Once it detects clipboard activity that contains either a Bitcoin or an Ethereum wallet ID, it tampers with the receiving address and redirects the cryptocurrency to its own wallet.
BTC & ETH Clipboard Replacement by Malware
In the initial stage, the malware monitors the content of the clipboard.
Here, ClipboardWalletHijacker's recurring loop contains the attacker's own cryptocurrency wallet address.
It uses the function “GetClipboardData” to fetch the clipboard data in order to replace the victim’s wallet address.
If it then detects that the content is an Ethereum wallet address, it replaces the address with its own.
The attacker uses its own wallet address “0x004D3416DA40338fAf9E772388A93fAF5059bFd5” to replace the address in the victim’s clipboard.
The attackers completed 46 successful transactions in total using this wallet address.
If it did not find an Ethereum wallet address, the Trojan checks whether the content is a Bitcoin address and whether the address begins with 1 or 3.
According to 360totalsecurity, if the current date is earlier than the 8th of the month, it replaces the address with “19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL”. Otherwise, it uses “1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1” instead.
The ClipboardWalletHijacker malware has already hijacked five Bitcoin transactions, and the amount of the latest transaction is 0.069 BTC (approximately equivalent to 500 US dollars).
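A paste-time check a wallet front end or triage script could apply against the behaviour described above. This is an added example, not code from the article or from 360totalsecurity; the function names and the sample victim addresses are assumptions, and addresses are matched by shape only, without checksum validation.

```python
import re

# Replacement addresses reported in the article, used here as indicators.
# Ethereum hex is case-insensitive, so it is stored lower-cased.
KNOWN_HIJACK_ADDRESSES = {
    "0x004d3416da40338faf9e772388a93faf5059bfd5",
    "19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL",
    "1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1",
}

ETH_RE = re.compile(r"0x[0-9a-fA-F]{40}")
# Legacy Bitcoin addresses: start with 1 or 3, Base58, 26-35 chars in total.
BTC_RE = re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")


def address_kind(text):
    """Return 'eth', 'btc' or None, judged by shape only (no checksum)."""
    text = text.strip()
    if ETH_RE.fullmatch(text):
        return "eth"
    if BTC_RE.fullmatch(text):
        return "btc"
    return None


def normalise(text):
    """Strip whitespace and lower-case Ethereum addresses for comparison."""
    text = text.strip()
    return text.lower() if address_kind(text) == "eth" else text


def check_paste(copied, pasted):
    """Compare what the user copied with what arrived in the payment form."""
    if normalise(pasted) in KNOWN_HIJACK_ADDRESSES:
        return "known-hijacker"
    if (address_kind(copied) and address_kind(pasted)
            and normalise(copied) != normalise(pasted)):
        return "swapped"  # an address went in, a different one came out
    return "ok"


# Constructed sample addresses (right shape, not real wallets).
SAMPLE_ETH = "0x" + "ab" * 20
SAMPLE_BTC = "1" + "A" * 33
SAMPLE_BTC_OTHER = "3" + "B" * 33
```

The "swapped" verdict does not depend on the indicator list, so it still fires if the replacement addresses are rotated.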
Since the beginning of this year, cryptojacking attacks have kept rising; users are advised to enable antivirus software while installing new applications.