The experts at Kaspersky Lab are warning about CryptoShuffler, a piece of malware that steals cryptocurrency from wallets by replacing the recipient's wallet address with its own. Cybercriminals have used the technique to steal almost 140,000 dollars to date, the IT security firm reports. The main target is probably Bitcoin, the firm indicates, as it is the most common currency found in such wallets. Yet other popular digital currencies, including Ethereum, Zcash, Dash and Monero, also appear to have been targeted. That last cryptocurrency is also in the crosshairs of another Trojan isolated by the cybersecurity experts, known as DiscordiaMiner. Beyond this, there is also an increased volume of spam mail in circulation related to cryptocurrency.
In the third quarter, the malware observers at Kaspersky Lab saw a particular spike in spam fraud related to cryptocurrencies:
It should come as no surprise that cybercriminals are currently focused on cryptocurrencies and their owners. The rising number of businesses that accept Bitcoin has pushed it to a breakthrough in the public consciousness. Even users with little technical knowledge of blockchain technology and asset investment are beginning to ask about the benefits of Bitcoin and its ilk.
"Cryptocurrencies are no longer science fiction," says Sergey Yunakovsky, a malware analyst at Kaspersky Lab. "They're now part of our lives and are spreading around the world — becoming more accessible for normal users and more attractive for criminals. For some time now we've been observing a rise in malware attacks aimed at various breeds of cryptocurrency." The company expects this trend to continue and urges caution: "Users currently considering investing in cryptocurrencies should consider whether they are sufficiently protected."
So what does that really mean? The CryptoShuffler Trojan changes the wallet address held in the infected machine's clipboard, the place where items are temporarily stored during the cut-and-paste process. Clipboard-based hijacking attacks have been around for years; classically they have redirected users to malicious websites and targeted online payment systems. Once installed, CryptoShuffler monitors the clipboard used during a payment process. This clipboard temporarily holds the wallet address that is then to be pasted into the "Recipient" field of the transaction.
The Trojan steps in at this point, replacing the legitimate address with its own. When the user pastes the wallet ID into the recipient line, it contains the attacker's address, not the intended one, and the victim thus sends the money directly to the cybercriminals. The swap happens in the clipboard instantly and is based on a simple search for wallet addresses: for most cryptocurrencies the address sits at a fixed position in the transaction line and always has the same number of characters, which makes it easy for the malware to recognise an address and substitute its own.
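The technique rests on wallet addresses having a recognisable shape, and the same property serves a defender: a clipboard monitor can flag when a process other than the user overwrites a copied wallet address with a different address of the same currency. The following Python is an added illustration, not code from Kaspersky Lab or from the malware; the address patterns are simplified assumptions (no checksum validation) and the clipboard log and addresses are constructed.

```python
import re
from typing import List, Optional, Tuple

# Illustrative address shapes (assumed, simplified; no checksum validation).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{39,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}

def classify(text: str) -> Optional[str]:
    """Return the currency whose address shape `text` matches, else None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

def find_substitutions(events: List[Tuple[str, str]]) -> List[Tuple[int, str, str, str]]:
    """Scan clipboard writes in order; `writer` is "user" for a copy the user made,
    otherwise the writing process. Alert when a non-user writer replaces a
    user-copied wallet address with a different address of the same currency."""
    alerts = []
    last_user_copy = None  # (currency, address) from the user's most recent copy
    for index, (writer, content) in enumerate(events):
        currency = classify(content)
        if writer == "user":
            last_user_copy = (currency, content) if currency else None
            continue
        if last_user_copy and currency == last_user_copy[0] and content != last_user_copy[1]:
            alerts.append((index, currency, last_user_copy[1], content))
    return alerts

# Constructed sample addresses and clipboard log (not real wallets or processes).
ADDR_A = "1Kx9vQ4pZr8NhT2sYb3mWfGcJd5uLeHtAa"
ADDR_B = "1Rz7wM3nXq2Pk6vTy9bHs4dFgJcLeNuEa"
ADDR_ETH = "0xabcdef0123456789abcdef0123456789abcdef01"
SAMPLE_EVENTS = [
    ("user", ADDR_A),            # user copies the intended recipient
    ("unknown.exe", ADDR_B),     # another process swaps in a different bitcoin address
    ("user", "meeting at 10"),   # ordinary text, not an address
    ("clipmgr.exe", ADDR_B),     # no user-copied address pending: not flagged
    ("user", ADDR_ETH),
    ("clipmgr.exe", ADDR_ETH),   # identical content rewritten: not a swap
]

if __name__ == "__main__":
    for index, currency, wanted, got in find_substitutions(SAMPLE_EVENTS):
        print(f"event {index}: {currency} address {wanted} replaced by {got}")
```

Only the second event is reported; a rewrite of identical content or an address written when no user copy is pending is not treated as a swap.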
The experts have also identified a Trojan called DiscordiaMiner that targets the Monero cryptocurrency and was designed to upload and execute files on a remote server. Kaspersky Lab's detection names for the blocked malware are "Trojan-Banker.Win32.CryptoShuffler.gen" and "Trojan.Win32.DiscordiaMiner". Beyond keeping security software up to date, users should also apply common sense: the spam methods described above pose no real threat to experienced users, but not all users are as aware of the risks. Cybercriminals will therefore keep up their efforts, probably with fair success, in the future.