2.3 Million Cryptocurrency Addresses Monitored by Clipboard Hijacking Malware

CryptoCurrency Clipboard Hijackers — malware that replaces copied cryptocurrency wallet addresses with an attacker’s addresses via the Windows copy-and-paste mechanism — are not particularly new. However, one new sample has been discovered which monitors more than 2.3 million cryptocurrency addresses.

Clipboard Hijacking on the Rise

Nobody ever called cryptocurrency ‘user-friendly.’ (Or, if they did, they were wrong.)

In the vast majority of cases, transacting cryptocurrencies requires inputting the receiver’s wallet address, which consists of a long and virtually impossible-to-memorize series of numbers and letters. To make their lives easier, most people copy and paste the address using their operating system.

If there’s a way to exploit something, hackers will figure it out — and the same applies here. Bitcoinist reported in April that malware identified by Palo Alto Networks targeted data held on user clipboards from the cut, copy and paste actions. That specific trojan was called ComboJack and replaced unsuspecting users’ wallet data with the wallet address of an attacker.

Most cases of CryptoCurrency Clipboard Hijackers were limited to fewer than a thousand cryptocurrency addresses. However, BleepingComputer has now discovered an example of this malware that monitors more than 2.3 million cryptocurrency addresses.

Explains the computer help website:

This infection was spotted as part of the All-Radio 4.27 Portable malware package that was distributed this week. When installed, a DLL named d3dx11_31.dll will be downloaded to the Windows Temp folder and an autorun called “DirectX 11” will be created to run the DLL when a user logs into the computer.

This DLL will be executed using rundll32.exe with the “rundll32 C:\Users\[user-name]\AppData\Local\Temp\d3dx11_31.dll,includes_func_runnded” command.

[…]
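The persistence described in the quoted report (an autorun that uses rundll32.exe to load a DLL from the user's Temp folder) is something a defender can check for. The following is an added example, not code from BleepingComputer or from this article; the autorun entries are constructed sample data, and how they are collected from a host (for example, an export from an autoruns listing tool) is an assumption left outside the script.

```python
import re
from ntpath import normpath

# Matches: [path\]rundll32[.exe] <dll path>,<export>  (either path may be quoted)
RUNDLL32 = re.compile(
    r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
# Temp locations; the sample in the report lived in AppData\Local\Temp.
TEMP_DIR = re.compile(r'\\(?:appdata\\local\\temp|windows\\temp)\\', re.IGNORECASE)
ENV_TEMP = re.compile(r'^%(?:temp|tmp)%\\', re.IGNORECASE)

# Constructed sample data: (autorun name, command line). The first entry mirrors
# the report; "alice" and "bob" are placeholder user names, the rest is benign filler.
SAMPLE_AUTORUNS = [
    ("DirectX 11",
     r"rundll32 C:\Users\alice\AppData\Local\Temp\d3dx11_31.dll,includes_func_runnded"),
    ("Control Panel helper",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ("Vendor Updater",
     r'"C:\Program Files\Vendor\updater.exe" /silent'),
    ("Updater",
     r'"C:\Windows\System32\rundll32.exe" "%TEMP%\helper.dll",Start'),
]


def suspicious_autoruns(entries):
    """Return (name, dll, export) for autoruns that load a DLL from a temp folder via rundll32."""
    hits = []
    for name, command in entries:
        match = RUNDLL32.match(command)
        if not match:
            continue  # not a rundll32 invocation
        dll = normpath(match.group("dll").strip())  # collapses ..\ tricks in the path
        if TEMP_DIR.search(dll) or ENV_TEMP.match(dll):
            hits.append((name, dll, match.group("export")))
    return hits


if __name__ == "__main__":
    for name, dll, export in suspicious_autoruns(SAMPLE_AUTORUNS):
        print(f"[!] autorun {name!r} loads {dll} (export {export}) from a temp folder")
```

A legitimate DirectX component would not be started from a per-user Temp directory, so the location of the DLL is a stronger signal here than the autorun's name or the file name.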
