CryptoShuffler – the malware that stole $140,000 in bitcoin savings

- Adrian Ungureanu

‘Mining’ euphoria is taking over the cyberworld, with people across the globe successfully exploiting the trend in order to generate digital money for themselves. Not mining yet? Well, you might soon be joining the swathes of users who have realized that making cryptocurrency is the new gold…

But just imagine – you successfully invest and become the owner of an online mining farm. You invest more into its maintenance, including electricity costs, and your blocks now generate digital money every day. What’s next? You’d probably like to spend your earnings, convert coins into real hard cash or transfer them to another online wallet…

But once your transactions are confirmed, what if your money goes the wrong way? Because the cryptocurrency market is unregulated and decentralized, there is no chance of recovering your hard-earned money if this happens to you. It’s lost. And it’s likely that if this has happened to you, it’s because your PC has been infected by specific malware. You’ve become the latest victim of ‘crypto’ stealers, an increasing threat according to Kaspersky Lab’s findings.

Crypto stealers were first detected in the wild several years ago. However, following the recent boom in cryptocurrency across the global markets, they are now coming back, and once again putting users’ savings at risk. Investigating the topic, Kaspersky Lab researchers have discovered a new malware – the CryptoShuffler Trojan. This malware has been designed specifically for cryptocurrency theft, and works by attacking users when they are copying and pasting destination wallet numbers during payment transactions.

So-called “clipboard hijacking” attacks like this have been previously seen in the wild, targeting online payment systems. However, experts believe cases involving a cryptocurrency host address are currently rare.

According to Kaspersky Lab’s research, the CryptoShuffler Trojan’s creator has already been operating for a year, targeting a wide range of the most popular cryptocurrencies, such as Bitcoin, Ethereum, Zcash, Dash, Monero and others. The peak in this criminal’s activity was the end of last year, followed by a quiet period that lasted until June 2017. To date, the criminal has already succeeded in attacking Bitcoin wallets, stealing 23 BTC, equivalent to almost 140,000 USD. The total amounts stolen from other wallets range from a few dollars to several thousand.

In most cryptocurrencies, if one user wants to transfer crypto coins to another, they need to know the recipient’s wallet ID – a unique multi-digit number.

This is how the CryptoShuffler malware exploits the use of these numbers:
CryptoShuffler’s mechanism is very simple and effective. After running, the Trojan starts to monitor the infected device’s clipboard. Users rely on the clipboard when making a payment: they copy wallet numbers and paste them into the “destination address” line in the software they are using to make their transaction. But the Trojan replaces the user’s wallet address with one owned by the malware creator. So, when the user pastes the wallet ID into the destination address line, it is no longer the address they originally intended to send money to. As a result, the victim transfers their money directly to criminals – with only the most attentive users spotting the swap.

The Trojan’s ability to replace a destination literally takes milliseconds. It is possible because it’s so simple to search for wallet addresses – the majority of cryptocurrency wallet addresses share the same leading characters and a fixed range of lengths. Thus, intruders can easily write simple pattern-matching rules (regular expressions) to find and replace them.

With this trick, criminals are exploiting users’ lack of attention. When making a payment, users do not usually check their multi-digit numbers. Moreover, the wallet addresses in blockchain are complicated and very difficult to remember. Users don’t pay much attention to checking any distinctive features in the transaction line, even if it is directly in front of their eyes, and even if a slight change could cost them a lot.

How can you protect yourself from these attacks
Is there any way to keep your crypto savings safe and not top up the criminals’ wallets? The simple and free method is to pay close attention during transactions, and always check the wallet number listed in the ‘destination address’ line against the one you are intending to send your coins to. You should also be aware that there is a difference between an invalid address and an incorrect address. In the first case, the error will be detected and the transaction won’t be completed. In the latter, you will never see your money again.
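To make the two points above concrete – that wallet addresses are easy to recognise by shape, and that a swapped address is “incorrect” rather than “invalid” – here is an added defender-side example. It is not code from Kaspersky Lab or from CryptoShuffler itself. It simulates a clipboard guard that remembers the last wallet address the user copied and alerts when the clipboard holds a different address at paste time, and it implements Base58Check validation to show why wallet software accepts a swapped legacy Bitcoin address but rejects a mistyped one. The address patterns, the `ClipboardGuard` class and the sample “swapped-in” address are assumptions constructed for the example; the one real address used is the public Bitcoin genesis-block address.

```python
"""Added example: clipboard-swap detection and valid-vs-incorrect address checks.
Not part of the original article or of any Kaspersky Lab product."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Address shapes (assumptions for this example, not an exhaustive list). The shared
# leading characters and fixed length ranges are what make addresses easy to spot.
ADDRESS_PATTERNS = {
    "bitcoin_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def address_kind(text: str) -> Optional[str]:
    """Return which currency family the text looks like, or None if it is not an address."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def base58check_encode(payload: bytes) -> str:
    """Encode version+hash payload with a 4-byte double-SHA256 checksum (Base58Check)."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    raw = payload + checksum
    num = int.from_bytes(raw, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = B58_ALPHABET[rem] + out
    n_leading = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes become '1's
    return "1" * n_leading + out


def base58check_valid(addr: str) -> bool:
    """An address is *invalid* if it does not decode to 25 bytes whose last 4 bytes
    match the checksum of the first 21. A swapped address passes this test: it is
    *incorrect* (not the one you meant) but perfectly valid to the wallet software."""
    num = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        num = num * 58 + idx
    n_leading = len(addr) - len(addr.lstrip("1"))
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    raw = b"\x00" * n_leading + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


@dataclass
class ClipboardGuard:
    """Hypothetical guard: remember the address the user copied, and refuse a paste
    whose clipboard content is an address that differs from it."""
    last_copied: Optional[str] = None
    alerts: list = field(default_factory=list)

    def on_copy(self, text: str) -> None:
        # Only track clipboard contents that look like a wallet address.
        self.last_copied = text.strip() if address_kind(text) else None

    def on_paste(self, clipboard_now: str) -> bool:
        """Return True if the paste is consistent with what was copied, False on a swap."""
        now = clipboard_now.strip()
        if self.last_copied is None or address_kind(now) is None:
            return True
        if now != self.last_copied:
            self.alerts.append(
                f"clipboard changed between copy and paste: copied {self.last_copied} "
                f"but clipboard now holds {now}"
            )
            return False
        return True


# Sample inputs: the public genesis-block address, a mistyped copy of it (last
# character changed), and a constructed Base58Check-valid address standing in
# for the one a hijacker would substitute.
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
MISTYPED_ADDRESS = GENESIS_ADDRESS[:-1] + "b"
SWAPPED_ADDRESS = base58check_encode(b"\x00" + b"\x11" * 20)  # constructed


def run_demo() -> dict:
    """Exercise the guard and the validator; returns results for inspection."""
    guard = ClipboardGuard()
    guard.on_copy(GENESIS_ADDRESS)
    return {
        "paste_unchanged_ok": guard.on_paste(GENESIS_ADDRESS),
        "paste_swapped_ok": guard.on_paste(SWAPPED_ADDRESS),
        "alerts": list(guard.alerts),
        "genesis_valid": base58check_valid(GENESIS_ADDRESS),
        "mistyped_valid": base58check_valid(MISTYPED_ADDRESS),   # invalid: rejected
        "swapped_valid": base58check_valid(SWAPPED_ADDRESS),     # valid but incorrect
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The guard only works because it keeps a copy of what was placed on the clipboard at copy time; a product doing this for real would hook the system clipboard rather than take the text from a function call. The validator illustrates the article’s distinction: the mistyped address fails the checksum and the transaction never goes through, while the constructed swapped address is fully valid, so nothing but the user’s own comparison catches it.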

Another way to stay protected is to install a security solution, like the Safe Money feature in flagship Kaspersky Lab solutions. This scans for vulnerabilities that are known to be exploited by cybercriminals, constantly checks for specialized malware, guards transactions from intrusion with the help of Protected Browser technology and, what’s more, specifically protects the clipboard, where sensitive data can be stored briefly during copy/paste operations.