This sneaky hijack malware replaces your crypto addresses with lookalikes
A brand new clipper malware has been found that takes cryptocurrency theft to a whole new level, researchers claim.
Clippers are a known security threat: they are malware variants that monitor the clipboard of a Windows-powered endpoint, and when they see that a user has copied a cryptocurrency wallet address to the clipboard, they replace it with an attacker’s address. That way, when the victim sends their money, they are essentially sending it to a wallet belonging to the attackers.
But the attack is quite easy to spot, especially for more security-conscious users (which crypto users generally are) – all it takes is comparing a few characters of the copied address against the pasted address to see whether they match. Usually users would check the last few characters.
Generate countless addresses?
That’s exactly the security measure the new Laplas Clipper aims to eliminate, and it does so by generating addresses that are seemingly identical to the authentic ones.
How exactly Laplas does this is not yet clear, Cyble researchers said, as the process takes place on the attacker’s server and crypto addresses are sometimes a string of more than 40 characters.
One of the possible answers is that the malware operators have generated countless addresses in advance, and the tool only uses the one that is most similar to the authentic one at the moment.
When BleepingComputer put the clipper to the test, the results were mixed. While bitcoin addresses matched the first and last few characters, Ethereum addresses weren’t even close. In general, the clipper looks for addresses of the following types: Bitcoin, Ethereum, Bitcoin Cash, Litecoin, Dogecoin, Monero, Ripple, ZCash, Dash, Ronin, Tron and Steam Trade URL.
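The spot check described above fails against a lookalike because it compares only the ends of the address. As an added example (not code from Cyble, BleepingComputer or the original article), the following Python sketch compares the full copied and pasted strings and flags the case where only the visible ends agree. The regular expressions are shape-only assumptions with no checksum validation, and the sample addresses are constructed placeholders.

```python
import re

# Shape-only patterns: (length of fixed tag, regex). No checksum validation.
KINDS = {
    "bitcoin-legacy": (1, re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")),
    "bitcoin-bech32": (3, re.compile(r"bc1[02-9ac-hj-np-z]{11,71}")),
    "ethereum": (2, re.compile(r"0x[0-9a-fA-F]{40}")),
}

def address_kind(text):
    """Return the address shape that text matches, or None."""
    for kind, (_, pattern) in KINDS.items():
        if pattern.fullmatch(text.strip()):
            return kind
    return None

def shared_ends(a, b):
    """Count leading and trailing characters on which a and b agree."""
    def run(pairs):
        n = 0
        for x, y in pairs:
            if x != y:
                break
            n += 1
        return n
    return run(zip(a, b)), run(zip(reversed(a), reversed(b)))

def check_paste(copied, pasted, glance=4):
    """Classify a paste; glance = characters a user eyeballs at either end."""
    copied, pasted = copied.strip(), pasted.strip()
    kind = address_kind(copied)
    if kind is None:
        return "not-an-address"
    if copied == pasted:
        return "match"
    if address_kind(pasted) != kind:
        return "changed"
    prefix, suffix = shared_ends(copied, pasted)
    fixed = KINDS[kind][0]  # tag that every address of this kind shares
    # Same shape and same visible ends but a different body: the spot check
    # on a few characters passes, the full comparison does not.
    if suffix >= glance or prefix - fixed >= glance:
        return "lookalike-swap"
    return "swap"

# Constructed sample values, not real wallet addresses.
COPIED = "1Kq7" + "A" * 26 + "9fXz"
LOOKALIKE = "1Kq7" + "B" * 26 + "9fXz"
UNRELATED = "1" + "C" * 33

if __name__ == "__main__":
    for pasted in (COPIED, LOOKALIKE, UNRELATED):
        print(pasted[-4:], check_paste(COPIED, pasted))
```

The lookalike sample ends in the same four characters as the copied one, so a last-four comparison accepts it while the full comparison reports a swap.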
The tool comes in a subscription model, with prices of $29 for one Sunday, $59 for one month, $159 for three months, $299 for half a year, and $549 for a full year.
Via: BleepingComputer