A malware campaign spreading a clipboard hijacker has infected more than 300,000 computers, according to Chinese security firm Qihoo 360 Total Security.
The campaign has grown rapidly over the past week and is spreading malware that Qihoo researchers have named Clipboard Wallet Hijacker.
The malware replaces BTC and ETH addresses on the clipboard
The purpose of the malware is to intercept content placed on the Windows clipboard, search it for strings that resemble Bitcoin and Ethereum addresses, and replace them with the malware authors' wallet addresses.
Clipboard Wallet Hijacker's end goal is to hijack BTC and ETH transactions so that victims unknowingly send funds to the malware authors.
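The substitution described above leaves a simple signal for a defender: the clipboard holds a different, still well-formed address of the same kind the user copied. The following added example (not code from the article or from Qihoo 360) classifies a clipboard string as a BTC or ETH address, validating legacy Bitcoin addresses with Base58Check so lookalike strings are not counted, and flags a swap between what was copied and what a later clipboard read observed. The event format (`user_copy` / `poll` tuples) is an assumption made for the example.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# Base58 alphabet used by Bitcoin (no 0, O, I or l).
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_BTC_RE = re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")  # legacy P2PKH / P2SH only
_ETH_RE = re.compile(r"0x[0-9a-fA-F]{40}")                 # format check only, no EIP-55

def _b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + _B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    return b"\x00" * leading_ones + raw

def is_valid_btc(addr: str) -> bool:
    """Format plus Base58Check: version(1) + hash160(20) + sha256d checksum(4)."""
    if not _BTC_RE.fullmatch(addr):
        return False
    data = _b58decode(addr)
    if len(data) != 25:
        return False
    payload, checksum = data[:21], data[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum

def classify_address(text: str) -> Optional[str]:
    """Return 'btc' or 'eth' when the whole clipboard string is a plausible address, else None."""
    text = text.strip()
    if is_valid_btc(text):
        return "btc"
    if _ETH_RE.fullmatch(text):
        return "eth"
    return None

def clipboard_substituted(copied: str, observed: str) -> bool:
    """True when the clipboard now holds a different address of the same kind the user copied."""
    kind = classify_address(copied)
    return kind is not None and classify_address(observed) == kind and copied.strip() != observed.strip()

def scan_clipboard_log(events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """events: (source, text) pairs in time order; source is 'user_copy' or 'poll' (assumed format).
    Returns (copied, observed) pairs where a polled value no longer matches the last user copy."""
    last_copy, alerts = None, []
    for source, text in events:
        if source == "user_copy":
            last_copy = text
        elif last_copy is not None and clipboard_substituted(last_copy, text):
            alerts.append((last_copy, text))
    return alerts
```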
The malware uses the following addresses when replacing strings on users' clipboards:
BTC: 1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1
BTC: 19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL
ETH: 0x004D3416DA40338fAf9E772388A93fAF5059bFd5
Checking the balances of these addresses on the Blockchain.info and Etherscan.io websites shows that the thieves have received only 0.12434321 BTC from eight transactions and nothing in Ethereum. This amount is approximately $800.
Since Qihoo 360 is a vendor whose presence is overwhelmingly in the Chinese market, most of the 300,000 infected computers are believed to be located in China and neighboring countries.
Other cryptocurrency-related threats
But this is not the only cryptocurrency-focused malware campaign discovered in recent weeks by Qihoo researchers.
They also came across TaksHostMiner, a malware strain that infected more than 10,000 computers in a single day and mines cryptocurrency on infected hosts. The trick this malware uses is that it stops working when the user opens the Windows Task Manager.
Researchers also discovered WagonlitSwfMiner, a coin-mining malware strain distributed through drive-by downloads that exploit an Adobe Flash vulnerability (CVE-2018-4878) to infect victims automatically.
Qihoo also discovered the Bondat IoT/Linux worm, which spreads between web servers and IoT devices, infects them with a hidden cryptocurrency miner, and also uses the infected devices to brute-force WordPress-based websites.