Malware Replaces Clipboard Addresses on 300,000 Computers

Researchers have discovered a new malware campaign spreading the ClipboardWalletHijacker program, which intercepts information in the clipboard. So far, this malware has infected over 300,000 computers.

The new malicious campaign was identified by specialists at Qihoo 360, with most victims residing in China.

“The 360 Cybersecurity Center has detected a new malware campaign distributing a program that captures clipboard contents—ClipboardWalletHijacker. The malware monitors clipboard activity to determine if it contains a Bitcoin or Ethereum account address,” the company’s report states.

“When such an address is detected, the malware replaces it with its own, allowing funds to be redirected. More than 300,000 computers have been affected by this malware sample.”

The tactic used by ClipboardWalletHijacker is not new; for example, the Evrial malware also replaced Bitcoin addresses in the Windows clipboard.

Addresses Used by ClipboardWalletHijacker

Experts have identified several addresses that ClipboardWalletHijacker substitutes for legitimate user addresses:

  • BTC: 1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1
  • BTC: 19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL
  • ETH: 0x004D3416DA40338fAf9E772388A93fAF5059bFd5
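A paste-time check that a wallet or payment form could run against this kind of substitution, as an added example (not code from the Qihoo 360 report or from the malware). It flags a pasted address that differs from the one the user copied, or that matches one of the substitute addresses listed above. The function names, result labels and sample "legitimate" addresses are assumptions constructed for illustration, and the patterns check address shape only, not checksums.

```python
import re

# Shape checks only (no checksum validation): legacy Base58 BTC, 20-byte hex ETH.
BTC_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def address_kind(text):
    """Return 'BTC', 'ETH' or None depending on what the text looks like."""
    s = text.strip()
    if BTC_RE.match(s):
        return "BTC"
    if ETH_RE.match(s):
        return "ETH"
    return None


def normalize(text):
    """ETH hex is case-insensitive, Base58 BTC addresses are not."""
    s = text.strip()
    return s.lower() if address_kind(s) == "ETH" else s


# Substitute addresses exactly as listed in this article.
KNOWN_SUBSTITUTES = {normalize(a) for a in (
    "1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1",
    "19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL",
    "0x004D3416DA40338fAf9E772388A93fAF5059bFd5",
)}


def check_paste(copied, pasted):
    """Compare what the user copied with what arrived at paste time."""
    kind_copied, kind_pasted = address_kind(copied), address_kind(pasted)
    if kind_pasted and normalize(pasted) in KNOWN_SUBSTITUTES:
        return "known-substitute"   # matches an address from the report
    if kind_copied and kind_pasted and normalize(copied) != normalize(pasted):
        return "address-swapped"    # an address went in, a different one came out
    return "ok"


# Constructed sample values (shape-valid only, not real wallets).
LEGIT_BTC = "1" + "A" * 33
LEGIT_ETH = "0x" + "ab" * 20

if __name__ == "__main__":
    print(check_paste(LEGIT_BTC, "19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL"))
    print(check_paste(LEGIT_ETH, "0x" + "cd" * 20))
    print(check_paste(LEGIT_BTC, LEGIT_BTC))
```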

Specialists also shared a snippet of code responsible for replacing Ethereum wallet addresses.

Check the Balances of the Criminals’ Addresses

You can view the balances of the addresses belonging to the cybercriminals at the following links:

In total, the attackers have stolen 0.12434321 BTC—about 800 US dollars.
