New email-based malware dubbed as ComboJack is targeting Japanese and American web surfers to steal cryptocurrency during transactions. Once installed and lurking in the background, the malware grabs the victim’s long cryptocurrency wallet address stored in the Windows clipboard. Due to their extreme length, many users simply copy and paste that string of characters, and that is when ComboJack attacks. 

Discovered by researchers at the Palo Alto Networks, it’s a variant of a cryptocurrency stealer called CryptoJack. It grabs the address of a victim’s cryptocurrency wallet coped to the clipboard and replaces it with the address of the hacker’s wallet. Thus, victims believe they are transferring digital currency to their personal virtual wallets when instead they’re unknowingly pasting a different destination into the transaction prior to completion. 

CryptoShuffler was the first malware to use this stealing agent in 2017, but solely focused on Bitcoin. In 2018, ComboJack arrives to target not only Bitcoin investors, but Ethereum, Litecoin, Monero, and many other digital currencies. But the route this malware takes can be avoided by simply not opening an emailed attachment from untrusted sources.  

According to the report, victims receive emails regarding a lost passport. The shady message requests that the victim view an attachment that’s supposedly a scanned passport in a PDF format for identification purposes. But once victims open the PDF, they are presented with a single line to open an embedded document. Inside this secondary file is an embedded remote object that attacks a security hole in Windows. 

“An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory,” Microsoft’s database states. “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” 

The embedded remote object downloads a two-part file, one part containing a self-extracting executable, and a second part containing password-protected components to create and install the final payload: ComboJack. The malware then uses a built-in Windows tool to give it system-level privileges, edits the registry to make sure it remains running in the background and enters into an infinite loop. ComboJack then checks the system clipboard every half second for a cryptocurrency wallet address. 

So why aren’t cryptocurrency users simply manually entering their wallet addresses? Because it’s a pain. Ethereum addresses are 42 characters long while Bitcoin uses 34 characters. The longest is likely Monero, which relies on addresses with characters counts between 95 and 106. This is why users typically copy and paste their addresses, which serves as a virtual gold mine for hackers. 

While the suggestion of manually entering addresses during transactions is out of the question, opening files attached to emails sent from unknown parties is an extremely bad idea. In this case, the big clue starts with the actual poorly written message along with its suspicious attachment. But even after opening the PDF, the request to open another file should be another huge red flag.