A team of researchers from Kaspersky Lab has revealed a new campaign aimed at stealing cryptocurrencies. According to the company, cybercriminals use the CryptoClipper Trojan, which is distributed on third-party Internet resources under the guise of the Tor browser. Once on the system, the program disguises itself with the icon of a popular application, for example, uTorrent, and registers itself in autorun. As soon as the clipper malware finds an address in the clipboard that looks like a crypto wallet, it immediately replaces it with one of the addresses belonging to the attacker.
More than 15,000 users from 52 countries encountered the malicious campaign, with most of the attacks recorded in Russia. The US, Germany, Uzbekistan, Belarus, China, the Netherlands, the UK and France also made it into the top ten countries in terms of the number of victims.
According to experts, in 2023, more than $400,000 worth of cryptocurrencies were stolen with the help of malware. In addition, the clipper is able to replace the addresses of Bitcoin, Ethereum, Litecoin, Dogecoin and Monero crypto wallets.
According to the company, the clipper malware is dormant most of the time, making it hard to spot in the system. Most malware requires a communication channel between the operator and the victim's system, but CryptoClipper operates without communication and is completely autonomous. Such programs can therefore stay in the user's system for years without showing any sign of their presence, until they achieve their goal: replacing the address of the victim's crypto wallet.
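Because the clipper produces no network traffic, the substitution itself is the observable event. The following added example (not from Kaspersky or the original article) scans a recorded clipboard history for one wallet-shaped value being replaced by a different value of the same shape within a short interval. The address patterns are coarse shape checks, and the one-second threshold, function names and sample events are assumptions constructed for illustration.

```python
import re

# Coarse address shapes for the currencies the article names.
# Assumption: shape only, no checksum validation; false positives are possible.
SHAPES = {
    "bitcoin": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71}"),
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "litecoin": re.compile(r"[LM][1-9A-HJ-NP-Za-km-z]{26,33}|ltc1[02-9ac-hj-np-z]{11,71}"),
    "dogecoin": re.compile(r"D[1-9A-HJ-NP-Za-km-z]{33}"),
    "monero": re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}"),
}

def address_kind(text):
    """Return the currency whose address shape the text matches, or None."""
    value = text.strip()
    for kind, shape in SHAPES.items():
        if shape.fullmatch(value):
            return kind
    return None

def find_swaps(events, max_gap_ms=1000):
    """Flag consecutive clipboard values where an address is replaced by a
    different address of the same kind within max_gap_ms (assumed threshold)."""
    alerts = []
    for (t0, raw_before), (t1, raw_after) in zip(events, events[1:]):
        before, after = raw_before.strip(), raw_after.strip()
        kind = address_kind(before)
        same = before.lower() == after.lower() if kind == "ethereum" else before == after
        if kind and kind == address_kind(after) and not same and t1 - t0 <= max_gap_ms:
            alerts.append({"kind": kind, "copied": before, "replaced_by": after, "gap_ms": t1 - t0})
    return alerts

def paste_matches_intent(intended, pasted):
    """Pre-send check: compare the whole string, not only its first and last characters."""
    return intended.strip() == pasted.strip()

# Constructed clipboard history: (milliseconds, content). Addresses are made-up strings.
SAMPLE_EVENTS = [
    (0, "meeting notes"),
    (5000, "0x" + "ab" * 20),
    (5040, "0x" + "cd" * 20),   # same shape, different value, 40 ms later
    (90000, "0x" + "ef" * 20),  # the user copies another address much later
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

A user-side equivalent is `paste_matches_intent`: compare the full pasted address against the one obtained from the recipient before confirming a transfer.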