Yesterday I came across some malspam that I have not seen before and thought that I would do a quick entry for it.
This particular malware sits quietly in the background and looks for crypto currency addresses being copied and pasted between applications/pages. The interesting part of this is that once the user “pastes” the crypto address into the other application/tab, the address is changed to one that the bad actor controls. Playing around with this in my VM, I did not notice it sending anything outbound within Wireshark, and nothing came up in Process Explorer which kind of makes sense since all this is doing is changing the crypto address in memory for the paste. For a great explanation of what this type of malware is doing, check out Bleeping Computer’s article about it and also the embedded video.
And a huge thanks to @James_inthe_box for ID’ing this malware and pointing me in a better direction. Here is the Twitter thread for this particular sample.
For all the artifacts from this please see this repo. I have also provided a memory dump of the process in case anyone wants to play around with memory forensics. That can be found here.
Below are some of the strings that I found that matched up with what @James_inthe_box showed in the Twitter thread.
<Module> out.exe Program Copier MainClass Clipboard ChangedEventHandler Base58CheckEncoding ArrayExtensions HexByteConvertorExtensions Converter IDigest IMemoable KeccakDigest Pack Sha3Keccack mscorlib System Object System.Windows.Forms NativeWindow MulticastDelegate System.Threading Mutex mutex Main System.Collections.Generic Dictionary`2 dictionary Install BchCharset IsValidAddress SetClipboard ValidateEthAddress ValidateCashAddress ValidateBitcoinAddress CheckCharSet get_CH set_CH CH_Changed .ctor SetClipboardViewer ChangeClipboardChain SendMessage