discvur.blogg.se

Crypto locker regex
Stealing crypto-currency is not new to threat actors. Thinner profit margins from mining make stealing the coins from wallets more lucrative. One of the common techniques is to scrape the clipboard for wallet addresses and replace them with the attacker's own address. The victim is left with no knowledge of the theft happening. In this blog, we will be looking at one such CryptoClip hijacker malware, which was generally seen to be spammed out via Discord. Discord is one of the ways to stay in touch with people of a common interest. Hence spamming out CryptoClip hijacker malware to Discord servers that discuss crypto trading and mining would mean the malware reaches people who are actively dealing with crypto currency. An unsuspecting user could download and execute these binaries.

This malware could be spammed out via the traditional e-mail attachment technique too. We found one such malware that had the filename CryptoClipWatcher.exe, probably trying to pose as the safe CryptoClipWatcher tool.

Figure 1: Version info of the malware

This file's version information and internal name were spoofed to look like svchost.exe. A legitimate svchost.exe file would be Microsoft Visual C++ 8 compiled, and not .NET compiled. The file is also signed with a fake digital certificate as shown in Figure 3.

Figure 2: Digital Certificate information

The malware uses a simple decryption logic for all its encrypted data. First the encrypted string and a key ('UUdkUzZTQkFtMXlKTkE3Zw=') are decoded from base64. Then the decoded string is XORed with the decoded key. Figure 3 depicts this decryption process. Even the file's original filename was seen as base64 encoded and XOR encrypted.

Figure 3: Code to decrypt/decode

The decoded value of EjUdI0I8AS0EQS4rOiJfAiM= was crypto clip watcher, which as mentioned earlier is the name of a legitimate crypto tool.
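The base64-then-XOR scheme described above, reimplemented as an added analyst helper (not code from the blog or from the malware). It assumes the key repeats when the data is longer than the 16-byte key, and it restores base64 padding because the key as quoted on the page is one '=' short; decoding the quoted filename string with the quoted key yields "CryptoClipWatcher".

```python
import base64
import string

# Key string exactly as quoted on the page (it lacks one '=' of padding).
PAGE_KEY = "UUdkUzZTQkFtMXlKTkE3Zw="
# Encoded original filename as quoted on the page.
PAGE_FILENAME = "EjUdI0I8AS0EQS4rOiJfAiM="

PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def b64_decode_lenient(s: str) -> bytes:
    """Base64-decode a string, restoring any '=' padding lost in transit."""
    s = s.strip()
    return base64.b64decode(s + "=" * (-len(s) % 4))


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumption: the key wraps for longer inputs)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_string(encoded: str, encoded_key: str = PAGE_KEY) -> str:
    """Apply the malware's scheme: base64-decode both values, then XOR."""
    plain = xor_with_key(b64_decode_lenient(encoded), b64_decode_lenient(encoded_key))
    return plain.decode("latin-1")


def decode_candidates(candidates, encoded_key: str = PAGE_KEY) -> dict:
    """Try every base64-looking string pulled from a sample; keep the ones
    whose XOR-decoded output is fully printable (likely real config strings)."""
    found = {}
    for cand in candidates:
        try:
            raw = xor_with_key(b64_decode_lenient(cand), b64_decode_lenient(encoded_key))
        except (ValueError, base64.binascii.Error):
            continue
        if raw and all(b in PRINTABLE for b in raw):
            found[cand] = raw.decode("ascii")
    return found


if __name__ == "__main__":
    # Constructed candidate list: the page's string plus two junk strings.
    sample = [PAGE_FILENAME, "AAAAAAAAAAAAAAAA", "not base64!!"]
    for enc, dec in decode_candidates(sample).items():
        print(f"{enc} -> {dec}")
```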