Since September 2022, attackers have been using trojanized installers for the Tor anonymity browser to target individuals in Russia and Eastern Europe. The malware involved is a clipper, a class of malware that steals cryptocurrency by tampering with wallet addresses in the clipboard.
According to Vitaly Kamluk, director of Kaspersky's Global Research and Analysis Team (GReAT) for APAC, clipboard injectors can remain inactive and undetected for extended periods, with no network activity and no observable indicators of their presence. They only become noticeable on the day they replace a cryptocurrency wallet address with one of their own.
An important characteristic of clipper malware is that it only becomes harmful if certain requirements in the data stored in the clipboard are met, making it more difficult to detect.
How the installers are distributed is not yet clear, but there are indications that they spread through torrent downloads or an unidentified third-party source, a plausible route given that the Tor Project's website has been blocked in Russia in recent times.
Whichever route is used, running the installer launches the genuine Tor Browser and, alongside it, the clipper payload, which is specifically designed to monitor what is copied to and from the clipboard.
According to Kamluk, if there is any text on the clipboard, it will be checked against a series of embedded regular expressions. If a match is found, it will be substituted with a random address chosen from a specific predetermined list.
The sample contains a large number of candidate replacement addresses, one of which is chosen at random for each substitution. It also includes a feature to disable the malware with a specific key combination (Ctrl+Alt+F10), which was likely added during the testing phase.
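As an added defensive illustration (not code from Kaspersky's report or from the malware), the following Python compares the text a user copied with what the clipboard currently holds and flags the substitution pattern described above: an address-shaped token for one asset family disappearing while a different token of the same family appears. The address patterns and all sample addresses are constructed for the example, and the clipboard itself is simulated with plain strings.

```python
import re
from typing import Dict, Set

# Constructed address-shape patterns for the asset families the report names.
# They classify the shape of a token only; they do not validate checksums.
WALLET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "bitcoin": re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"),
    "litecoin": re.compile(r"\b(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[ac-hj-np-z02-9]{11,71})\b"),
    "ethereum": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "dogecoin": re.compile(r"\bD[a-km-zA-HJ-NP-Z1-9]{33}\b"),
}


def wallet_addresses(text: str) -> Dict[str, Set[str]]:
    """Map each asset family to the set of address-shaped tokens found in text."""
    found: Dict[str, Set[str]] = {}
    for name, pattern in WALLET_PATTERNS.items():
        hits = set(pattern.findall(text))
        if hits:
            found[name] = hits
    return found


def detect_swap(copied: str, clipboard_now: str) -> Dict[str, Dict[str, Set[str]]]:
    """Compare what the user copied with what the clipboard now holds.

    Returns, per asset family, the addresses that vanished and those that were
    injected in their place. An empty dict means no substitution was observed;
    an ordinary edit that adds or removes text without swapping an address is
    not reported, which keeps false positives low.
    """
    if copied == clipboard_now:
        return {}
    before, after = wallet_addresses(copied), wallet_addresses(clipboard_now)
    swaps: Dict[str, Dict[str, Set[str]]] = {}
    for name in set(before) | set(after):
        removed = before.get(name, set()) - after.get(name, set())
        injected = after.get(name, set()) - before.get(name, set())
        if removed and injected:  # same family lost and gained: clipper signature
            swaps[name] = {"removed": removed, "injected": injected}
    return swaps


if __name__ == "__main__":
    # Constructed sample: the user copied one address, the clipboard now holds another.
    copied_text = "send to 1KaSperskyDemoAddr23456789ABCDEF today"
    clipboard_text = "send to 1SwappedDemoAddr23456789ABCDEFGH today"
    print(detect_swap(copied_text, clipboard_text))
```

A real deployment would read the clipboard through the operating system and alert the user before a paste into a wallet application is confirmed.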
The Russian cybersecurity firm reported that it identified around 16,000 incidents, most of them in Russia and Ukraine, followed by the United States, Germany, Uzbekistan, Belarus, China, the Netherlands, the United Kingdom and France. Overall, the threat was observed in 52 countries.
The scheme is believed to have brought in approximately $40,000 in illicit proceeds from stolen Bitcoin, Litecoin, Ether and Dogecoin. The amount of Monero taken is unknown because of the privacy protections built into that currency.
The campaign is thought to be larger than observed, since the attackers may be using other installers and as yet unidentified methods to reach unsuspecting users.
To protect against threats of this kind, software should be obtained only from reputable and trusted sources.