This sneaky hijack malware replaces your crypto addresses with lookalikes

A brand new clipper malware has been found taking the theft of cryptocurrency to a whole new level, researchers have claimed.

Clippers are a well-known security threat: malware variants that monitor the clipboard of a Windows-powered endpoint and, when they see that a user has copied a cryptocurrency wallet address, replace it with an address belonging to the attacker. That way, when the victim sends their funds, they're actually sending them to the attacker's wallet.

But the attack is quite easy to spot, especially for more security-aware users (which crypto users generally are). All it takes is to compare a couple of characters between the copied address and the pasted one to see if they match. Usually, users check the last few characters.

Generating countless addresses?

That's exactly the safety measure the new Laplas Clipper is looking to eliminate, and it does so by generating addresses that are seemingly identical to the authentic ones.

Exactly how Laplas does this is not yet clear, researchers from Cyble said, as the process takes place on the attacker's server, and crypto addresses are sometimes a string of more than 40 characters.

One possible explanation is that the malware operators generated countless addresses in advance, and the tool simply uses the one that most closely resembles the authentic address at that moment.

When BleepingComputer put the clipper to the test, it came out with mixed results. While Bitcoin addresses matched the first and the last few characters, Ethereum addresses were not even close. In general, the clipper hunts for addresses for Bitcoin, Ethereum, Bitcoin Cash, Litecoin, Dogecoin, Monero, Ripple, ZCash, Dash, Ronin, and Tron, as well as Steam Trade URLs.
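The example below is added here and is not from the article, Cyble or BleepingComputer. It shows why checking only the last few characters passes a lookalike substitution while a full-string comparison catches it; the address patterns are simplified shape checks and every sample address is constructed.

```python
import re

# Simplified shape checks (an assumption of this example), not full validators.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[0-9a-z]{11,71})"),
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
}
# Constructed sample values, not real wallets.
COPIED = "1ExampLeCopiedAddr7Yh3kQ2mNpX9w4Tz"
LOOKALIKE = "1ExQz8VbTn5Rk2Wc6HdJp3FsGy7Mu9w4Tz"  # same first 3 and last 5 chars
ETH_COPIED = "0x" + "ab12" * 10
ETH_OTHER = "0x" + "cd34" * 10

def address_kind(text):
    """Return the coin whose address shape matches text, or None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text.strip()):
            return kind
    return None

def shared_edges(a, b):
    """Count characters two strings share at the start and at the end."""
    limit = min(len(a), len(b))
    prefix = 0
    while prefix < limit and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < limit - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix, suffix

def tail_check(copied, pasted, n=4):
    """The habit described in the article: compare only the last n characters."""
    return copied.strip()[-n:] == pasted.strip()[-n:]

def classify_paste(copied, pasted, edge=4):
    """Full comparison of the copied address with what is about to be sent."""
    copied, pasted = copied.strip(), pasted.strip()
    kind = address_kind(copied)
    if kind is None:
        return "not-an-address"
    if copied == pasted:
        return "match"
    _, suffix = shared_edges(copied, pasted)
    if address_kind(pasted) == kind and suffix >= edge:
        return "lookalike-swap"  # would pass a last-few-characters check
    return "swap"

if __name__ == "__main__":
    print(tail_check(COPIED, LOOKALIKE), classify_paste(COPIED, LOOKALIKE))
```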

The tool is sold on a subscription model, priced at $29 for one Sunday, $59 for a month, $159 for three months, $299 for half a year, and $549 for a full year.

Via: BleepingComputer
