ComboJack Trojan Replaces Cryptocurrency Addresses Copied to Windows Clipboard

[Faybert]

Security researchers have discovered a new malware strain that is capable of detecting when users copy a cryptocurrency address to the Windows clipboard. The malware works by replacing this address with one owned by its author.

Named ComboJack, this malware is similar to Evrial and CryptoShuffler. The difference between ComboJack and the two is that ComboJack supports multiple cryptocurrencies, not just Bitcoin.

ComboJack targets multiple cryptocurrencies
According to Palo Alto Networks, ComboJack can detect whenever the user has copied a cryptocurrency address for Bitcoin, Litecoin, Ethereum, and Monero, but also for other digital payment systems such as Qiwi, Yandex Money, and WebMoney (USD and ruble payments).

ComboJack is under active distribution, Palo Alto said today. The company says it detected this malware as the final payload of a malspam campaign targeting Japanese and American users.
.........................
.........................

 

[upnorth]

CVE-2017-8579 is Windows 10 and Windows 2016 server only. Kill/restrict PowerShell seams to be the correct action, again and I'm curious in this specific case if not using Windows built-in clipboard would help as there alot of other options available? Tools like Keyscrambler also comes in mind how ComboJack would react.