Every new piece of malware has its own trait. This time, security researchers have found a threat that modifies the contents of the Windows clipboard. It is called ComboJack, and it affects Windows systems. It only acts when the clipboard holds something that looks like a cryptocurrency wallet address or a payment-service account identifier.
Complicated? No. The threat monitors the clipboard at all times, looking for addresses. Once it detects one, it replaces it with a different address. The result is that the user pastes an address that is not the one they copied, while believing it is unchanged. In most cases the user does not notice, because wallet addresses are long strings that almost nobody compares character by character.
The researchers at Palo Alto Networks state that the threat recognizes when the copied text is an address for cryptocurrencies such as Bitcoin, Litecoin, Ethereum and Monero. They also state that it recognizes account identifiers for payment systems such as Qiwi, Yandex Money and WebMoney.
The company has also described how cybercriminals are distributing ComboJack. The threat arrives by e-mail (again), specifically in spam messages built around a variety of topics.
More details about ComboJack
The installation process of the threat is not simple. The most common e-mail message claims to carry a scan of a lost passport. The supposed scan is a PDF attachment, which users typically download and open. At that point the user is really opening an RTF embedded in the PDF, and that RTF contains an HTA object which attempts to exploit CVE-2017-8579, a DirectX vulnerability.
If the exploitation succeeds, PowerShell commands are run that download and execute a self-extracting executable (SFX).
The installation is still not finished at this stage. To be precise, a second SFX is then downloaded, and it is this one that installs ComboJack on the computer.
The Trojan sets up boot persistence and starts polling the Windows clipboard periodically for the kinds of addresses described above.
Once it detects such an address, it replaces it with one taken from an internal list belonging to the cybercriminals, so that the victim's payment ends up in their wallet. The goal is to hit the cryptocurrency jackpot.
Some security products do not detect the threat reliably, which is why the researchers urge users to double-check every address after copying it and before sending funds: the address that gets pasted must be compared in full with the one that was copied, not just by its first and last few characters.
As long as cryptocurrencies keep gaining popularity, we will keep seeing threats of this kind.
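As an added example (this is not code from Palo Alto Networks or from the article), the following Python model covers both halves of the story: the Trojan's loop body (classify the clipboard text, swap any recognised address for one from an internal list) and a defender-side check that automates the "double-check the address" advice. The address patterns, the attacker list, the process IDs and the clipboard timeline are all constructed assumptions; on a real Windows host the events would come from a clipboard-format listener (AddClipboardFormatListener) together with the owner window reported by GetClipboardOwner and the current foreground window, which the example only simulates.

```python
import hashlib
import re
from dataclasses import dataclass

# Loose "looks like an address" matchers for the wallets and payment services
# named in the report. These are this example's assumptions, not ComboJack's
# own rules. Order matters: a Yandex.Money account (41001 + digits) would also
# pass the all-digits Qiwi test, so it is checked first.
ADDRESS_PATTERNS = [
    ("bitcoin",      re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")),
    ("litecoin",     re.compile(r"^[LM][1-9A-HJ-NP-Za-km-z]{26,33}$")),
    ("ethereum",     re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("monero",       re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$")),
    ("yandex_money", re.compile(r"^41001\d{10,11}$")),
    ("qiwi",         re.compile(r"^\+?\d{10,15}$")),        # wallet id is a phone number
    ("webmoney",     re.compile(r"^[ZREUBDX]\d{12}$")),      # purse letter + 12 digits
]

def classify(text):
    """Return the address type the clipboard text resembles, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return kind
    return None

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def base58check_encode(version, payload):
    """Base58Check, the legacy Bitcoin/Litecoin address format: version || payload || 4-byte checksum."""
    data = version + payload
    data += hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = _B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out   # each leading zero byte -> '1'

def base58check_ok(addr):
    """True if addr decodes to 25 bytes whose double-SHA256 checksum verifies."""
    n = 0
    for ch in addr:
        if ch not in _B58:
            return False
        n = n * 58 + _B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw     # each leading '1' -> zero byte
    if len(raw) != 25:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4] == raw[-4:]

# The victim's intended payee (the well-known Bitcoin genesis address) and a
# constructed stand-in for one entry of the Trojan's internal list. The attacker
# address is built with a correct checksum to show that format validation alone
# cannot tell a swapped address from the genuine one.
VICTIM_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
ATTACKER_BTC = base58check_encode(b"\x00", bytes(range(1, 21)))
ATTACKER_LIST = {"bitcoin": ATTACKER_BTC}

def hijacker_poll(clipboard_text, attacker_list=ATTACKER_LIST):
    """Model of the Trojan's loop body: swap any recognised address whose type
    the attacker list covers, leave everything else untouched."""
    return attacker_list.get(classify(clipboard_text), clipboard_text)

@dataclass
class ClipboardEvent:
    t_ms: int            # time of the clipboard-update notification
    text: str            # new text contents
    owner_pid: int       # process that set the data (owner window -> process id)
    foreground_pid: int  # process of the foreground window at that moment

def find_swaps(events, window_ms=1000):
    """Defender-side heuristic: an address of type T replaced by a different
    address of the same type, within window_ms, by a process that is not the
    foreground one. Legitimate clipboard managers trigger this too, so a real
    deployment would allow-list them by image path."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = classify(prev.text)
        if kind is None or classify(cur.text) != kind or cur.text == prev.text:
            continue
        if cur.t_ms - prev.t_ms <= window_ms and cur.owner_pid != cur.foreground_pid:
            alerts.append((cur.t_ms, kind, prev.text, cur.text, cur.owner_pid))
    return alerts

# Constructed timeline, not real telemetry; process ids are arbitrary.
BROWSER_PID, HIDDEN_PID = 4120, 7788
TIMELINE = [
    ClipboardEvent(0, "call the bank about the invoice", BROWSER_PID, BROWSER_PID),
    ClipboardEvent(5000, VICTIM_BTC, BROWSER_PID, BROWSER_PID),                # user copies the payee
    ClipboardEvent(5400, hijacker_poll(VICTIM_BTC), HIDDEN_PID, BROWSER_PID),  # Trojan rewrites it
    ClipboardEvent(9000, "0x" + "ab" * 20, BROWSER_PID, BROWSER_PID),          # user copies an ETH address
    ClipboardEvent(30000, "0x" + "cd" * 20, BROWSER_PID, BROWSER_PID),         # and later a different one
]

if __name__ == "__main__":
    for t, kind, before, after, pid in find_swaps(TIMELINE):
        print(f"t={t}ms {kind} address swapped by pid {pid}: {before} -> {after}")
```

The replacement address passes the Base58Check checksum exactly as the genuine one does, so validating the format of what gets pasted proves nothing. Only comparing the pasted string with the address the user actually copied, or noticing that a background process rather than the foreground application rewrote the clipboard, catches the swap; the two legitimate Ethereum copies in the timeline are not flagged because they come from the foreground process and are far apart in time.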