Over Two Million Cryptocurrency Addresses Tracked by Clipboard Hijacking Malware

A new piece of malware that watches the Windows clipboard for cryptocurrency addresses apparently has some 2.3 million victims, according to digital security experts. Unlike the recent OSX.Dummy attack, it does not target the clipboard on Apple’s OS X or macOS, so users of those systems seem safe.

Since it relies on manipulation of a specific DLL, it’s doubtful that this would cause issues for GNU/Linux installations either. No one has yet commented on whether the use of Wine would at all influence the security profile for Unix users.

Transferring cryptocurrency between two accounts requires the use of extremely long wallet addresses. As a result, the overwhelming majority of users simply copy and paste these strings from one program to another. Some may do so precisely because they are afraid of keystroke loggers and figure that using the clipboard is safer.

If a machine is infected by this new malware, crackers can monitor the Windows clipboard and swap a copied wallet address for one they control. New reports say that the infection probably came as part of the All-Radio 4.27 Portable application bundle.
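The swap described above succeeds only because nothing compares what the user copied with what actually gets pasted. The following is an added example, not code from the article or from any wallet software: a small clipboard guard that records the address the user deliberately copied and reports "swapped" if, at paste time, the clipboard holds a different address. The addresses are constructed from made-up hash bytes, and the Base58Check helpers exist only to build and validate them; the bech32 check is shape-only.

```python
"""Clipboard-swap guard for wallet addresses (added example, not from the article)."""
import hashlib
import re
from typing import List, Optional, Tuple

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_BTC_LEGACY = re.compile(r"^[13][" + _B58 + r"]{25,34}$")   # Base58Check; checksum verified below
_BTC_BECH32 = re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$")  # shape only, no bech32 checksum here
_ETH_HEX = re.compile(r"^0x[0-9a-fA-F]{40}$")


def base58check_encode(payload: bytes) -> str:
    """Base58Check-encode version||hash160; used here only to build constructed sample addresses."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = _B58[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out  # each leading zero byte is written as a '1'


def base58check_ok(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 are a valid double-SHA256 checksum."""
    try:
        n = 0
        for ch in addr:
            n = n * 58 + _B58.index(ch)
        raw = n.to_bytes(25, "big")
    except (ValueError, OverflowError):
        return False
    leading_ones = len(addr) - len(addr.lstrip("1"))
    if len(raw.lstrip(b"\x00")) != 25 - leading_ones:  # leading '1's must equal leading zero bytes
        return False
    return hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4] == raw[-4:]


def classify(text: str) -> Optional[str]:
    """Return the address family of a clipboard string, or None if it is not an address."""
    text = text.strip()
    if _ETH_HEX.match(text):
        return "eth"
    if _BTC_BECH32.match(text):
        return "btc-bech32"
    if _BTC_LEGACY.match(text) and base58check_ok(text):
        return "btc-legacy"
    return None


class ClipboardGuard:
    """Remembers what the user copied on purpose and checks the clipboard before a paste."""

    def __init__(self) -> None:
        self.intended: Optional[str] = None

    def on_user_copy(self, text: str) -> None:
        # Called only for a copy the user performed (hotkey or menu), never for background changes.
        self.intended = text.strip() if classify(text) else None

    def check_before_paste(self, clipboard_now: str) -> str:
        """'ok', 'swapped' (another address replaced the copied one), 'unverified' or 'not-address'."""
        now = clipboard_now.strip()
        if classify(now) is None:
            return "not-address"
        if self.intended is None:
            return "unverified"  # an address the user never copied: treat as untrusted
        return "ok" if now == self.intended else "swapped"


def replay(events: List[Tuple[str, str]]) -> List[str]:
    """Drive the guard with a constructed event log; returns one verdict per paste."""
    guard, current, verdicts = ClipboardGuard(), "", []
    for kind, text in events:
        if kind == "copy":        # the user copies something
            current = text
            guard.on_user_copy(text)
        elif kind == "change":    # clipboard rewritten by another process, as the hijacker does
            current = text
        elif kind == "paste":     # the user is about to paste whatever is there now
            verdicts.append(guard.check_before_paste(current))
    return verdicts


# Constructed addresses built from made-up hash160 bytes; they are not real wallets.
GENUINE = base58check_encode(b"\x00" + bytes(range(1, 21)))
ATTACKER = base58check_encode(b"\x00" + bytes(range(21, 41)))
SAMPLE_EVENTS = [
    ("copy", GENUINE), ("paste", ""),                        # untouched -> ok
    ("copy", GENUINE), ("change", ATTACKER), ("paste", ""),  # hijacked -> swapped
    ("copy", "meeting notes"), ("paste", ""),                # ordinary text -> not-address
    ("change", ATTACKER), ("paste", ""),                     # address never copied -> unverified
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

The guard deliberately distinguishes a user copy from a background clipboard change: a real wallet front-end would hook the user's copy action (or ask the user to confirm the address on screen) rather than trusting whatever the clipboard contains at paste time, which is exactly the assumption the malware exploits.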

Users who install the package get a file called d3dx11_31.dll downloaded to their Windows/Temp directory. An autorun item called DirectX 11 activates the DLL when a user logs into their account.

As a result, these processes look legitimate even to a trained eye, which has made it fairly difficult for Windows security experts to catch the infection until now.
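The two artefacts the article names, the DLL dropped as d3dx11_31.dll under Windows\Temp and the autorun entry called "DirectX 11", are what a responder would look for first. The following is an added example, not code from the article: it checks a list of autorun entries and file paths for those indicators and, as a generalisation of my own, also flags any autorun whose command launches from a temp directory. The sample entries are constructed (the article does not say how the entry loads the DLL, so the command line shown is invented); the live collector reads the HKCU and HKLM Run keys with the standard winreg module, which is one place an autorun entry can live, and runs only on Windows.

```python
"""Persistence-artefact check for the clipboard hijacker (added example, not from the article)."""
import ntpath
import os
import sys
import re
from typing import Iterable, List, Tuple

KNOWN_DLL = "d3dx11_31.dll"          # file name given in the article
KNOWN_AUTORUN_NAME = "directx 11"    # autorun name given in the article, compared case-insensitively
TEMP_DIR_MARKERS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")  # heuristic of mine, not the article's
_TOKEN = re.compile(r'"([^"]+)"|(\S+)')


def paths_in_command(cmd: str) -> List[str]:
    """Split an autorun command line into quoted and unquoted tokens."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def assess_autorun(name: str, cmd: str) -> List[str]:
    """Return the reasons (possibly none) an autorun entry resembles this hijacker."""
    reasons = []
    lowered = cmd.lower()
    if name.strip().lower() == KNOWN_AUTORUN_NAME:
        reasons.append("autorun name matches the known entry")
    if KNOWN_DLL in lowered:
        reasons.append(f"command references {KNOWN_DLL}")
    for token in paths_in_command(lowered):
        if any(marker in token for marker in TEMP_DIR_MARKERS):
            reasons.append(f"launches from a temp directory: {token}")
            break
    return reasons


def assess_temp_files(paths: Iterable[str]) -> List[str]:
    """Return the paths whose file name is the DLL named in the article."""
    return [p for p in paths if ntpath.basename(p).lower() == KNOWN_DLL]


def collect_windows_autoruns() -> List[Tuple[str, str]]:
    """Read the per-user and machine-wide Run keys (Windows only); returns (name, command) pairs."""
    import winreg  # only importable on Windows
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, subkey) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _type = winreg.EnumValue(key, i)
                    entries.append((name, str(value)))
        except OSError:  # hive or key not readable from this account
            continue
    return entries


# Constructed samples: a benign entry and one shaped like the article's description.
SAMPLE_AUTORUNS = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("DirectX 11", r"rundll32.exe C:\Windows\Temp\d3dx11_31.dll,EntryPoint"),  # invented command line
]
SAMPLE_TEMP_FILES = [r"C:\Windows\Temp\d3dx11_31.dll", r"C:\Windows\Temp\install.log"]

if __name__ == "__main__":
    if sys.platform == "win32":
        autoruns = collect_windows_autoruns()
        temp_dir = os.path.join(os.environ.get("WINDIR", r"C:\Windows"), "Temp")
        files = [os.path.join(temp_dir, f) for f in os.listdir(temp_dir)] if os.path.isdir(temp_dir) else []
    else:
        autoruns, files = SAMPLE_AUTORUNS, SAMPLE_TEMP_FILES
    for name, cmd in autoruns:
        for reason in assess_autorun(name, cmd):
            print(f"[autorun] {name!r}: {reason}")
    for hit in assess_temp_files(files):
        print(f"[file] {hit}")
```

On a non-Windows host the script runs against the constructed samples so the logic can be exercised anywhere; on Windows it inspects the Run keys and the Windows\Temp directory. Autorun entries can also live in scheduled tasks, services and Startup folders, so a clean Run key alone does not prove a machine is clean.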

Once crackers have replaced an address, they can receive funds at it without worrying about detection: even if the infection is later detected, they hold the cryptocurrency tokens the moment the transaction completes. There’s no real way to get those back, which makes it lucrative to infect a machine for even a brief period of time.

Fortunately, anti-malware programs are beginning to flag the infection. All users who downloaded All-Radio or any other portable application bundle are being asked to verify that their system is clean after removing the offending software.

It doesn’t appear that any other information is being taken as a result of the clipboard control. However, since the clipboard is often used as a place to temporarily store passwords and the like, extra care should be taken. Some users have begun changing their account login credentials as a result, just to err on the side of security.

Few Unix users have probably installed this package through Wine, thus mitigating the attack somewhat.

Kamil Anwar
Kamil is a certified MCITP, CCNA (W), CCNA (S) and a former British Computer Society Member with over 9 years of experience configuring, deploying and managing switches, firewalls and domain controllers. He is also old-school and still active on FreeNode.