Malware has infected tens of thousands of users to take over their devices to mine and try to steal crypto — but it only ended up bagging around $6,000.
Cybersecurity firm Doctor Web reported on Oct. 8 that it detected malware disguising itself as legitimate software, such as office programs, game cheats, and online trading bots.
The cryptojacking and stealing software infected over 28,000 users, mainly in Russia but also in Belarus, Uzbekistan, Kazakhstan, Ukraine, Kyrgyzstan, and Turkey.
The hackers were only able to get hold of about $6,000 worth of crypto, according to Doctor Web. However, it’s unknown how much the malware’s creator may have earned from crypto mining.
The cybersecurity firm said that the sources of the malware included fraudulent GitHub pages and YouTube video descriptions with malicious links.
Once a device is infected, stealthily deployed software hijacks computing resources to mine crypto.
A “Clipper” also monitors crypto wallet addresses users copy onto their device’s clipboard, and the malware replaces it with addresses controlled by the attacker — which is how they swiped a small crypto haul.
Malware attack chain. Source: Doctor Web
The malware uses sophisticated techniques to avoid detection, including password-protected archives to bypass antivirus scans, disguising malicious files as legitimate system components, and using legitimate software to execute malicious scripts.
In September, crypto exchange Binance warned about the Clipper malware noting a spike in activity in late August, “leading to significant financial losses for affected users.”
Doctor Web said many of the malware victim’s devices were compromised “by installing pirated versions of popular programs” and recommended only installing software from an official source.
Clipboard-changing malware has been around for years and was particularly prominent after the 2017 crypto bull market.
These types of malware programs have become more sophisticated, often combining clipboard jacking with other malicious functions.
In September, threat intelligence firm Facct reported that malicious actors and scammers were exploiting email auto-replies to spread crypto mining malware.
Magazine: $55M DeFi Saver phish, copy2pwn hijacks your clipboard: Crypto Sec