A new virus steals electronic currencies by replacing data on the clipboard

Cybersecurity experts at Palo Alto Networks discovered a virus called ComboJack while monitoring an email phishing campaign that targeted customers in Japan and the United States.

The virus steals Bitcoin, Ethereum, Monero and Litecoin. But not only cryptocurrency is the goal of ComboJack. It is also intended for fraudulent transactions with digital payment systems, the list of which includes Yandex.Money and WebMoney.

The potential victim is asked to open the attached file, after which the embedded RTF file with the CVE-2017-8759 exploit is automatically launched. It is he who frees up the hands of scammers and provides the ability to enter code and run PowerShell commands, which are used to execute the ComboJack script.

The program withdraws money by replacing the destination address of the crypto transaction with the address of the criminal’s wallet. The victims of the virus are users who do not check the destination address of transactions before approving them.

“The tactic is based on the fact that wallet addresses are usually long and difficult to remember. Most users prefer to copy such a string to the clipboard to prevent possible errors,” Palo Alto Networks experts write in the report.

The virus “lives” due to a vulnerability that Microsoft fixed in early fall last year. In order to protect themselves, users are advised to reinstall the system software.

The fact that such schemes still work suggests that users are still too trusting, which is successfully exploited by scammers.

According to https://researchcenter.paloaltonetworks.com