ComboJack cryptocurrency stealing malware

Palo Alto Networks Unit 42 security researchers have discovered a new malware dubbed “ComboJack” that targets multiple cryptocurrencies and web-based online wallets.

The malware attempts to replace the address of the cryptocurrency transaction with a different cryptocurrency wallet address that is controlled by the attacker.

The Unit 42 researchers said the ComboJack campaign uses techniques similar to those of Dridex and Locky exposed last year. For instance, a malicious PDF sent via a phishing email contains an embedded RTF file, which in turn contains an embedded remote object used to exploit a DirectX ‘elevation of privilege’ vulnerability (CVE-2017-8579).

Palo Alto Networks described some of the actions ComboJack takes when the malicious payloads are successfully executed on the victim’s system: 

“Every half second it checks the contents of the clipboard. The contents of the clipboard are checked for various criteria to determine if the victim has copied wallet information for various digital currencies. In the event a wallet of interest is discovered, ComboJack will replace it with a hardcoded wallet that the attacker presumably owns in an attempt to have the victim accidentally send money to the wrong location. This tactic relies on the fact that wallet addresses are typically long and complex and to prevent errors, most users will opt to copy an exact string in order to prevent potential errors.” 

The malware authors appear to be hedging their bets by targeting not just Bitcoin (as earlier malware has) but also Litecoin, Monero, and Ethereum. This threat will likely keep growing as cryptocurrencies continue to rise in value and offer cyber criminals fast profits.
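The clipboard-swap behaviour quoted above has a simple observable signature: a string that looks like a wallet address is replaced, within the malware's half-second polling interval, by a different address of the same currency. The following is an added defensive example (not Unit 42's code or anything from the ComboJack sample) that classifies clipboard strings with simplified format heuristics for the four currencies named in the article and audits a polled clipboard history for such swaps; the address-format rules, the one-second gap threshold, and the sample addresses are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified address-format heuristics (assumption: enough to spot wallet-looking
# strings; no checksum or network validation). Litecoin P2SH addresses beginning
# with '3' are indistinguishable from Bitcoin here and are reported as bitcoin.
_B58 = r"[1-9A-HJ-NP-Za-km-z]"
_BECH = r"[02-9ac-hj-np-z]"
WALLET_PATTERNS = {
    "bitcoin":  re.compile(rf"^(?:[13]{_B58}{{25,34}}|bc1{_BECH}{{25,59}})$"),
    "litecoin": re.compile(rf"^(?:[LM]{_B58}{{25,34}}|ltc1{_BECH}{{25,59}})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero":   re.compile(rf"^[48]{_B58}{{94}}$"),
}

def classify_address(text: str) -> Optional[str]:
    """Return the currency whose address format the string matches, else None."""
    s = text.strip()
    for coin, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None

@dataclass
class SwapAlert:
    coin: str
    original: str
    replacement: str
    seconds_between: float

def audit_clipboard_history(snapshots: List[Tuple[float, str]],
                            max_gap: float = 1.0) -> List[SwapAlert]:
    """Flag consecutive clipboard snapshots where one wallet address became a
    different address of the same currency within max_gap seconds."""
    alerts = []
    for (t0, a), (t1, b) in zip(snapshots, snapshots[1:]):
        coin_a, coin_b = classify_address(a), classify_address(b)
        if coin_a and coin_a == coin_b and a.strip() != b.strip() and (t1 - t0) <= max_gap:
            alerts.append(SwapAlert(coin_a, a.strip(), b.strip(), t1 - t0))
    return alerts

# Constructed sample: (seconds, clipboard content) as a monitor might poll them.
CONSTRUCTED_SNAPSHOTS = [
    (0.0, "meeting notes for tuesday"),
    (2.0, "1AbCdEfGhJkLmNoPqRsTuVwXyZabcdefgh"),  # user copies a BTC address
    (2.5, "3BcDeFgHjKmNpQrStUvWxYzabcdefghijk"),  # 0.5 s later: different BTC address
    (9.0, "0x" + "ab" * 20),                      # user copies an ETH address
    (30.0, "0x" + "cd" * 20),                     # different ETH address, but 21 s later
]

if __name__ == "__main__":
    for alert in audit_clipboard_history(CONSTRUCTED_SNAPSHOTS):
        print(f"possible clipboard swap ({alert.coin}): {alert.original} -> {alert.replacement}")
```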