a set of embedded regular expressions. If a matching address is found, it is replaced with an address randomly selected from a hard-coded list."
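The behaviour described above (watch for clipboard changes, match address formats with regular expressions, swap in a different address) gives a defender something concrete to look for. The following is an added example, not Kaspersky's code or part of the advisory: it runs the substitution heuristic over a constructed list of clipboard-change events and flags a wallet address that is replaced by a different address of the same format within a short window. The address regexes are illustrative assumptions, not the ones embedded in the sample.

```python
import re
from dataclasses import dataclass

# Illustrative address formats (assumption): a clipboard injector matches
# text like this so it knows which clipboard contents are worth replacing.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the address format name that `text` matches, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


@dataclass
class ClipEvent:
    t_ms: int   # time of the clipboard change, milliseconds
    text: str   # new clipboard text


def detect_substitutions(events, window_ms=500):
    """Flag a wallet address that is overwritten, within `window_ms`, by a
    different address of the same format: a user rarely copies two distinct
    addresses of one format within half a second, an injector does exactly that."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = classify(prev.text)
        if kind is None:
            continue
        quick = cur.t_ms - prev.t_ms <= window_ms
        if quick and classify(cur.text) == kind and cur.text != prev.text:
            alerts.append((prev.text, cur.text, kind))
    return alerts


# Constructed sample addresses and event timeline (not real wallets).
USER_BTC = "1ConstructedSampBTCaddrAAAAAAAAAA"
SWAPPED_BTC = "1ConstructedSampBTCaddrBBBBBBBBBB"
USER_ETH = "0x" + "ab" * 20
SAMPLE_EVENTS = [
    ClipEvent(0, USER_BTC),                 # user copies their own address
    ClipEvent(40, SWAPPED_BTC),             # replaced 40 ms later: injector behaviour
    ClipEvent(5000, "meeting notes"),       # ordinary text, ignored
    ClipEvent(5030, "meeting notes v2"),    # non-address change, ignored
    ClipEvent(9000, USER_ETH),              # ETH address copied, left untouched
    ClipEvent(12000, SWAPPED_BTC),          # different format, seconds later: no alert
]
```

Running `detect_substitutions(SAMPLE_EVENTS)` yields one alert for the BTC swap at 40 ms and nothing for the other events; the same check, applied manually, is the advice to compare the pasted address against the one you copied before confirming a transfer.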
The clipboard injector primarily targeted systems in Russia and Eastern Europe, but also targeted systems in the United States, Germany, China, and elsewhere.
To mitigate the impact of this threat, Kaspersky advised system defenders to download software only from trusted sources.
"A mistake that all victims of this malware may have made was downloading and running Tor Browser from a third-party resource," the company explained. "The installer from the official Tor Project was digitally signed and contained no such indications of malware."
A malicious Tor Browser installer was spread last year via Darknet explainer videos on YouTube.