Clipboard-Injector Attacks Target Cryptocurrency Users

October 5, 2023

A malware campaign targeting cryptocurrency wallets has recently been discovered by security researchers at Kaspersky.

Discussing the findings in an advisory published today, the company said the attacks were first observed in September 2022 and relied on malware replacing part of the clipboard contents with cryptocurrency wallet addresses.

“Despite the attack being fundamentally simple, it harbors more danger than [it] would seem. And not only because it creates irreversible money transfers, but because it is so passive and hard to detect for a normal user,” reads the advisory.

Kaspersky added that this stands out because worms and viruses, even when they do not connect to the attacker’s control servers, often generate visible network activity or increase CPU or RAM usage.

“So does encrypting ransomware. Clipboard injectors, on the contrary, can be silent for years, show no network activity or any other signs of presence until the disastrous day when they replace a crypto wallet address,” the company explained.

Kaspersky added that the malware campaign relying on this technique was observed abusing Tor Browser installers.

“We relate this to the ban of Tor Project’s website in Russia at the end of 2021, which was reported by the Tor Project itself […] Malware authors heard the call and responded by creating trojanized Tor Browser bundles and distributing them among Russian-speaking users.”

As for the payload observed during the malicious campaign, Kaspersky explained it was a passive and communication-less clipboard-injector malware.

“The malware integrates into the chain of Windows clipboard viewers and receives a notification every time the clipboard data is changed,” reads the advisory. “If the clipboard contains text, it scans the contents with a set of embedded regular expressions. Should it find a match, it is replaced with one randomly chosen address from a hardcoded list.”
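
The behavior quoted above leaves one observable trace: the clipboard text changes right after a copy, and only the address portion differs. The following Python sketch is an added example, not code from Kaspersky or the article; it flags that pattern in a timeline of clipboard snapshots. The address regexes, the two-second window and the sample timeline are assumptions made for illustration.

```python
import re

# Illustrative address shapes (assumption: the article does not list the
# patterns the malware embeds; these are common public formats).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b"),
    "eth": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
}

def find_addresses(text):
    """Return (kind, address) pairs for wallet-shaped tokens, in text order."""
    hits = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        hits.extend((m.start(), kind, m.group()) for m in pattern.finditer(text))
    return [(kind, addr) for _, kind, addr in sorted(hits)]

def mask(text):
    """Replace each wallet-shaped token with a placeholder naming its kind."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        text = pattern.sub(f"<{kind}>", text)
    return text

def detect_swaps(events, window=2.0):
    """Flag changes where only the address part of the text was replaced.
    events: chronological (seconds, clipboard_text) pairs; a change counts
    when it lands within `window` seconds of the previous one."""
    alerts = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        old, new = find_addresses(before), find_addresses(after)
        if not old or old == new:
            continue
        if t1 - t0 <= window and mask(before) == mask(after):
            alerts.append({"time": t1, "copied": old, "now": new})
    return alerts

# Constructed sample data: these are not real wallet addresses.
ETH_A, ETH_B = "0x" + "11" * 20, "0x" + "22" * 20
BTC_A, BTC_B = "1" + "A" * 30, "1" + "B" * 30
SAMPLE_EVENTS = [
    (0.0, "hello world"),
    (10.0, f"Pay to {ETH_A} please"),
    (10.3, f"Pay to {ETH_B} please"),   # address changed 0.3 s after the copy
    (60.0, BTC_A),
    (95.0, BTC_B),                      # user copied another address 35 s later
    (95.5, "meeting notes"),
]

print(detect_swaps(SAMPLE_EVENTS))
```

The same comparison works as a manual habit: check the pasted address against the one that was copied before confirming a transfer.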

The clipboard-injector mainly targeted systems in Russia and Eastern Europe, but also in the US, Germany and China, among others.

To mitigate the impact of this threat, Kaspersky advised system defenders to download software only from reliable and trusted sources.

“A mistake likely made by all victims of this malware was to download and run Tor Browser from a third-party resource,” the company explained. “The installers coming from the official Tor Project were digitally signed and didn’t contain any signs of such malware.”

Malicious Tor Browser installers were also spread last year via an explanatory video about the Darknet on YouTube.
