A recent discovery by security researchers at Kaspersky has unveiled a new malware campaign that targets cryptocurrency wallets. The attacks were first detected in September 2022 and involve malware that replaces a portion of the clipboard contents with cryptocurrency wallet addresses.
In their advisory, Kaspersky highlights the danger posed by this seemingly simple attack, noting that it can lead to irreversible money transfers. What makes this malware particularly insidious is its passive nature, which makes it difficult for normal users to detect. Unlike worms or viruses that may exhibit visible signs of activity, clipboard injectors can remain silent for extended periods, only revealing themselves when they replace a crypto wallet address.
The malware campaign observed by Kaspersky was found to be utilizing Tor Browser installers as a means of distributing the malicious software. This tactic is believed to be linked to the ban of the Tor Project’s website in Russia at the end of 2021, prompting malware authors to create trojanized Tor Browser bundles targeted at Russian-speaking users.
The payload of the malicious campaign consisted of a communication-less clipboard-injector malware that integrates into the Windows clipboard viewers. This malware scans clipboard contents using predefined regular expressions and replaces any matching text with a randomly chosen address from a hardcoded list. While the primary targets were systems in Russia and Eastern Europe, infections were also observed in the US, Germany, China, and other countries.
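The replacement behaviour described above leaves a recognisable trace in clipboard-change telemetry: an address is overwritten almost at once by a different address of the same type, and the replacements repeat because they come from a fixed list. The following detection sketch is an added example, not code from Kaspersky or from the malware; the address patterns, the 0.5-second threshold, the event format and all names are assumptions made for illustration.

```python
import re
from collections import Counter, namedtuple

# Simplified address shapes chosen for this example (not the malware's own expressions).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

ClipEvent = namedtuple("ClipEvent", "ts text")  # ts: seconds; text: clipboard after change
Swap = namedtuple("Swap", "kind original replacement gap")

def classify(text):
    """Return the address type the whole clipboard text matches, or None."""
    value = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(value):
            return kind
    return None

def find_swaps(events, max_gap=0.5):
    """Flag an address replaced by another of the same type within max_gap seconds."""
    swaps = []
    for prev, cur in zip(events, events[1:]):
        old, new = prev.text.strip(), cur.text.strip()
        kind, gap = classify(old), cur.ts - prev.ts
        if kind and kind == classify(new) and old != new and 0 <= gap <= max_gap:
            swaps.append(Swap(kind, old, new, round(gap, 3)))
    return swaps

def repeated_replacements(swaps):
    """Replacement addresses seen more than once suggest a fixed, hardcoded list."""
    counts = Counter(s.replacement for s in swaps)
    return {addr: n for addr, n in counts.items() if n > 1}

# Constructed clipboard-change log; every address is a made-up placeholder.
SAMPLE = [
    ClipEvent(0.00, "meeting notes draft"),
    ClipEvent(12.40, "0x" + "a1" * 20),
    ClipEvent(12.43, "0x" + "ee" * 20),    # overwritten 30 ms later
    ClipEvent(95.10, "1" + "B" * 30),
    ClipEvent(140.70, "1" + "C" * 30),     # slow change: an ordinary second copy
    ClipEvent(300.00, "0x" + "b2" * 20),
    ClipEvent(300.02, "0x" + "ee" * 20),   # same replacement address again
]

if __name__ == "__main__":
    print(find_swaps(SAMPLE), repeated_replacements(find_swaps(SAMPLE)))
```

The slow change between the two legacy-style addresses is not flagged, which keeps a user who copies two addresses in a row from raising an alert.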
To protect against this threat, Kaspersky advises users to download software only from reputable and trusted sources. Victims of this malware often made the mistake of downloading Tor Browser from third-party sites, whereas the official Tor Project installers are digitally signed and free of malware.
Furthermore, Kaspersky notes that last year malicious Tor Browser installers were also spread through a YouTube video explaining the Darknet, emphasizing the importance of exercising caution when downloading software from the internet.
In conclusion, this latest malware campaign targeting cryptocurrency wallets highlights the ongoing need for vigilance and cybersecurity measures to protect against evolving threats in the digital landscape. Stay informed, stay cautious, and stay safe online.