‘Bitcoin Investment’ phishing campaign delivers clipboard hijacker malware

• A new phishing campaign disguised as ‘Bitcoin Investment Update’ delivers a clipboard hijacker malware in order to steal Bitcoins from victims.
• ‘Task.exe’ clipboard hijacker monitors the Windows Clipboard for bitcoin addresses and if any detected, it will swap it for the bitcoin address owned by the attacker.

What is the issue - A new phishing campaign disguised as ‘Bitcoin Investment Update’ delivers clipboard hijacker malware in order to steal Bitcoins from victims.

The big picture

Researchers from My Online Security detailed the steps taken in this new phishing campaign that delivers clipboard hijackers.

• The phishing emails include malicious JSE file attachment, which is a JavaScript file that contains a Base64 encoded executable.
• Once recipients open the attachment, the JSE file gets executed.
• Once the JSE file is executed, it will decode the Base64 encoded executable file and save it to %Temp%\rewjavaef.exe.
• Once the Base64 file is executed, ‘Task.exe’ file will be saved to %AppData%\svchost.exe\ folder and executed.
• ‘Task.exe’ file is the actual payload, the clipboard hijacker malware that is based on the open source BitPing program.
• A startup file named ‘svchost.exe.vbs’ will be created in the user's Startup folder to ensure the malware starts every time victims logs into Windows.

Why it matters - ‘Task.exe’ clipboard hijacker monitors the Windows Clipboard for bitcoin addresses and if any detected, it will swap it for the bitcoin address (3MSghqkGW8QhHs6HD3UxNVp9SRpGvPkk5W) that is owned by the attacker.

• Since bitcoin addresses are very long and difficult to remember, users usually copy and paste the bitcoin address.
• What this malware does is that it detects the copied bitcoin address in the clipboard and replaces the address with the address owned by the attacker.
• Therefore, when users send bitcoins to the intended address, it would be sent to the address owned by the attacker.

“As cryptocurrency addresses are typically long and hard to remember, attackers understand that when sending bitcoins, most people will copy an address from another page, site, or program. This malware will detect the copied address in the clipboard and replace it with their own in the hopes the victim won't notice the swap,” researchers said.

What should you do to protect yourself?

• Researchers recommend users to never open any email or attachment that come from anonymous senders.
• They recommend users to never run attachments such as JSE, JS, VBS, CMD, PS1, EXE, and BAT files that could execute commands on computers.