Portuguese users should be wary of CryptoClippy, a new form of malware targeting them in a malvertising campaign. This malware is capable of stealing cryptocurrency if unsuspecting users are not careful.
CryptoClippy
CryptoClippy is malware that operates as a cryptocurrency clipper. The primary function of this malicious software is to monitor the victim’s clipboard and to recognize instances where the victim copies a cryptocurrency wallet address. Once identified, the malware replaces the copied wallet address with the attacker’s.
“It then replaces the clipboard entry with a visually similar but adversary-controlled wallet address for the appropriate cryptocurrency. Later, when the victim pastes the address from the clipboard to make a transaction, they are actually sending cryptocurrency directly to the threat actor.”
Another approach used to select suitable targets is a traffic direction system (TDS), which checks whether the browser's preferred language is Portuguese and, if so, redirects the user to a rogue landing page.
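The clipboard-substitution behaviour described above can be checked for from the defender's side by comparing the address a user copied with what the clipboard actually holds at paste time, and by measuring how much of the original address the replacement preserves (the "visually similar" property the article quotes). The following Python is an added example written for this page, not code from the original article or from any vendor report; the address patterns, the `check_paste` helper and the sample addresses are all constructed for illustration.

```python
import re

# Address patterns for common clipper targets (constructed for this example;
# real clippers typically cover more currencies than these three).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_type(text):
    """Return the wallet type a string looks like, or None if it is not an address."""
    text = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def shared_affix(a, b):
    """Length of the common prefix and suffix of two strings.

    Clippers keep the first and last characters of the victim's address so a
    quick glance does not reveal the swap; a long shared affix with a different
    middle is the signature of that trick.
    """
    limit = min(len(a), len(b))
    prefix = 0
    while prefix < limit and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < limit - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix, suffix


def check_paste(copied, pasted):
    """Compare what the user copied with what the clipboard holds when pasting.

    `copied` is the text the application itself placed on the clipboard (or the
    address the user selected); `pasted` is what comes back from the clipboard.
    Returns a verdict dict; tampered=True means the address was replaced.
    """
    copied_type = address_type(copied)
    if copied_type is None:
        return {"tampered": False, "reason": "copied text is not a wallet address"}
    if copied.strip() == pasted.strip():
        return {"tampered": False, "reason": "clipboard unchanged"}
    prefix, suffix = shared_affix(copied.strip(), pasted.strip())
    return {
        "tampered": True,
        "reason": "wallet address was replaced in the clipboard",
        "copied_type": copied_type,
        "pasted_type": address_type(pasted),
        "shared_prefix": prefix,
        "shared_suffix": suffix,
    }


if __name__ == "__main__":
    # Constructed sample: an ETH address and a look-alike that keeps the first
    # four and last four hex digits but changes everything in between.
    copied = "0xAAAA11112222333344445555666677778888BBBB"
    pasted = "0xAAAA00000000000000000000000000000000BBBB"
    print(check_paste(copied, pasted))
    print(check_paste(copied, copied))
```

A wallet or exchange front end can run this comparison just before submitting a transaction and refuse to proceed when `tampered` is true; the `shared_prefix`/`shared_suffix` values make the "looks the same at a glance" substitution visible to the user in the warning.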
Indicators of Compromise
- 7db350f9ec3adb2b7f9a3e9e58c69112b5a7e2ed0337a1c4ac55c9a993116f5c
- 15f9645e5621e87c96aa6c3497dde36ba83ec80d5f8f43c7cd809e8a636444e5
- 096983764a75f1c0bab73dd2dea8b1e035ec1a03399fab97c71349a26856b759
- f22683e9d2a6e72b3149ef1f26392a1e080ae5f2f004543f2a45732eb78d1e98
- c6c486800bcc9d935931c2c6fbde031942d288a124a60beb1e5d38949105b2ad
- b6ab39b49d7d5752dbdade697a76e96d518b1b2df00c344772782c8f5950361e
- 766d25d37210ddc3f1afa84e597b3acdbf6dfb0917451f4a344ca5e570adb063
- c88c98930181b6038a0565d9bc08ece16995ecbb01821eee6c5dd3772db694f8
- 5a1ce64e4fa19531a3222554bbe99aa6aeadb639d51b2a308648cb6e0fa55c05
- 89d7c8c7846068c4f618f80d18944f2fcf47cbebe7390d73c1f16ef0ed48d90b
- tunneldrive[.]com – 104[.]21.7.130:80
- mydigitalrevival[.]com – 172[.]67.160.80:80
- hollygap[.]com – 172[.]67.134.21:443, 104[.]21.5.250:443
- yogasmob[.]com
- preflightdesign[.]com
- pickconferences[.]com