Clipboard-Injector Attacks Aim to Swipe Your Crypto Wallets
Clipboard-injector attacks are a type of cyber-attack that targets cryptocurrency users by manipulating their computer’s clipboard function. The clipboard function is a standard feature in most operating systems that allows users to copy and paste text, images, and other types of data between applications. Clipboard-injector attacks occur when malware is installed on a victim’s computer, which monitors the clipboard function and replaces any cryptocurrency addresses that are copied with a different address controlled by the attacker.
The attack is typically initiated when a user wants to transfer cryptocurrency from their wallet to another address. The user copies the destination address from the wallet and pastes it into the transfer field of the cryptocurrency exchange or other application they are using to make the transaction. However, the malware installed on the user’s computer intercepts the clipboard data and replaces the legitimate destination address with an address controlled by the attacker. As a result, the user unknowingly sends their cryptocurrency to the attacker’s address instead of the intended recipient.
Clipboard-injector attacks have become increasingly common in recent years, as cryptocurrency has gained popularity and value. Attackers can potentially steal large amounts of cryptocurrency using this method, making it a lucrative form of cybercrime.
Kaspersky, a leading cybersecurity firm, recently uncovered a new malware campaign that specifically targets cryptocurrency wallets. The malware, discovered in September 2022, replaces part of the clipboard contents with fraudulent cryptocurrency wallet addresses, leading to irreversible transfers of funds. What’s worse is that the attack is silent, making it difficult for ordinary users to detect it, and it can remain undetected for years.
The attack relies on a passive and communication-less clipboard-injector malware, which is integrated into the chain of Windows clipboard viewers. The malware is activated when the clipboard data changes, and it scans the contents of the clipboard with a set of embedded regular expressions. If a match is found, it replaces the legitimate wallet address with a fraudulent one from a hardcoded list. The campaign primarily targeted systems in Russia and Eastern Europe but also affected the US, Germany, and China.
The malware authors distributed the trojanized Tor Browser installers among Russian-speaking users, taking advantage of the ban of the Tor Project’s website in Russia in 2021. Users unwittingly downloaded and installed the malware, allowing the attackers to steal their cryptocurrency funds. Kaspersky advised system defenders to only download software from reliable and trusted sources, as the official Tor Project installers were digitally signed and did not contain any malware.
The use of clipboard-injector malware is on the rise because it is difficult to detect and can remain undetected for years, leading to significant losses for users. Cybercriminals are increasingly targeting cryptocurrency wallets and exchanges to steal private keys or seed phrases to access funds. This new malware campaign is just one example of the innovative techniques that attackers are using to steal digital assets.
To protect against clipboard-injector attacks, users should be cautious when installing software and avoid downloading programs or files from untrusted sources. It is also recommended to use a cryptocurrency wallet that supports multi-signature authentication, which requires multiple parties to authorize transactions, making it more difficult for attackers to steal funds. Additionally, users can manually verify the destination address before submitting a transaction to ensure that it matches the intended recipient’s address; since the swap happens after the copy, the text actually pasted into the transfer field is what has to be checked, not the address displayed in the wallet. It is crucial to remain vigilant and only download software from trusted sources. System defenders should also regularly update their security software and educate users on best practices for securing their digital assets. As the value of cryptocurrencies continues to rise, cybercriminals will continue to target them, making it more important than ever to stay ahead of the curve in terms of cybersecurity.
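The regex-driven swap described earlier and the address check recommended here can be turned into a wallet-side guard: the wallet records what it placed on the clipboard and warns when that text later reads as a different address of the same format. This is an added example, not code from the page or from Kaspersky; `ClipboardEvent`, `detect_swaps`, the address patterns and the events in `SAMPLE_EVENTS` are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Address formats the guard recognises (patterns constructed for this example).
# The injector matches clipboard text against patterns like these before swapping it.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return which address format `text` matches, or None if it is not an address."""
    stripped = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(stripped):
            return chain
    return None

@dataclass
class ClipboardEvent:
    kind: str  # "placed": the wallet wrote it (user clicked Copy); "polled": re-read later
    text: str

def detect_swaps(events):
    """Return (placed, observed) pairs where an address the wallet placed on the
    clipboard later turned into a different address of the same format, the mark of
    a passive injector. A later copy of a URL or plain text raises no alert."""
    alerts, placed = [], None
    for event in events:
        if event.kind == "placed":
            placed = event.text.strip()
            continue
        observed = event.text.strip()
        if placed is None or observed == placed:
            continue  # nothing to compare against, or clipboard still intact
        if classify(placed) is not None and classify(observed) == classify(placed):
            alerts.append((placed, observed))
            placed = None  # report each placed address once
    return alerts

# Constructed sample: the wallet copies an address; the clipboard is later found
# holding a different address of the same format (the swap); then the user
# copies a non-address string, which is legitimate.
SAMPLE_EVENTS = [
    ClipboardEvent("placed", "1ExampLeWaLLetAddressConstructedXYZ"),
    ClipboardEvent("polled", "1ExampLeWaLLetAddressConstructedXYZ"),
    ClipboardEvent("polled", "1AttackerSwappedAddressConstructedQ"),
    ClipboardEvent("placed", "0x1234567890abcdef1234567890abcdef12345678"),
    ClipboardEvent("polled", "https://example.invalid/ (not an address)"),
]
```

On a real system the `polled` events come from re-reading the clipboard a short time after the wallet's own Copy action; the comparison logic itself is platform-independent.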
Clipboard-injector attacks are a serious threat to cryptocurrency users, and users should take steps to protect themselves against these types of attacks. Being aware of the risks and implementing best practices for online security can help prevent financial losses and protect sensitive data.
Author: Manjushree Gavitre