
Crypto enthusiasts, you’ve been warned. A technical support site, Bleeping Computer (BC), is sending a loud message to users to double-check cryptocurrency wallet addresses before sending transactions due to a serious issue with a particular piece of malware. The malware is able to redirect transactions and its creators are said to now be monitoring over two million cryptocurrency addresses.

According to a notice on the company’s website, the malware monitors the Windows clipboard for crypto wallet addresses. BC founder and computer forensics scientist Lawrence Abrahams explained, “This type of malware, called CryptoCurrency Clipboard Hijackers, works by monitoring the Windows clipboard for cryptocurrency addresses, and if one is detected, will swap it out with an address that they control.”

BC also indicated that the malware could be monitoring up to 2.3 million addresses, all of which are at risk of being replaced by addresses that are controlled by the hackers. The malware sits in the background with no evidence that it is running, making it extremely difficult to know that a computer has been infected.

“…[It] is important to always have an updated antivirus solution installed to protect you from these types of threats. It is also very important that all cryptocurrency users double-check any addresses that they are sending cryptocoins to before they actually send them,” said Abrahams.

The Windows Clipboard malware has been seen in the past. However, it is now making a comeback and spreading deeper. This latest version was hidden in an executable called ‘All-Radio 4.27 Portable.’ The actual program is legitimate; however, the malware authors copied it and created a fake version that includes the virus. After the application is installed, a DLL file called d3dx11_31.dll is downloaded to the Windows Temp folder and another file called ‘DirectX 11’ is queued to run the DLL as soon as a user logs onto the computer.

A video on how the infection works can be found on YouTube. While it is possible to remove the infection, the process is not an easy one and could require specialized technical assistance to ensure that all traces of the malware are removed from an infected machine.
