
Remove Coinbitclip Hearthstone Trojan Completely

A new type of infostealing Trojan is reported to target the cryptocurrency Bitcoin, replacing its addresses with malicious ones. The Trojan creates multiple files via obfuscated executables, and it aims to stay concealed on the user's PC for as long as possible. Furthermore, Coinbitclip uses multiple third-party Bitcoin addresses and may use a different one for every infection. The Trojan also most likely has something to do with the game Hearthstone, since its files resemble the game's executables. All users who actively use bitcoins are strongly advised to use advanced anti-malware protection or to use another computer for their financial transactions.

Image sources: Sensorstechforum and Blizzard™

Name: Coinbitclip Trojan
Type: Infostealer Trojan
Short Description: The payload steals and replaces bitcoin addresses.
Symptoms: The user may witness unfamiliar files in %AppData%, such as Hearthstone.exe.
Distribution Method: Via malicious web links or attachments.
Detection Tool: Download Malware Removal Tool, to See If Your System Has Been Affected by Coinbitclip Trojan
User Experience: Join our forum topic about the threat to discuss Coinbitclip Trojan.

Coinbitclip Trojan – How Does It Spread

An effective way for this type of Trojan to spread is via malicious web links posted online. In the case discovered by Symantec researchers, the game Hearthstone is imitated, which means that the Trojan may target users via various third-party websites that are Blizzard- or Hearthstone-related and may be delivered by injecting malicious code onto the victim's computer.

There may be another means of targeting users on a massive scale. The hackers may send mass spam emails to users who have registered on a Hearthstone-related website. The emails may look like they come from Blizzard itself, and messages such as the following may be present in them:

  • “Click here to restore your password.”
  • “Your account has been suspended. Click here for more information.”
  • “Incoming files regarding Hearthstone.”

The mail messages might also contain an archived file as an attachment that may have the obfuscated payload of the malware.

One way or another, after it has been executed, according to Symantec researchers, the Trojan may create the following files:

  • %AppData%\Blizzard\Hearthstone.exe
  • %User’s Profile%\Application Data\hearthstone\updater.exe

Furthermore, the cyber-threat may create a registry entry that runs the Hearthstone.exe file every time Windows starts. The entry is located under the following Windows Registry key:

  • “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”
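
A read-only check for the files and the Run key listed above, as an added example that is not part of the original article or of Symantec's report. It assumes "%User's Profile%" means the current user's profile folder ($env:USERPROFILE); the function name Find-CoinbitclipArtifact is hypothetical.

```powershell
# Added example: read-only check for the Coinbitclip artifacts named in this article.
# Find-CoinbitclipArtifact is a hypothetical name; nothing is deleted or modified.
function Find-CoinbitclipArtifact {
    # File paths as listed in the article. Assumption: "%User's Profile%" is the
    # current user's profile directory ($env:USERPROFILE).
    $paths = @(
        (Join-Path $env:APPDATA     'Blizzard\Hearthstone.exe'),
        (Join-Path $env:USERPROFILE 'Application Data\hearthstone\updater.exe')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            # Record hash and signature status so the file can be triaged before removal.
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $sig  = (Get-AuthenticodeSignature -LiteralPath $p).Status
            [pscustomobject]@{
                Kind   = 'File'
                Item   = $p
                Detail = "SHA256=$hash; Signature=$sig"
            }
        }
    }

    # Per-user autostart key named in the article.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            # Match only the two locations from the article, so a game installed
            # elsewhere (for example under Program Files) is not flagged.
            if ($data -match '\\(Blizzard\\Hearthstone|hearthstone\\updater)\.exe') {
                [pscustomobject]@{ Kind = 'RunValue'; Item = $name; Detail = $data }
            }
        }
    }
}

$hits = @(Find-CoinbitclipArtifact)
if ($hits.Count -eq 0) { 'No listed artifacts found for this user.' }
else { $hits | Format-List }
```

Run it once per user profile, because both the file paths and the HKEY_CURRENT_USER key are per-user locations.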

After setting up nice and comfy on your PC, the Trojan begins to automatically look for any Bitcoin addresses that are copied by the user. The Trojan uses a custom database of many third-party Bitcoin addresses and, immediately after detecting a copied address, replaces it with one from that database. What is more, the cyber-threat is smart: it uses the Bitcoin address in its database that is closest to the one actually copied to the clipboard.

This is most likely done with the sole purpose of stealing money when users convert money into bitcoins. The malware may work extremely well with ransomware threats such as TeslaCrypt 3.0, which persuade and scare users into paying in Bitcoin for the decryption of their files.
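
A clipboard canary for the address swap described above, as an added example that is not part of the original article: it copies an address-shaped value, then checks whether the clipboard still holds it. The function name Test-ClipboardSwap and the default canary string are constructed for this example; whether the Trojan reacts to a value without a valid checksum is an assumption, since the article does not say how it recognises addresses.

```powershell
# Added example: clipboard canary for the address swap described above.
# Test-ClipboardSwap is a hypothetical name. Needs Get-/Set-Clipboard (PowerShell 5.0+).
function Test-ClipboardSwap {
    param(
        # Constructed, address-shaped test value; not a real wallet and its checksum
        # is not valid. Pass one of your own receiving addresses for a stricter test.
        [string]$Canary = '1ExampLeCanaryAddressNotARea1Wa11et',
        [int]$Checks = 10,
        [int]$IntervalMs = 500
    )
    $saved = Get-Clipboard -Raw              # remember what the user had copied
    try {
        Set-Clipboard -Value $Canary
        for ($i = 1; $i -le $Checks; $i++) {
            Start-Sleep -Milliseconds $IntervalMs
            $now = ([string](Get-Clipboard -Raw)).Trim()
            if ($now -cne $Canary) {
                # Count shared leading characters: a replacement chosen to resemble
                # the copied address is easy to miss when only the start is checked.
                $n = 0
                while ($n -lt $now.Length -and $n -lt $Canary.Length -and
                       $now[$n] -ceq $Canary[$n]) { $n++ }
                return [pscustomobject]@{
                    Swapped = $true; Copied = $Canary; Found = $now
                    SharedPrefix = $n; AfterMs = $i * $IntervalMs
                }
            }
        }
        [pscustomobject]@{
            Swapped = $false; Copied = $Canary; Found = $Canary
            SharedPrefix = $Canary.Length; AfterMs = $Checks * $IntervalMs
        }
    }
    finally {
        if ($saved) { Set-Clipboard -Value $saved }   # restore the original text
    }
}

Test-ClipboardSwap
```

Do not copy anything else while the test runs, since any clipboard change is reported as a swap. The same habit applies to real payments: compare the whole pasted address with the intended one, not just its first characters.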

Remove Coinbitclip Trojan from Your PC

Since this cyber-threat may create registry entries on your computer and may use an updater to stay hidden and change the location of the malicious files, it is strongly advisable to remove this Trojan methodically. To do this, follow the instructions below.

1. Boot Your PC In Safe Mode to isolate and remove Coinbitclip Trojan
2. Remove Coinbitclip Trojan with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections by Coinbitclip Trojan in the future
Optional: Using Alternative Anti-Malware Tools

After the malware has been removed from your computer, you may want to follow this instructional article to repair your Windows Registry:

Fix Windows Registry Errors Caused by Malware

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
