In what may prove to be a world first security researcher’s at ESET discovered a piece of clipper malware which replaces victims Bitcoin and Ethereum wallet addresses with the attackers own. Clipper malware, often also referred as a clipboard hijacker, is designed to access the computer’s data buffer, commonly referred to as the clipboard, for anything that resembles a cryptocurrency wallet address. If such an address is found those addresses are removed and replaced with the attackers in the hope that the victim will transfer funds to the attacker's address. Given that wallet addresses are long and far from easily recalled from memory clippers are proven a low tech but effective means of stealing from victims.
Detected as Android/Clipper.C by ESET researchers, the malware masquerades as the legitimate service MetaMask in order to trick users to download the malware. These malware strains have not been seen in large amounts targeting mobile devices. Rather, the majority of instances have been seen infecting desktop devices. They are still incredibly new malware with Windows PC’s seen infected in the wild in 2017. It arrived on Android in 2018 but only on non-official app stores, known for distributing various malware variants to those not using official app stores that have a level of protection. That was until February 1, 2018, when researchers discovered the clipper on Google Play Store, Android’s official app store.
In the report published by ESET researchers pointed out the intended victims of this malware are users of the mobile version of MetaMask, a service designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node. It is important to note that MetaMask only offers only add-ons for desktop browsers such as Chrome and Firefox, but no mobile application. This lack of a mobile application presented cybercriminals with an opportunity to trick users into believing they are legitimate programs for the service by being a natural evolution of modern programs to provide mobile apps.
According to ESET, the clipper is only one of the malicious software impersonating MetaMask that was found in Google Play and possibly the first. Previously discovered malware, however, was phishing for sensitive information, attempting to take over the victims’ crypto-currency wallets rather than just replacing a wallet address. To stay protected, users are advised to always check the official website of the app developer or service provider for a link to the official app, to make sure they download and install legitimate software. Users should also double-check every step in all transactions that involve valuables, regardless of whether sensitive information or money, especially when using the clipboard (in which case, they should make sure the pasted content is the same as the copied one. Further by keeping your device up to date will further help prevent such infections.
Coin Miners Still Been Distributed
It is not only clippers that users and particularly those invested in cryptocurrency need to be aware of. Recently security researchers at TrendMicro discovered a new coin miner infecting Linux systems. For many researchers the distribution of coin miners were the majority of malware detections in 2018. The latest miner is very similar to KONKERDS, discovered in November 2018, in terms of code. As part of the attack, an initial script is served to the intended target to delete a number of known Linux malware variants like coin miners, and connections to other miner services and ports, and then download the mining binary. While similar to KONKERDS the new miner, detected by TrendMicro as Coinminer.Linux.MALXMR.UWEIU, actively targets the KORKERDS miner and the rootkit component, deleting the components of the very malware it copied the code from.
The script also downloads a modified version of the crypto-currency mining malware XMR-Stak, a universal Stratum pool miner capable of leveraging both CPU and GPU power to mine for Cryptonight currencies. The infection, Trend Micro’s researchers say, started from some IP cameras and web services via TCP port 8161, where the attacker tries to upload a crontab file that downloads and runs a shell script as a JPG image. The script then kills previously installed malware, coin miners, and all related services referenced to an accompanying malware, and also creates new directories, files, and stop processes with connections to identified IP addresses. Next, the script downloads the coin miner code and another script and then creates a new crontab to call the script at 1 a.m. It also downloads the shell script itself (the JPG file) and puts it in different crontabs. A crontab, short for Cron Table, is a file which contains the schedule of cron entries to be run and at specified times with a cron being a daemon which runs at the times of system boot from /etc/init.d scripts. If needed it can be stopped, started, or restart using init script or with command service crond start in Linux systems. By downloading the coin miner code and creating a new crontab that calls at 1 a.m. the attackers are helping ensure the malware persists on the victim's system and remain undetected.
TrendMicro concluded that,
“While a malware routine that includes the removal of other malware in the system is not new, we’ve never seen the removal of Linux malware from the system on this scale. Removing competing malware is just one way cybercriminals are maximizing their profit. Enterprises can protect themselves from various kinds of evolving attacks by making sure their systems have downloaded the latest patches released by legitimate vendors. Cryptocurrency-mining malware or coin miners use CPU and GPU resources, making systems run slowly. Having a multilayered protection system in place helps IT administrators immediately detect, prevent, and resolve malware infections such as coin miners and stops them from affecting the network and hindering regular enterprise operations.”