CryptoShuffler Trojan Malware Identified by Kaspersky

Kaspersky researchers spot malware that hijacks a user’s clipboard and replaces the copied cryptocurrency wallet address with that of its creator.

As Bitcoin hits an all-time high of $7,500 and analysts make predictions that it might surge to $10,000 in early 2018, cryptocurrency hackers are coming up with more innovative ways to steal from users’ digital wallets.

When considering how coin-mining malware and other crypto attacks work, it’s easy to imagine complex pieces of malicious code that only computer scientists can understand.

However, the reality is that the software designed to steal cryptocurrency is quite different from this mystical version.

Security researchers have recently discovered one such piece of malware, dubbed the Cryptoshuffler Trojan, which attackers used to steal 23 BTC from wallets, worth over $160,000 at the current exchange rate.

According to a report by Kaspersky Lab experts, the malware uses a clipboard hijacking technique, a method previously used to compromise online payment systems but not cryptocurrencies.

The malware switches the copied user address with that of its developer’s wallet.

The malware has been in operation for about one year, targeting big digital currency names like Ethereum, Bitcoin, Monero, Litecoin, Dash, Zcash, and other cryptocurrencies.

How the Cryptoshuffler Trojan Works

Despite how old the clipboard hijacking method of digital theft is, it has never been used on cryptocurrencies to a serious level until recently.

The Cryptoshuffler malware enters computers as a harmless software download.

Once the malware is on your device, it resides in the computer’s memory, where it quietly monitors the contents of the clipboard, the temporary storage location for copy, cut and paste operations.

Upon recognizing a cryptocurrency wallet address, the malware intercepts the copied wallet ID and replaces it with that of the attackers.

As a result, victims irretrievably transfer their coins directly to the attacker unless they are attentive enough to spot the immediate replacement.

Kaspersky’s security experts explained how easily the Trojan-Banker.Win32.CryptoShuffler.gen successfully compromises the original transaction.


This is because many users find it easy to copy and paste the recipient’s digital wallet ID into the transaction fields rather than struggling to remember the entire address string then writing it down.

Again, while most Bitcoin transactions are one-way and the recipient doesn’t need to confirm the transaction, senders do not take time to ascertain whether the unique multi-digit destination address was pasted correctly.

As Kaspersky Lab researchers noted, the entire process takes milliseconds. The Cryptoshuffler keeps a low profile and operates stealthily.

In fact, users do not see any random pop-ups, messages or performance degradation on an infected smartphone or computer.

It is by exploiting day-to-day user behavior rather than operating system or network level actions that the attackers were able to remain undetected and enjoy greater success.

Cryptoshuffler had its peak activity at the end of 2016, followed by a hiatus but then reawakened in June 2017 when the attackers enjoyed the skyrocketing Bitcoin prices, stealing hundreds to thousands of dollars from Bitcoin investors.

Protect Your Wallet

The Kaspersky Lab report noted there has been an increase in malware attacks and other exploits targeting different cryptocurrencies.

Lately, cybercriminals are coming up with new cryptocurrency malware attacks that will help them cash in on the high-value digital coins for free.

They are also using less noticeable methods to ensure they steal from users without being detected.

The trend is expected to continue growing, potentially advancing to a wide range of blockchain technology services.

With the rising popularity of cryptocurrencies and their widespread mass adoption in the corporate world, it is time that people who are venturing into cryptocurrency investments ensure they have proper protection.

Kaspersky Lab advises cryptocurrency investors to protect themselves by using up-to-date antivirus software, keeping their passwords protected and ensuring their coins are as far offline as possible.

Additionally, users can protect their investments from the Cryptoshuffler Trojan by paying close attention and confirming the wallet ID in the destination address line before making payments.

It will be difficult for users to lose their money if they check the transaction address to ensure it is correct.
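
The clipboard swap described under "How the Cryptoshuffler Trojan Works" and the check-before-paying advice above can both be expressed as simple detection logic. The following is an added example, not code from Kaspersky Lab or the original article; the address patterns (shape only, Bitcoin legacy and Ethereum), the 500 ms threshold, the function names and the sample events are all assumptions made for illustration.

```python
import re

# Address shapes only (no checksum validation). Covers two of the coins the
# article names; both patterns are assumptions of this example.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def classify(text):
    """Return the coin name if the clipboard text looks like a wallet address."""
    candidate = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return coin
    return None

def find_swaps(events, max_gap_ms=500):
    """Flag an address replaced by a different address of the same coin
    within max_gap_ms; a person rarely copies two addresses that quickly."""
    alerts = []
    for (t0, old), (t1, new) in zip(events, events[1:]):
        coin = classify(old)
        if (coin and coin == classify(new)
                and old.strip() != new.strip() and t1 - t0 <= max_gap_ms):
            alerts.append({"coin": coin, "copied": old.strip(),
                           "replaced_by": new.strip(), "gap_ms": t1 - t0})
    return alerts

def safe_to_send(intended, pasted):
    """Pre-payment check: the pasted destination must equal the intended one."""
    return classify(pasted) is not None and intended.strip() == pasted.strip()

# Constructed sample: (timestamp in ms, clipboard text). Not real wallets.
SAMPLE_EVENTS = [
    (0, "meeting notes"),
    (12_000, "1" + "A" * 33),   # user copies the recipient address
    (12_040, "1" + "B" * 33),   # replaced 40 ms later: suspicious
    (60_000, "0x" + "a" * 40),  # user copies an Ethereum address
    (95_000, "0x" + "b" * 40),  # 35 s later: plausible user action
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

Only the 40 ms Bitcoin replacement is flagged; the Ethereum change 35 seconds later falls outside the threshold and is treated as an ordinary second copy.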

For further protection, cryptocurrency investors should remain vigilant and use security features that scan for similar malware and block its actions.

