New Clipper Malware Targets Portuguese Cryptocurrency Users


April 05, 2023Ravie LakshmananCyber/Malware Threats

Clippers Malware

Portuguese users are targeted by new malware with code names CryptoClippy who was able to steal cryptocurrency as part of a malvertising campaign.

The activity leverages SEO Poisoning techniques to lure users searching for “WhatsApp web” to a rogue domain hosting malware, Palo Alto Networks Unit 42 said in a new report published today.

CryptoClippy, a C-based executable, is a type of cryware known as clipper malware that monitors a victim’s clipboard for content matching cryptocurrency addresses and replaces them with wallet addresses under the control of a threat actor.

“The clipper malware uses regular expressions (regexes) to identify what type of cryptocurrency is associated with the address,” said Unit 42 researchers.

“It then replaces the clipboard entry with a visually similar but adversary-controlled wallet address for the corresponding cryptocurrency. Then, when the victim pastes the address from the clipboard to perform the transaction, they actually send the cryptocurrency directly to the threat actor.”

Clippers Malware

The illicit scheme is estimated to have netted its operators about $983 so far, with victims found in the manufacturing, IT services, and real estate industries.

It should be noted that the use of poisoned search results to deliver malware has been adopted by threat actors associated with GootLoader malware.


Learn to Secure Identity Perimeter – A Proven Strategy

Improve your business security with our upcoming cybersecurity webinar led by our experts: Explore the Identity Perimeter strategy!

Don’t Miss It – Save Your Seat!

Another approach used to determine suitable targets is the traffic redirection system (TDS), which checks whether the preferred browser language is Portuguese and if so, redirects the user to a bogus landing page.

Users who do not meet the required criteria are redirected to the legitimate WhatsApp Web domain without further malicious activity, thus avoiding detection.

The findings arrived days after SecurityScorecard detailed an information thief being called out Lumma which is capable of harvesting data from web browsers, cryptocurrency wallets, and various applications such as AnyDesk, FileZilla, KeePass, Steam, and Telegram.

Found this article interesting? Follow us on Twitter And LinkedIn to read more exclusive content we post.


Source link

Related Articles

Back to top button