360 discovered a new type of actively spreading CryptoMiner, ClipboardWalletHijacker.

Share this news:

New CryptoMiner hijacks your Bitcoin transaction. Over 300,000 computers have been attacked.

Recently, 360 discovered a new type of actively spreading CryptoMiner, ClipboardWalletHijacker. The Trojan monitors clipboard activity to detect if it contains the account address of Bitcoin and Ethereum. It tampers with the receiving address to its own address to redirect the cryptocurrency to its own wallet. This kind of Trojans has been detected on more than 300 thousand computers within a week.

Analysis

The main function of ClipboardWalletHijacker is a recurrent loop monitoring the content of clipboard.

https://blog.360totalsecurity.com/wp-content/uploads/2018/06/ClipboardAddressMonitor1.png

The function of the clipboard fetcher:

https://blog.360totalsecurity.com/wp-content/uploads/2018/06/ClipboardAddressMonitor2.png

If it detects the content is the address of Ethereum wallet, it replace the address with its own:

https://blog.360totalsecurity.com/wp-content/uploads/2018/06/ClipboardAddressMonitor3.png

The replacement address is "0x004D3416DA40338fAf9E772388A93fAF5059bFd5". There have been 46 successful transactions in total.

https://blog.360totalsecurity.com/wp-content/uploads/2018/06/ClipboardAddressMonitor4-1024x277.png

The most recent transactions are:

https://blog.360totalsecurity.com/wp-content/uploads/2018/06/ClipboardAddressMonitor5.png

If the address is not Ethereum, the Trojan checks if it is Bitcoin address, and the address number begins with 1 or 3.

If the current date is earlier than 8th of the month, replace the address to "19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL". Otherwise, use "1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1" instead.

https://blog.360totalsecurity.com/wp-content/uploads/2018/06/ClipboardAddressMonitor6.png

The Trojan has successfully hijacked five Bitcoin transactions already.

https://blog.360totalsecurity.com/wp-content/uploads/2018/06/ClipboardAddressMonitor7.png

The amount of the latest transaction is 0.069 BTC (approximately equivalent to 500 US dollars).

https://blog.360totalsecurity.com/wp-content/uploads/2018/06/ClipboardAddressMonitor8-1024x197.png

The income from another address:
https://blog.360totalsecurity.com/wp-content/uploads/2018/06/ClipboardAddressMonitor9.png

Reminder

Recently, they have found that a lot of CryptoMiner Trojans are using this technique to steal victims' cryptocurrencies. We strongly recommend users to enable antivirus software while installing new applications. Users are also recommended to run virus scan with 360 Total Security to avoid falling victim to CryptoMiner.

Qihoo 360 Technology Co. Limited

Website: https://www.360totalsecurity.com

Email: support@360safe.com

Contact Info:
Name: Media Relations
Email: Send Email
Organization: Qihoo 360 Technology Co. Limited
Website: https://www.360totalsecurity.com

Source URL: http://www.globalnewsonline.info/new-cryptominer-hijacks-your-bitcoin-transaction-over-300000-computers-have-been-attacked/

Release ID: 357267

CONTACT ISSUER
Name: Media Relations
Email: Send Email
Organization: Qihoo 360 Technology Co. Limited
SUBSCRIBE FOR MORE