A clipboard hijacking campaign has been spotted primarily targeting cryptocurrency owners in Russia and Eastern Europe. Discovered by Kaspersky, the primary delivery method of this malware is a trojanized version of the TOR Browser, a modified web browser that is used to access the dark web. The trojanized version portrays itself as a modified, more secure version of the software. To avoid detection, the malware also includes a typically outdated version of the TOR browser and encrypts its malicious payload to avoid signature-based detections. The final payload is a passive, and communicationless malware that reads any information stored in the clipboard and applies several Regular Expressions to identify cryptocurrency wallet IDs. When matched, the malware replaces the wallet ID with one controlled by an attacker. An estimate from Kaspersky places the value of stolen Bitcoin around $380, 000 with other currencies being targeted as well.
This financially motivated campaign appears similar to a campaign that targeted Polish banks in 2013, but this iteration did not begin until after Russia banned the TOR browser in late 2021. The previous campaign required the attacker to identify a banking environment and then replace specific routing information that did not make the transaction invalid. This new method of targeting users rather than banks has broadened their attack surface, decreased the risk the threat actor is taking, and ensured that successful replacement attacks will result in monetary gains. Financially motivated attacks are nothing new, but this type of campaign can only be countered via a strong awareness of the security landscape and validation on the part of users.
Copy-paste heist or clipboard-injector attacks on cryptousers