Evrial Trojan Replaces Cryptocurrency Wallet Addresses in Clipboard
Security experts from MalwareHunterTeam and Guido Not CISSP have discovered that a new trojan called Evrial is being actively advertised and sold on the black market. Like other infostealers, Evrial steals cookies and account credentials from infected machines. However, its creators have also taught it to closely monitor the contents of the Windows clipboard.
Evrial does not steal everything copied to the clipboard. Instead, the trojan waits until a cryptocurrency wallet address or a Steam trade offer URL is copied. As soon as this happens, the malware replaces the wallet address or URL with one belonging to the attackers. The list of supported cryptocurrencies, browsers, and more can be seen in the screenshot from the advertisement.
Researchers have not yet determined exactly how Evrial is being distributed. According to MalwareHunterTeam, the trojan is being sold on Russian-language underground forums for 1,500 rubles. For this price, the buyer gets access to a web panel where they can configure the malware as needed: choose the replacement addresses and links, and monitor the swaps the malware has already performed.
When Evrial detects a string suitable for replacement, it contacts a remote server and uploads the string. In response, it receives a new sequence to insert into the user’s clipboard.
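The swap behaviour described above leaves a recognisable trace on the victim side: a wallet address or trade URL lands in the clipboard and, moments later, is replaced by a different value of the same type without any user action. The following Python routine is an added example, not code from the original article or from anyone associated with Evrial. It models that trace as a sequence of clipboard snapshots and flags a swap when one address-like value is replaced by another of the same kind within a short window. The address and URL formats (legacy and bech32 Bitcoin, Ethereum, Steam trade-offer links), the `ClipEvent` field names and the snapshot values are all assumptions constructed for the example; the article itself only says "cryptocurrency wallet address" and "Steam trade offer URL". On a real endpoint a clipboard-polling monitor would supply the snapshots; here they are embedded so the logic runs offline, and the detection generalises to any format added to the `PATTERNS` table.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed formats for the value types the article says Evrial targets.
# These are structural regexes only (no checksum validation); extend the
# table to cover further currencies the detector should watch.
PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "steam_trade": re.compile(
        r"^https://steamcommunity\.com/tradeoffer/new/\?partner=\d+&token=[A-Za-z0-9_-]+$"
    ),
}


def classify(text: str) -> Optional[str]:
    """Return the value type of a clipboard string, or None if it is not of interest."""
    s = text.strip()
    for name, pat in PATTERNS.items():
        if pat.match(s):
            return name
    return None


@dataclass
class ClipEvent:
    t: float        # seconds since monitor start (constructed)
    content: str    # clipboard text at that moment
    owner: str      # process the monitor attributed the change to (constructed)


@dataclass
class Alert:
    t: float
    kind: str
    original: str
    replaced: str
    owner: str


def detect_swaps(events: List[ClipEvent], window: float = 2.0) -> List[Alert]:
    """Flag a swap when an address-like value is replaced by a *different* value
    of the same kind within `window` seconds. Re-copying the same value, or
    copying a second address much later, is treated as normal user behaviour."""
    alerts: List[Alert] = []
    prev: Optional[ClipEvent] = None
    for ev in events:
        if prev is not None:
            k_prev, k_now = classify(prev.content), classify(ev.content)
            same_kind = k_prev is not None and k_prev == k_now
            if same_kind and prev.content != ev.content and ev.t - prev.t <= window:
                alerts.append(Alert(ev.t, k_now, prev.content, ev.content, ev.owner))
        prev = ev
    return alerts


# Constructed sample values (not real victim or attacker addresses).
BTC_USER = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
BTC_CROOK = "1CrookSwapTestAddrXYZ9aBcDefGhJkMn"
ETH_A = "0x" + "ab" * 20
ETH_B = "0x" + "cd" * 20
STEAM_A = "https://steamcommunity.com/tradeoffer/new/?partner=123456&token=AbCdEfGh"
STEAM_B = "https://steamcommunity.com/tradeoffer/new/?partner=999999&token=ZzYyXxWw"

# Constructed clipboard timeline: two suspicious swaps and several benign copies.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "meeting notes for Monday", "notepad.exe"),
    ClipEvent(10.0, BTC_USER, "chrome.exe"),
    ClipEvent(10.3, BTC_CROOK, "unknown.exe"),    # swapped 300 ms after the copy
    ClipEvent(40.0, ETH_A, "chrome.exe"),
    ClipEvent(70.0, ETH_B, "chrome.exe"),         # 30 s later: user copied another one
    ClipEvent(71.0, ETH_B, "chrome.exe"),         # same value again: not a swap
    ClipEvent(100.0, STEAM_A, "steam.exe"),
    ClipEvent(100.5, STEAM_B, "unknown.exe"),     # trade URL swapped
]


def main() -> None:
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"t={a.t:6.1f}s  {a.kind:<12} {a.original} -> {a.replaced}  (owner: {a.owner})")


if __name__ == "__main__":
    main()
```

The window parameter is the main tuning knob: too large and two legitimate copies in a row look like a swap, too small and a slower replacement loop slips through. Attributing the change to a process (the `owner` field) is what turns a suspicious event into an actionable one, since a clipboard monitor can record which process last set the clipboard.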
But clipboard replacement is not the only function. Evrial also steals data about cryptocurrency wallets (wallet.dat files), saved passwords (especially from browsers like Chrome, Yandex, Orbitum, Opera, Amigo, Torch, and Comodo, as well as passwords stored in Pidgin and Filezilla), documents, and takes screenshots of the victim’s active windows. All this information is packed into a ZIP archive and uploaded to a command-and-control server. The stolen data can be viewed directly from the malware’s control panel.