Topic: Clipboard Hijacker Malware Monitors 2.3 Million Bitcoin Addresses (Read 365 times)

hero member
Activity: 950
Merit: 517
I was thinking before that this kind of malware would come out soon, because we all copy and paste our bitcoin wallet addresses and keys in order to access our accounts, and someone just created it. This is so alarming. Thanks for the helpful information; we will now be more careful about what we install on our PC units.
jr. member
Activity: 76
Merit: 1
Thanks for sharing this important info with crypto users here. We will be more alert in dealing with our crypto transactions and be vigilant about how we do things on the internet.
full member
Activity: 448
Merit: 102
Thanks for the heads up mate. I do usually double and triple check my address before sending, but there have been times I have been lazy or in a rush and just copied, pasted and sent. I'll be triple checking every time from now on.
staff
Activity: 3248
Merit: 4110
I think most anti-virus software is not working properly: the anti-virus only cleans the built-in apps on a computer or phone but cannot clean up viruses contained in new applications that have been downloaded onto your computer or phone.
As with any virus that attacks the Facebook Messenger app, even if you have anti-virus on your computer or mobile phone, you still have to go into Facebook to clean it yourself.
They are working properly, but people expect things from them which aren't possible. For example, as I mentioned above, they only collect information from their known database and check whether that application has been submitted as malware within their database. If it hasn't, they don't flag it; if it does exist in their database, they flag it.

Anti-virus software doesn't have special permissions where it can take a look at an application's source code and determine whether it's safe or not. It's a glorified spreadsheet of known extensions/applications that are malware. If you use common sense you can get away with using an anti-virus.
newbie
Activity: 71
Merit: 0
This is really terrific. Thanks for your warning about it. Many will be aware after seeing this post, and I will request everyone to be very careful while dealing with bitcoin addresses. Double and triple check them. Otherwise you may fall victim to this malware.
newbie
Activity: 140
Merit: 0
I think most anti-virus software is not working properly: the anti-virus only cleans the built-in apps on a computer or phone but cannot clean up viruses contained in new applications that have been downloaded onto your computer or phone.
As with any virus that attacks the Facebook Messenger app, even if you have anti-virus on your computer or mobile phone, you still have to go into Facebook to clean it yourself.
staff
Activity: 3248
Merit: 4110
Thanks for the heads up mate. I knew nothing about this kind of malware until now, and this is rather alarming. Hackers are making cleverer and cleverer ways of getting as many of your cryptocoins as possible, so it is up to us not to be complacent, to always double check everything, and to make sure our antivirus is always updated.
This malware has always existed. Plus, anti virus is generally useless, and only picks up things that they already have in their database. Any new malware will not be picked up. Just don't download dodgy shit, and you will be fine. If you have to download a client that you don't trust then download it within a virtual machine.
I don't understand one thing though. Why is it saying "monitors addresses"? Does it have a database that matches the address you copy? Because that would be silly! The way these malware work is that they monitor your clipboard, and when something enters it they just check whether it is a bitcoin address or not, which is very simple since the text has to be a valid base58 (and now Bech32) encoded string.

Having a database for that is like having a database of 2.3 million numbers to check whether an input like 235513314955 is a number or not!
Could be referring to checking addresses to see if they have any value in them or not. It's very unlikely that they have a database they can check.
legendary
Activity: 2940
Merit: 3030
legendary
Activity: 3430
Merit: 10505
I don't understand one thing though. Why is it saying "monitors addresses"? Does it have a database that matches the address you copy? Because that would be silly! The way these malware work is that they monitor your clipboard, and when something enters it they just check whether it is a bitcoin address or not, which is very simple since the text has to be a valid base58 (and now Bech32) encoded string.

Having a database for that is like having a database of 2.3 million numbers to check whether an input like 235513314955 is a number or not!
full member
Activity: 386
Merit: 104
Thanks for the heads up mate. I knew nothing about this kind of malware until now, and this is rather alarming. Hackers are making cleverer and cleverer ways of getting as many of your cryptocoins as possible, so it is up to us not to be complacent, to always double check everything, and to make sure our antivirus is always updated.
hero member
Activity: 854
Merit: 658
Do you know if this malware can attack other operating systems like Mac OS and Linux?

Don't know at the moment, but I'm looking to get maybe more information about all this!

Most malware creators usually target Windows as it's more vulnerable, more hosts run it, and people that run it aren't as security conscious. It's usually not worth their time to target other OSes.
member
Activity: 728
Merit: 14
Thanks for this warning. Until just now I did not know that there is such a thing. Can I infect my system with it when I visit a website, or do I have to download something for that?
legendary
Activity: 2940
Merit: 3030
Do you know if this malware can attack other operating systems like Mac OS and Linux?

Don't know at the moment, but I'm looking to get maybe more information about all this!
member
Activity: 392
Merit: 11
Wow, thank you for this information. I have heard many experts in cryptocurrencies advising and educating newcomers to always double check the bitcoin and other cryptocoin addresses they are sending to before actually sending the funds. But it seems like many do not double check after pasting the BTC address. Do you know if this malware can attack other operating systems like Mac OS and Linux? Again, thank you for sharing this valuable information.
legendary
Activity: 2940
Merit: 3030
Found something interesting!

While cryptocurrency has seen tremendous growth over the past year, sending cryptocoins still requires users to send the coins to long and hard-to-remember addresses.
Because of this, when sending cryptocoins, many users will simply copy the address into memory from one application and paste it into another application that they are using to send the coins.

Attackers recognize that users are copying and pasting the addresses and have created malware to take advantage of this.
This type of malware, called CryptoCurrency Clipboard Hijackers, works by monitoring the Windows clipboard for cryptocurrency addresses,
and if one is detected, will swap it out with an address that they control.
Unless a user double-checks the address after they paste it, the sent coins will go to an address under the attacker's control instead of the intended recipient.

While we have covered cryptocurrency clipboard hijackers in the past and they are not new, most of the previous samples monitored for 400-600 thousand cryptocurrency addresses.
This week BleepingComputer noticed a sample of this type of malware that monitors for over 2.3 million cryptocurrency addresses!

[Image: 2.3 million cryptocurrency addresses being monitored by malware]


How the infection loads

This infection was spotted as part of the All-Radio 4.27 Portable malware package that was distributed this week.
When installed, a DLL named d3dx11_31.dll will be downloaded to the Windows Temp folder and an autorun called "DirectX 11" will be created to run the DLL when a user logs into the computer.
This DLL will be executed using rundll32.exe with the "rundll32 C:\Users\[user-name]\AppData\Local\Temp\d3dx11_31.dll,includes_func_runnded" command.



[Image: Rundll32.exe launching the infection]


Protecting yourself from clipboard hijackers


As malware like this runs in the background with no indication that it is even running, it is not easy to spot that you are infected.
Therefore it is important to always have an updated antivirus solution installed to protect you from these types of threats.
It is also very important that all cryptocurrency users double-check any addresses that they are sending cryptocoins to before they actually send them.
This way you can spot whether an address has been replaced with a different one than was intended.
