According to a new Kaspersky report, threat actors have been using Trojanized installers of the Tor anonymity browser to target users in Russia and Eastern Europe with clipper malware since September last year. This malware is designed specifically to siphon cryptocurrencies and has the ability to remain undetected for years. The attack in question is clipboard hijacking, and malware of this type is usually called “clipper malware”.
Clipper malware, also known as a clipboard injector, has been a threat for several years. It tampers with the data stored in the clipboard, altering it or even sending it to a server operated by the attacker. The attack Kaspersky reported relies on the malware replacing part of the clipboard contents once it detects a wallet address in them.
Clipper Malware Attacks on the Rise
Recently, Kaspersky technologies identified a malicious campaign involving Tor Browser, a tool often used to browse the deep web, being downloaded from a third-party source in the form of a password-protected RAR archive. The password is likely meant to keep security solutions from inspecting the file. Once dropped onto the user’s system, the malware registers itself for auto-start and disguises itself with the icon of a popular application such as uTorrent.
This malware has been used to target cryptocurrencies such as Bitcoin, Ethereum, Litecoin, Dogecoin, and Monero, resulting in more than 15,000 attacks across at least 52 countries. Russia has been hit hardest because Tor Browser is blocked in the country, while the United States, Germany, Uzbekistan, Belarus, China, the Netherlands, the United Kingdom, and France make up the rest of the top 10 countries affected. Current estimates put users’ total losses at no less than US$400,000, though the real figure is likely much higher, since attacks not involving Tor Browser are unaccounted for.
More about the Recently Detected Clipper Malware
The installer contains a passive clipboard-injector malware with no network communication, protected with Enigma Packer v4.0. Its authors may have used a cracked version of the packer, as the sample lacks any license information.
The payload is quite straightforward: it hooks into the Windows clipboard viewer and receives notifications whenever the clipboard data changes. If the clipboard holds text, the malware scans it with a set of embedded regular expressions. Any match is replaced with an address randomly chosen from a hardcoded list.
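As an added defensive illustration, not code from Kaspersky’s report or from the malware itself, the following Python compares the text a user copied with what the clipboard holds now and flags the case where only a wallet address has changed, which is the signature of the substitution described above. The address patterns are constructed, shape-only approximations for the coin families named in the article, and the sample strings are made up for the demo.

```python
import re

# Loose address-shape patterns for the coin families named in the report.
# Constructed for this example: shape only, no checksum validation.
WALLET_PATTERNS = {
    "bitcoin": re.compile(r"\b(?:bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"),
    "ethereum": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "litecoin": re.compile(r"\b(?:ltc1[02-9ac-hj-np-z]{25,62}|[LM][1-9A-HJ-NP-Za-km-z]{26,33})\b"),
    "dogecoin": re.compile(r"\bD[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}\b"),
    "monero": re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b"),
}

def find_wallet_addresses(text):
    """Return (coin, address) pairs found in text, in pattern order."""
    return [(coin, m.group(0))
            for coin, pat in WALLET_PATTERNS.items()
            for m in pat.finditer(text)]

def _mask(text):
    """Replace every address with a <coin> token; return (masked, addresses)."""
    found = []
    for coin, pat in WALLET_PATTERNS.items():
        def grab(m, coin=coin):
            found.append((coin, m.group(0)))
            return f"<{coin}>"
        text = pat.sub(grab, text)
    return text, found

def detect_clipboard_swap(copied_text, current_text):
    """Compare what the user copied with what the clipboard holds now.
    The clipper described leaves surrounding text alone and replaces only
    the wallet address, so the texts agree once addresses are masked but the
    addresses differ; any other change is a normal clipboard update.
    Returns a list of (coin, original, replacement) tuples."""
    if copied_text == current_text:
        return []
    masked_before, before = _mask(copied_text)
    masked_after, after = _mask(current_text)
    if masked_before != masked_after:
        return []
    return [(coin, old, new)
            for (coin, old), (_, new) in zip(before, after) if old != new]

if __name__ == "__main__":
    # Constructed sample: same message, Bitcoin address silently replaced.
    COPIED = "send 0.5 BTC to 1A2b3C4d5E6f7G8h9J1K2L3M4N5P6Q7R8"
    TAMPERED = "send 0.5 BTC to 3Z9y8X7w6V5u4T3s2R1q9P8n7M6k5J4h3G"
    for alert in detect_clipboard_swap(COPIED, TAMPERED):
        print("clipboard address swapped:", alert)
```

In a real monitor the "copied" text would be captured at the user's copy action and re-checked just before a paste into a wallet; on Windows the same clipboard-change notifications the malware relies on are available to defenders too.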
“Among the roughly 16,000 detections, the majority were registered in Russia and Eastern Europe. However, the threat spread to at least 52 countries worldwide,” Kaspersky researchers said.