Ad Home

New ComboJack Malware Steals Cryptocurrency by Modifying Addresses !

New ComboJack Malware Steals Cryptocurrency by Modifying Addresses !

A new cryptocurrency-stealing malware dubbed as ComboJack has been discovered by Palo Alto Networks Unit 42 and Proofpoint researchers. It has been targeting cryptocurrencies and digital wallets belonging to American and Japanese users while the malware is being distributed via email spam campaign.

Fake Passport Email
The malicious emails contain the subject line “Re: passport…” The attackers trick recipients into opening a PDF attachment that supposedly contains a scanned copy of a passport the recipient has mistakenly left in the email sender’s office. The file does not show the scanned passport image but displays a request to open another file, which is actually an embedded RTF file. This RTF file contains an embedded remote object.

This object attacks an old DirectX flaw (classified as CVE-2017-8579) and loads an HTA script. The script runs a PowerShell script to download the malware. Microsoft DirectX is basically a collection of APIs that manages multimedia related tasks on Windows OS.

After the malware is downloaded, it makes sure that it stays on the device for which it keeps itself hidden from the user. It then creates an infinite loop to keep checking the contents of the clipboard after half a second to assess what sorts of cryptocurrencies the victim has stored on his/her digital wallet.

ComboJack shares similarities with a previously uncovered form of malware, CryptoShuffler, although there's no indication that the two are directly related. Palo Alto Networks told ZDNet there's no indication as to who is behind ComboJack.

As ComboJack relies on exploiting a vulnerability which was patched by Microsoft in September 2017, one way users can avoid becoming a victim is to ensure that their operating system is up to date.

Users can also ensure that they don't fall victim to the malware by being wary of unexpected emails and strange attachments - especially if the message isn't directly addressed to them.

No comments