Woburn, MA – March 28, 2023 — Kaspersky researchers have discovered an ongoing cryptocurrency theft campaign affecting more than 15,000 users across 52 countries. Distributed under the guise of Tor Browser, the malware watches the clipboard and, once it detects a cryptocurrency wallet address there, silently replaces it with the cybercriminal's own wallet address, so that the victim's next paste sends funds to the attacker. Thus far in 2023, it is estimated that cybercriminals have stolen approximately $400,000 using this malware.
While this technique has been around for more than a decade and originally used by banking Trojans to replace bank account numbers, with the rise of cryptocurrency, this new type of malware is now actively targeting crypto owners and traders.
One recent development involves the abuse of Tor Browser, the browser used for anonymous access to the Tor network. The target user downloads a Trojanized version of Tor Browser from a third-party site as a password-protected RAR archive; the password exists to stop security solutions from scanning the archive's contents. Once the payload is dropped onto the user's system, it registers itself for auto-start and masquerades with the icon of a popular application, such as uTorrent.
Kaspersky technologies have detected more than 15,000 attacks using clipboard injector malware targeting cryptocurrencies like Bitcoin, Ethereum, Litecoin, Dogecoin, and Monero. These attacks have spread to at least 52 countries worldwide, with the majority of detections in Russia due to users downloading the infected Tor Browser from third-party websites as this browser is officially blocked in the country. The top 10 affected countries also include the United States, Germany, Uzbekistan, Belarus, China, the Netherlands, the United Kingdom, and France.
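The substitution described above (detect an address-shaped string in the clipboard, swap it for the attacker's wallet) and the only user-side check that works against it (compare what you copied with what you are about to paste) are small enough to show end to end. The following is an added example written for this page, not code from Kaspersky's research or from the malware itself: the address patterns are approximate and are an assumption about how a clipper recognises the coins the release names, the sample clipboard text and wallet strings are constructed (not real wallets), and the OS clipboard is replaced by plain strings so the script runs offline.

```python
import re

# Constructed, approximate "looks like a wallet address" patterns for the coins named in
# the release. They are assumptions for this example: the real clipper's matching logic
# is not published here, and real address validation also checks a checksum.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"   # Bitcoin-style base58 alphabet: no 0, O, I, l
BECH32 = r"[02-9ac-hj-np-z]"       # bech32 data charset: no 1, b, i, o
WALLET_PATTERNS = {
    "BTC":  re.compile(rf"\b(?:[13]{BASE58}{{25,34}}|bc1{BECH32}{{39,59}})\b"),
    "ETH":  re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "LTC":  re.compile(rf"\b(?:[LM]{BASE58}{{26,33}}|ltc1{BECH32}{{39,59}})\b"),
    "DOGE": re.compile(rf"\bD{BASE58}{{33}}\b"),
    "XMR":  re.compile(rf"\b[48]{BASE58}{{94}}\b"),
}


def find_addresses(text):
    """Return [(coin, address)] for every address-shaped token in text, in order of appearance."""
    found = []
    for coin, pat in WALLET_PATTERNS.items():
        for m in pat.finditer(text):
            found.append((m.start(), coin, m.group()))
    return [(coin, addr) for _, coin, addr in sorted(found)]


def clipper_rewrite(clipboard, attacker_wallets):
    """Simulate the clipper's behaviour: every address whose coin the attacker holds a
    wallet for is swapped for that wallet. Returns (rewritten clipboard, coins swapped).
    Note there is no network traffic here at all; the only observable event is the
    clipboard changing on its own."""
    swapped = []
    for coin, pat in WALLET_PATTERNS.items():
        target = attacker_wallets.get(coin)
        if not target:
            continue

        def swap(m, coin=coin, target=target):
            if m.group() != target:          # already the attacker's: nothing to do
                swapped.append(coin)
            return target

        clipboard = pat.sub(swap, clipboard)
    return clipboard, swapped


def detect_swap(user_copied, clipboard_now):
    """Defender-side check: the user knows what they copied. If the clipboard now holds a
    different address of the same coin in the same position, something rewrote it.
    Returns [(coin, address_copied, address_now)]."""
    before = find_addresses(user_copied)
    after = find_addresses(clipboard_now)
    return [(c1, a1, a2)
            for (c1, a1), (c2, a2) in zip(before, after)
            if c1 == c2 and a1 != a2]


# Constructed sample data (not real wallets): what the victim copied, and the attacker's wallets.
VICTIM_COPY = ("Send 0.5 BTC to " + "1Victim" + "B" * 27
               + " and the fee in ETH to " + "0x" + "a" * 40)
ATTACKER_WALLETS = {
    "BTC": "1Atkr" + "A" * 29,
    "ETH": "0x" + "b" * 40,
}

if __name__ == "__main__":
    rewritten, swapped = clipper_rewrite(VICTIM_COPY, ATTACKER_WALLETS)
    print("clipper swapped:", swapped)
    for coin, was, now in detect_swap(VICTIM_COPY, rewritten):
        print(f"{coin}: copied {was[:6]}...{was[-4:]} but clipboard holds {now[:6]}...{now[-4:]}")
```

The detection function only works because the "user copied" value is known to the checker; on a real system that means either a clipboard-monitoring agent that records user-initiated copies and alerts on any other write, or the manual habit of comparing the first and last characters of the pasted address with the source before confirming a transfer.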
Based on the analysis of existing samples, the estimated loss for users is at least $400,000, but the actual amount stolen could be much greater as this research focuses only on Tor Browser abuse. Other campaigns may use different software and malware delivery methods as well as other types of wallets.
“Despite the fake Tor Browser attack’s fundamental simplicity, it poses a greater danger than it seems,” said Vitaly Kamluk, head of Kaspersky’s Global Research & Analysis Team for APAC. “Not only does it create irreversible money transfers, but it is also passive and hard to detect for a regular user. Most malware requires a communication channel between the malware operator and the victim’s system. On the contrary, clipboard injectors can remain silent for years, with no network activity or other signs of presence until the day they replace a crypto wallet address.”
Learn more about new Clipper malware on Securelist.com.
To keep cryptocurrency safe, Kaspersky experts also advise users:
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.