A new cryptocurrency-stealing malware dubbed ComboJack has been discovered by researchers. It targets cryptocurrencies and digital wallets belonging to American and Japanese users, and it is being distributed through an email spam campaign.
The malicious emails carry the subject line “Re: passport…”. The attackers trick recipients into opening a PDF attachment that supposedly contains a scanned copy of a passport the recipient left behind in the sender’s office. The file does not show a scanned passport; instead it prompts the user to open another file, which is actually an embedded RTF document. That RTF file contains an embedded remote object.
This object exploits an old DirectX flaw (CVE-2017-8579) and loads an HTA script, which in turn runs a PowerShell script to download the malware. Microsoft DirectX is a collection of APIs that handles multimedia-related tasks on Windows.
Once the malware is downloaded, it establishes persistence on the device and hides itself from the user. It then enters an infinite loop that checks the clipboard contents every half second to see whether the victim has copied a cryptocurrency wallet address, and of which currency.
When it finds one, ComboJack replaces the address on the clipboard with an attacker-controlled address for the same currency, so the funds are sent to the attacker’s wallet instead of the intended recipient’s. This is the same tactic used by the CryptoShuffler malware (identified in 2017), and like CryptoShuffler it relies on victims not double-checking the destination wallet address before sending a transfer.
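To make the clipboard-swapping mechanism concrete, here is an added example (not ComboJack’s code and not from the researchers’ report) that models both sides: a hijack loop of the kind described above, which classifies whatever is on the clipboard and substitutes an attacker-controlled address of the same currency, and the defensive check a user or endpoint agent can apply, which flags a wallet address that went onto the clipboard and came back different. The address patterns, the Base58Check routine and the attacker wallet table are all assumptions constructed for the example; the real clipboard is replaced by a scripted list of copied items so the code runs offline.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Address shapes for the currencies named in the article. These patterns are an
# assumption made for this example: they cover the common formats (legacy and
# bech32 for Bitcoin/Litecoin, hex for Ethereum, standard/subaddress for Monero),
# not every encoding those networks support.
ADDRESS_PATTERNS = {
    "bitcoin":  re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{25,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(r"^(?:[LM][1-9A-HJ-NP-Za-km-z]{26,33}|ltc1[02-9ac-hj-np-z]{25,59})$"),
    "monero":   re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(version: int, payload: bytes) -> str:
    """Base58Check-encode a version byte plus payload (the legacy Bitcoin/Litecoin
    address format). Used here only to build syntactically valid sample addresses."""
    raw = bytes([version]) + payload
    data = raw + _sha256d(raw)[:4]
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def b58check_valid(addr: str) -> bool:
    """True if the string is Base58 and its trailing 4-byte checksum matches."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(addr) - len(addr.lstrip("1"))
    data = b"\x00" * leading_ones + body
    if len(data) < 5:
        return False
    return _sha256d(data[:-4])[:4] == data[-4:]


def classify(text: str) -> Optional[str]:
    """Return the currency whose address format the clipboard text matches, or
    None. Legacy Base58 addresses must also pass their checksum to count."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if not pattern.match(s):
            continue
        if name in ("bitcoin", "litecoin") and not s.startswith(("bc1", "ltc1")):
            return name if b58check_valid(s) else None
        return name
    return None


# Constructed stand-ins for attacker-controlled wallets. These are NOT ComboJack's
# real addresses; they only need the right shape for the example.
ATTACKER_WALLETS: Dict[str, str] = {
    "bitcoin":  b58check_encode(0x00, b"\xaa" * 20),
    "ethereum": "0x" + "ab" * 20,
    "litecoin": b58check_encode(0x30, b"\xbb" * 20),
    "monero":   "4" + "A" * 94,
}


def hijack_clipboard(contents: str, swap_table: Dict[str, str]) -> str:
    """One iteration of a ComboJack-style poll: if the clipboard holds a recognised
    wallet address, return the attacker's address for that currency instead."""
    kind = classify(contents)
    return swap_table.get(kind, contents) if kind else contents


@dataclass
class ClipboardEvent:
    copied: str   # what the user placed on the clipboard
    pasted: str   # what came back when the user pasted


def detect_swap(event: ClipboardEvent) -> Optional[str]:
    """Defender-side check: alert when a wallet address was copied and a
    different string came back on paste."""
    kind = classify(event.copied)
    if kind is not None and event.copied.strip() != event.pasted.strip():
        return f"{kind} address on clipboard was replaced"
    return None


def simulate_session(copied_items: List[str],
                     swap_table: Dict[str, str]) -> List[Tuple[str, Optional[str]]]:
    """Replay a sequence of clipboard writes through the hijack loop (which the
    real malware runs every half second) and the detector. Returns, per item,
    the value the user would paste and the detector's alert, if any."""
    results = []
    for item in copied_items:
        pasted = hijack_clipboard(item, swap_table)
        results.append((pasted, detect_swap(ClipboardEvent(item, pasted))))
    return results
```

The detector is deliberately simple: it does not need to know the attacker’s addresses, only that the text that went onto the clipboard was a wallet address and that it changed before coming back out. That is exactly the manual check the article says victims skip, and it is also why a user who compares the first and last few characters of the pasted address against the intended one defeats this whole class of malware.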
One feature that differentiates ComboJack from CryptoShuffler is that the latter only stole Bitcoin, whereas ComboJack targets a broad range of currencies besides Bitcoin, including Ethereum, Litecoin and Monero, and also funds transferred through the Qiwi, Yandex Money and WebMoney payment services. That breadth is presumably why researchers dubbed the malware ComboJack: it can steal funds across multiple cryptocurrencies and payment systems.