A new strain of malware named CryptoClippy is targeting Portuguese users and stealing their cryptocurrency through a malvertising campaign.
According to a recent report by Palo Alto Networks Unit 42, the operators use SEO poisoning to lure people searching for WhatsApp Web to fake websites that serve the malware.
CryptoClippy, which is an executable written in the C programming language, belongs to a category of malicious software known as clipper malware. Its function is to keep a close eye on a victim's clipboard and identify any cryptocurrency addresses that match certain criteria. Once identified, CryptoClippy replaces these addresses with ones that are controlled by the perpetrator behind the malware.
According to the Unit 42 researchers, the clipper uses regular expressions to determine which cryptocurrency a given address belongs to.
In this scenario, the malicious actor alters the copied wallet address with a visually similar one that belongs to them. As a result, when the victim tries to conduct a transaction by pasting the copied address, they unintentionally end up sending their cryptocurrency directly to the attacker.
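The swap described above can be caught on the user's side by comparing the address that was copied with the address about to be pasted. The following is an added defensive example, not code from Unit 42 or from the malware: the regexes, the sample addresses and the similarity rule are constructed for illustration, and the hallmark it looks for is a replacement that keeps the same currency type and the same leading or trailing characters.

```python
import re

# Constructed regexes for the address formats a clipper would target.
# They stand in for the regexes the page says the malware uses to
# decide which currency an address belongs to.
ADDRESS_PATTERNS = {
    "BTC-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "BTC-bech32": re.compile(r"^bc1[a-z0-9]{39,59}$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed sample addresses (not real wallets, not indicators).
COPIED_BTC = "1CoNsTrUcTeDaDdReSsFoRtEsT3k9QmPxV"
SWAPPED_BTC = "1CoNsAbcdefghjkmnpqrstuvwxyzABCPxV"  # same prefix, same length
ETH_ADDR = "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd"


def classify_address(text):
    """Return the currency label whose regex matches `text`, else None."""
    value = text.strip()
    for label, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return label
    return None


def looks_similar(a, b, edge=4):
    """True when the first or last `edge` characters agree, which is how a
    substitute address passes a quick visual check by the victim."""
    return a[:edge] == b[:edge] or a[-edge:] == b[-edge:]


def check_paste(copied, pasted):
    """Compare the address the user copied with the one about to be pasted.
    Returns a verdict: 'ok', 'changed', 'swapped-same-currency' (the clipper
    hallmark) or 'not-an-address' when the copied text was not a wallet."""
    copied, pasted = copied.strip(), pasted.strip()
    kind_copied, kind_pasted = classify_address(copied), classify_address(pasted)
    result = {"copied": kind_copied, "pasted": kind_pasted, "similar": False}
    if kind_copied is None:
        result["verdict"] = "not-an-address"
    elif copied == pasted:
        result["verdict"] = "ok"
    else:
        result["similar"] = looks_similar(copied, pasted)
        same = kind_pasted == kind_copied
        result["verdict"] = "swapped-same-currency" if same else "changed"
    return result
```

A real monitor would feed `check_paste` the clipboard contents captured at copy time and again just before the paste into a wallet form, and block or warn on any verdict other than `ok`.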
The campaign has earned its operators approximately $983 so far, and its victims span industries including manufacturing, IT services, and real estate.
Notably, the technique of using poisoned search results to distribute malware has also been adopted by actors associated with the GootLoader malware.
To select suitable targets, a traffic direction system (TDS) checks whether the visitor's preferred browser language is Portuguese and, if so, redirects the user to a deceptive landing page.
Visitors who do not meet that requirement are sent to the legitimate WhatsApp Web site with no further malicious activity, which helps the campaign evade detection.
The findings come days after SecurityScorecard detailed an information stealer named Lumma that can harvest data from web browsers, cryptocurrency wallets, and applications such as AnyDesk, FileZilla, KeePass, Steam, and Telegram.