A new type of info-stealing Trojan is reported to target the cryptocurrency Bitcoin by replacing its addresses with malicious ones. The Trojan creates multiple files via obfuscated executables and aims to stay concealed on the user's PC for as long as possible. Furthermore, Coinbitclip uses multiple third-party Bitcoin addresses and may use a different one for every infection. The Trojan most likely also has something to do with the well-known game Hearthstone, since its executables resemble the game's. All users who actively use bitcoins are strongly advised to use advanced anti-malware protection or to use another computer for their financial transactions.
Image sources: Sensorstechforum and Blizzard™
| Field | Details |
|---|---|
| Short Description | The payload steals and replaces Bitcoin addresses. |
| Symptoms | The user may notice unfamiliar files in %AppData%, such as Hearthstone.exe. |
| Distribution Method | Via malicious web links or attachments. |
| Detection Tool | Download Malware Removal Tool to see if your system has been affected by Coinbitclip Trojan |
| User Experience | Join our forum topic to discuss Coinbitclip Trojan. |
Coinbitclip Trojan – How Does It Spread
An effective way for this type of Trojan to spread is via malicious web links posted online. In the case reported by Symantec researchers, the Trojan imitates the game Hearthstone, which means it may target users via various third-party websites related to Blizzard or Hearthstone and drop itself by injecting malicious code on the victim's computer.
There may be another means of targeting users on a massive scale. The hackers may send out mass spam emails to users who have registered on a Hearthstone-related website. The mails may look like they come from Blizzard themselves and may contain messages such as the following:
- “Click here to restore your password.”
- “Your account has been suspended. Click here for more information.”
- “Incoming files regarding Hearthstone.”
The mail messages might also carry an archive file as an attachment that contains the obfuscated payload of the malware.
One way or another, after it has been executed, according to Symantec researchers, the Trojan may create the following files:
- %User’s Profile%\Application Data\hearthstone\updater.exe
Furthermore, the cyber-threat may create a registry entry so that the Hearthstone.exe file runs every time Windows starts. It is located in the following Windows Registry key:
After setting up nice and comfy on your PC, the Trojan begins automatically looking for any Bitcoin address that the user copies to the clipboard. It keeps a custom database of many third-party Bitcoin addresses and, immediately after detecting a copied address, replaces it with one from that database. What is more, the cyber-threat is smart: it picks the address in its database that looks closest to the one actually copied, so a quick glance at the pasted address is unlikely to reveal the swap.
This is most likely done with the sole purpose of stealing money when users convert money into bitcoins. The malware may work extremely well alongside ransomware threats such as TeslaCrypt 3.0, which persuade and scare users into paying for the decryption of their files in Bitcoin.
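The clipboard swap described above only works because a substituted address passes for the original at a glance. The following is an added example, not code from the article or from Symantec's analysis: it extracts legacy Bitcoin addresses from text, validates their Base58Check checksum (so a mistyped or truncated address is rejected), and compares the address a user copied with what the clipboard holds at paste time. The function names, the regular expression (legacy `1...`/`3...` addresses only; bech32 is out of scope) and the sample payment note are my own constructions; the only real value used is the Bitcoin genesis-block address.

```python
import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy P2PKH ('1...') and P2SH ('3...') addresses: 26-35 Base58 characters.
# Assumption: bech32 ('bc1...') addresses are out of scope for this example.
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

# Constructed sample text, standing in for a payment note a user copies an address from.
# The second address is the first with its last character altered, so its checksum fails.
SAMPLE_TEXT = (
    "Please send 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa "
    "(not 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb, which is a typo)."
)


def base58_decode(s: str) -> bytes:
    """Decode a Base58 string; each leading '1' becomes a leading zero byte."""
    n = 0
    for ch in s:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    leading_zeros = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * leading_zeros + body


def is_valid_legacy_address(addr: str) -> bool:
    """True if addr decodes to version byte + 20-byte hash + matching double-SHA256 checksum."""
    try:
        raw = base58_decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_addresses(text: str) -> list:
    """Return the legacy addresses in free text that pass the checksum."""
    return [m for m in ADDRESS_RE.findall(text) if is_valid_legacy_address(m)]


def clipboard_swap_check(copied: str, pasted: str) -> dict:
    """Compare the address the user copied with what the clipboard holds before it is pasted."""
    shared = 0
    for a, b in zip(copied, pasted):
        if a != b:
            break
        shared += 1
    return {
        "swapped": copied != pasted,          # any difference at all means do not paste
        "shared_prefix": shared,              # how many leading characters still match
        "pasted_valid": is_valid_legacy_address(pasted),
    }


if __name__ == "__main__":
    found = extract_addresses(SAMPLE_TEXT)
    print("addresses in note:", found)
    # Simulate the clipboard holding a different, well-formed address at paste time.
    verdict = clipboard_swap_check(found[0], "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2")
    print("swap detected:", verdict)
```

A wallet or payment page can call `clipboard_swap_check` with the address it originally placed on the clipboard (or the one shown on the invoice) and refuse to submit when `swapped` is true; comparing the full string rather than the first few characters is the point, because a substitute chosen for visual similarity may share a long prefix with the real address.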
Remove Coinbitclip Trojan from Your PC
Since this cyber-threat may create registry entries on your computer and may use an updater to stay hidden and change the location of its malicious files, it is strongly advisable to remove this Trojan methodically. To do so, follow the instructions below.
After the malware has been removed from your computer, you may want to follow this instructive article to repair your Windows Registry:
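Because the article describes an autorun entry pointing at an updater dropped under the user's profile, a useful first check during removal is to list per-user autorun entries whose executable lives in a user-writable directory such as %AppData%. The script below is an added example, not part of the article or of any vendor tool; it assumes the persistence entry sits in the standard HKCU `Run` key (the article does not name the key), and the sample entries and profile paths are constructed so the triage logic runs on any platform.

```python
import os
import shlex
import sys

# Standard per-user autorun key. Assumption: the article does not name the key the
# Trojan uses, so this example checks the common HKCU Run location.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample entries standing in for a live registry read.
SAMPLE_ENTRIES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "Hearthstone": r'"C:\Users\bob\AppData\Roaming\hearthstone\updater.exe"',
}
# Constructed per-user roots; a real run takes them from %APPDATA% and %LOCALAPPDATA%.
SAMPLE_ROOTS = (r"C:\Users\bob\AppData\Roaming", r"C:\Users\bob\AppData\Local")


def command_target(command: str) -> str:
    """Pull the executable path out of a Run-key command line, dropping quotes and arguments."""
    try:
        parts = shlex.split(command, posix=False)   # non-POSIX mode leaves backslashes alone
    except ValueError:
        return command.strip().strip('"')
    return parts[0].strip('"') if parts else ""


def triage_run_entries(entries: dict, user_roots: tuple) -> list:
    """Flag autorun entries whose executable lives in a user-writable profile directory."""
    flagged = []
    for name, command in entries.items():
        target = command_target(command)
        norm = target.lower().replace("/", "\\")
        if any(norm.startswith(root.lower().rstrip("\\") + "\\") for root in user_roots):
            flagged.append((name, target))
    return flagged


def read_run_entries_windows() -> dict:
    """Read HKCU Run values on Windows; returns {} elsewhere so the logic above stays testable."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break   # no more values under this key
            entries[name] = str(value)
            index += 1
    return entries


if __name__ == "__main__":
    entries = read_run_entries_windows() or SAMPLE_ENTRIES
    env_roots = tuple(p for p in (os.environ.get("APPDATA"), os.environ.get("LOCALAPPDATA")) if p)
    for name, target in triage_run_entries(entries, env_roots or SAMPLE_ROOTS):
        print(f"review autorun entry {name!r} -> {target}")
```

An entry flagged here is not proof of infection on its own, since some legitimate software installs per-user, but an autorun pointing at a binary named after a game under %AppData% is exactly the symptom the article lists and deserves a look before the file is deleted and the entry removed.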