A new strain of clipboard-hijacking malware has an impressive list of 2.3 million destination Bitcoin addresses for which it monitors. This covers about 10% of the wallets currently in existence.
To explain why this is important, we must first look at how cryptojacking works on this level. A clipboard hijacker typically just takes a snapshot of the victim’s clipboard as soon as it copies something.
Once that information is there, the hijacker has two choices: It could either algorithmically determine whether the user copied a Bitcoin address, as is the case with ClipboardWalletHijacker; or it could simply have a precompiled list of existing Bitcoin addresses that it scans through.
Once either method detects a Bitcoin address, it replaces the data in the clipboard with the hacker’s wallet address. Such malware counts on the oft-encountered absentmindedness of newbie cryptocurrency holders.
Although other clipboard-based malware has been spotted using the list-based method, none so far have even come close to having a list as large as this one.
A skillful hacker would compile only a list of some of the most frequented and largest addresses to scan. However, judging by the addresses we’ve seen, this particular hacker did not make this effort and simply chose to scan inefficiently through a database that may or may not contain a wallet that regularly receives large amounts of BTC.
More impressive than the number of addresses in the list is the way in which the malware behaves to infect a computer.
“When installed, a DLL named d3dx11_31.dll will be downloaded to the Windows Temp folder and an autorun called ‘DirectX 11’ will be created to run the DLL when a user logs into the computer,” Bleeping Computer wrote.
Afterward, the malware depends on rundll32.exe—a Windows system executable—to automatically start it when the computer boots.
Although removing the malware is quite easy, it’s much more difficult to detect in the first place when compared to other strains we’ve seen so far. In the near future, we can expect antivirus software to catch it rather quickly since its signature is pretty easy to find using heuristics.
After all, the hacker made a piece of malware that leaves behind a gargantuan Bitcoin wallet address database. That’s pretty hard for antivirus software not to notice.
This article appeared first on Cryptovest
