Unit 42 researchers have discovered a new malware that steals cryptocurrency by replacing wallet addresses in the clipboard with an attacker-controlled address. The malware was spread by a "malspam" campaign: the email claimed a passport had been lost, and the attached PDF purported to be a scan of the document. The payload, dubbed ComboJack, is fairly clever: it watches the clipboard for strings of text matching the formats of known cryptocurrency wallet addresses and replaces them with an address belonging to the attacker, so that a victim who copies and pastes a recipient address unknowingly sends funds to the attacker instead.
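The mechanism is simple enough to show end to end. The following is an added example, not ComboJack's code and not from Unit 42's report: it simulates the clipboard-swap against a string standing in for clipboard contents, and then shows the defensive counterpart, comparing what the user copied with what the clipboard now holds. The address regexes are my own approximations of Bitcoin, Ethereum and Litecoin address formats (the page does not list which currencies ComboJack targets), and all addresses in the sample are constructed placeholders, not real wallets.

```python
import re

# Constructed, approximate wallet-address patterns (assumption: the page does not
# give ComboJack's actual matching rules; these are illustrative only).
#   btc: base58 P2PKH/P2SH, starts with 1 or 3, 26-35 chars total
#   eth: 0x followed by 40 hex digits
#   ltc: base58, starts with L or M, 27-34 chars total
ADDRESS_PATTERNS = {
    "btc": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "ltc": re.compile(r"\b[LM][a-km-zA-HJ-NP-Z1-9]{26,33}\b"),
}


def find_addresses(text):
    """Return every wallet-looking token in text as (kind, address, start, end), in order."""
    found = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for m in pattern.finditer(text):
            found.append((kind, m.group(0), m.start(), m.end()))
    return sorted(found, key=lambda f: f[2])


def swap_addresses(clipboard_text, attacker_addresses):
    """Attacker side: replace each recognised address with the attacker's address of the
    same kind. Returns (new_clipboard_text, [(kind, original, replacement), ...])."""
    swapped = []

    def make_replacer(kind):
        def replace(m):
            original = m.group(0)
            replacement = attacker_addresses.get(kind)
            if replacement is None or replacement == original:
                return original  # no attacker address for this currency: leave it
            swapped.append((kind, original, replacement))
            return replacement
        return replace

    out = clipboard_text
    for kind, pattern in ADDRESS_PATTERNS.items():
        out = pattern.sub(make_replacer(kind), out)
    return out, swapped


def detect_swap(copied_text, clipboard_text):
    """Defender side: compare the text the user copied with the clipboard's current
    contents and report any address that changed kind-for-kind, i.e. the signature of
    a clipboard hijacker. Returns [(kind, expected, actual), ...]."""
    before = find_addresses(copied_text)
    after = find_addresses(clipboard_text)
    changed = []
    for (k1, a1, _, _), (k2, a2, _, _) in zip(before, after):
        if k1 == k2 and a1 != a2:
            changed.append((k1, a1, a2))
    return changed


# Constructed sample data: placeholder addresses, not real wallets.
VICTIM_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
ATTACKER_BTC = "1FAKEattackerADDRESSxyz123456789ab"
VICTIM_ETH = "0x" + "cafebabe" * 5
ATTACKER_ETH = "0x" + "deadbeef" * 5
SAMPLE_CLIPBOARD = f"send 0.5 BTC to {VICTIM_BTC} or ETH to {VICTIM_ETH}"
ATTACKER_ADDRESSES = {"btc": ATTACKER_BTC, "eth": ATTACKER_ETH}


if __name__ == "__main__":
    hijacked, swapped = swap_addresses(SAMPLE_CLIPBOARD, ATTACKER_ADDRESSES)
    print("clipboard after swap:", hijacked)
    for kind, original, replacement in swapped:
        print(f"  {kind}: {original} -> {replacement}")
    for kind, expected, actual in detect_swap(SAMPLE_CLIPBOARD, hijacked):
        print(f"ALERT: {kind} address changed in clipboard: {expected} != {actual}")
```

The practical lesson for the defender is in `detect_swap`: a real clipboard monitor would record what was placed on the clipboard and alert when the contents later differ only in a wallet-shaped token, and a user can apply the same check by hand by comparing the first and last characters of the pasted address with the one they copied before confirming a transaction.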
While the attacker is most definitely a scumbag, you have to give some credit to such a sneaky and elegant solution.
With the proliferation of cryptomining malware, it is curious to see some actors take a different route to acquiring web-based currency. CryptoShuffler in 2017 may have been only the beginning of simple yet effective clipboard stealers like ComboJack. By targeting multiple cryptocurrencies and web-based wallets, the author of ComboJack appears to be hedging his or her bets on which currency will boom and which will bust.