Cryptocurrency-stealing malware relies on victims copy-pasting wallet info


An unconventional email spam campaign has been delivering unusual cryptocurrency-stealing malware to American and Japanese users.

The emails carry “Re: passport..” in the subject line and try to trick targets into opening an attached file that supposedly contains a scanned copy of a passport the recipient may have left in the sender’s office.

Opening the file does not show the scanned image; instead, potential victims are asked to open another file embedded in the first one.

If they choose to open it, the embedded file attempts to exploit an old DirectX vulnerability (Microsoft DirectX is a collection of APIs for handling multimedia tasks on Microsoft platforms).

If the exploit succeeds, it loads an HTA script, which runs a PowerShell script to download the ComboJack malware.

The cryptocurrency-stealing malware

The researchers named it ComboJack because it aims to steal funds in a variety of cryptocurrencies.

Once downloaded, the malware first establishes persistence and hides itself from the user. It then enters an infinite loop in which it checks the contents of the clipboard every half second.

“The contents of the clipboard are checked for various criteria to determine if the victim has copied wallet information for various digital currencies. In the event a wallet of interest is discovered, ComboJack will replace it with a hardcoded wallet that the attacker presumably owns in an attempt to have the victim accidentally send money to the wrong location,” Palo Alto Networks researchers explained.

“This tactic relies on the fact that wallet addresses are typically long and complex and to prevent errors, most users will opt to copy an exact string in order to prevent potential errors.”

The malware is after Ethereum, Monero, Bitcoin, and Litecoin, but also after funds transferred via Qiwi, WebMoney, and Yandex Money.
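The clipboard-swap behaviour described above, and the list of currencies it targets, can be turned into a defensive check. The following is an added example, not code from the article or from Palo Alto Networks: it classifies clipboard text as a wallet address of a given cryptocurrency (Bitcoin and Litecoin via Base58Check, Ethereum and Monero via format patterns; the web-wallet services are not covered), then flags the hijacker pattern of one valid address being replaced by a different valid address of the same currency within a short window. The address patterns, the 2-second window and the clipboard timeline are my own assumptions; the two Bitcoin addresses are well-known public example addresses used only as syntactically valid samples.

```python
import hashlib
import re

# Added example (not from the article or Palo Alto Networks). Address patterns,
# the swap window and the sample timeline are assumptions for illustration.

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_decode(s):
    """Decode a Base58Check string into (version_byte, payload).
    Returns None on a bad character or a checksum mismatch. Bitcoin and
    Litecoin legacy addresses use this encoding, so a single-character
    tampering is caught here rather than silently accepted."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # each leading '1' stands for one leading zero byte in the raw buffer
    pad = len(s) - len(s.lstrip("1"))
    raw = b"\x00" * pad + raw
    if len(raw) < 5:
        return None
    body, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != checksum:
        return None
    return body[0], body[1:]


def classify_wallet(text):
    """Return the currency a string looks like a wallet address for, or None.
    These are my approximations of what a clipboard hijacker matches on."""
    s = text.strip()
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", s):
        return "ethereum"
    if re.fullmatch(r"[48][1-9A-HJ-NP-Za-km-z]{94}", s):  # standard/subaddress
        return "monero"
    decoded = base58check_decode(s)
    if decoded and len(decoded[1]) == 20:
        version = decoded[0]
        if version in (0x00, 0x05):      # Bitcoin P2PKH / P2SH
            return "bitcoin"
        if version in (0x30, 0x32):      # Litecoin P2PKH / P2SH
            return "litecoin"
    return None


SWAP_WINDOW_SECONDS = 2.0  # assumption: a person rarely copies two addresses this fast


def detect_clipboard_swaps(snapshots, window=SWAP_WINDOW_SECONDS):
    """snapshots: time-ordered (seconds, clipboard_text) pairs from a clipboard
    monitor. Returns (currency, original, replacement) alerts whenever a
    wallet address is replaced by a different address of the same currency
    within `window` seconds, which is the hijacker behaviour and not what a
    user normally does."""
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        cur = classify_wallet(before)
        if (cur and cur == classify_wallet(after)
                and before.strip() != after.strip()
                and t1 - t0 <= window):
            alerts.append((cur, before.strip(), after.strip()))
    return alerts


def safe_to_paste(copied, clipboard_now):
    """Pre-paste check a wallet app can make: what the user copied must be
    byte-for-byte what the clipboard holds at paste time."""
    return copied.strip() == clipboard_now.strip()


# Constructed clipboard timeline. GENESIS is the Bitcoin genesis-block address
# and OTHER_BTC the Bitcoin wiki example address; both are public samples.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
OTHER_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
ETH_A = "0x" + "ab" * 20
ETH_B = "0x" + "cd" * 20

SAMPLE_TIMELINE = [
    (0.0, "meeting notes"),
    (10.0, GENESIS),     # user copies the address they intend to pay
    (10.4, OTHER_BTC),   # 400 ms later the clipboard holds a different address
    (60.0, ETH_A),
    (95.0, ETH_B),       # a second ETH address 35 s later: ordinary user activity
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_TIMELINE):
        print("possible clipboard hijack:", alert)
```

Run as a script, it reports the single Bitcoin swap at 10.4 s and stays silent on the two Ethereum copies 35 s apart. The same `safe_to_paste` comparison is the cheap end-user mitigation implied by the researchers' remark: after pasting, compare the pasted address with the one you copied before confirming the transaction.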

“By targeting multiple cryptocurrencies and web-based wallets, the author of ComboJack appears to be hedging his or her bets on which currency will boom and which will bust,” the researchers concluded.