ALBERT

TRUSTED VENDOR
Staff member
Joined
Dec 3, 2020
Messages
1,214
Security researchers have discovered a new malware strain that is capable of detecting when users copy a cryptocurrency address to the Windows clipboard. The malware works by replacing this address with one owned by its author.

Named ComboJack, this malware is similar to Evrial and CryptoShuffler. The difference between ComboJack and the two is that ComboJack supports multiple cryptocurrencies, not just Bitcoin.

ComboJack targets multiple cryptocurrencies
According to Palo Alto Networks, ComboJack can detect whenever the user has copied a cryptocurrency address for Bitcoin, Litecoin, Ethereum, and Monero, but also for other digital payment systems such as Qiwi, Yandex Money, and WebMoney (USD and ruble payments).

ComboJack is under active distribution, Palo Alto said today. The company says it detected this malware as the final payload of a malspam campaign targeting Japanese and American users.

ComboJack uses a multi-step infection chain
The exploitation chain is quite complex, but follows the patterns seen last year with Dridex (banking trojan) and Locky (ransomware) campaigns.

Crooks send victims an email claiming to contain a scan of a lost passport. The file attachment with this email is in PDF format.

If the user downloads and opens this PDF, the file opens an RTF file that contains an embedded HTA object that tries to exploit the CVE-2017-8579 DirectX vulnerability.

On successful exploitation, the HTA file embedded in the RTF file (itself embedded in the PDF) runs a series of PowerShell commands that download and execute a self-extracting executable (SFX).

But the infection chain is not done. This SFX file downloads and runs a password-protected SFX that then installs ComboJack.

ComboJack then gains boot persistence and starts scanning the Windows clipboard every half a second for new content. Once the user copies a string that matches a known pattern for a cryptocurrency (or payment system) address, ComboJack replaces that address with one from an internal list.
Users are advised to double-check that the cryptocurrency payment addresses they copy-pasted are identical in the source and destination locations.
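The replacement behaviour described above has a simple defensive signature: the clipboard held an address, now holds a different address of the same currency, and no copy action from the user accompanied the change. The following is an added example (not code from the article or from Palo Alto Networks) that applies that rule to a constructed clipboard log; the address regexes are loose, constructed approximations of the formats named in the article, not ComboJack's own patterns.

```python
import re

# Loose syntactic patterns for the address formats the article says ComboJack
# watches for (constructed for this example; not ComboJack's own regexes).
ADDRESS_PATTERNS = {
    "bitcoin":  re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "litecoin": re.compile(r"^[LM][a-km-zA-HJ-NP-Z1-9]{26,33}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero":   re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}

def classify(text):
    """Return the currency whose address pattern `text` matches, else None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

def find_silent_swaps(events):
    """Flag clipboard changes that look like a hijack: the clipboard held an
    address, now holds a *different* address of the same currency, and no
    user copy action accompanied the change.
    Each event is (timestamp_s, clipboard_content, user_copied)."""
    alerts = []
    prev_content = None
    for ts, content, user_copied in events:
        if prev_content is not None and content != prev_content and not user_copied:
            before, after = classify(prev_content), classify(content)
            if before is not None and before == after:
                alerts.append({"time": ts, "currency": before,
                               "original": prev_content, "replacement": content})
        prev_content = content
    return alerts

# Constructed clipboard log: (seconds, clipboard text, copy keystroke observed).
SAMPLE_EVENTS = [
    (0.0, "Invoice #1234 due Friday", True),
    (1.0, "1ConstructedBtcAddrDemoAAAA", True),      # user copies their BTC address
    (1.4, "1AttackerSwappedBtcAddrDemoBBB", False),  # replaced without a copy action
    (5.0, "0x" + "ab" * 20, True),                   # user copies an ETH address
    (6.0, "0x" + "cd" * 20, True),                   # user deliberately copies another
    (7.0, "meeting notes", False),                   # non-address change, ignored
]

if __name__ == "__main__":
    for alert in find_silent_swaps(SAMPLE_EVENTS):
        print(f"[{alert['time']}s] {alert['currency']} address silently replaced:"
              f" {alert['original']} -> {alert['replacement']}")
```

A real monitor would feed `find_silent_swaps` from a clipboard-change listener paired with a hook that records the user's own copy actions; the rule itself does not depend on how the events are collected.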