Malware replaces bitcoin address in Windows clipboard
Security researchers have found a Windows Trojan called Evrial, which can, among other things, replace a bitcoin address in the Windows clipboard with another address. The malware is reportedly sold on Russian hacker forums.
MalwareHunterTeam, which discovered the malware, says that, unlike earlier variants with similar functionality, this sample is capable of more and loads the addresses from a command and control server. Modifying the address is also reportedly not limited to bitcoin addresses: the feature extends to altcoins and trade links in Steam. The idea behind the feature is that a victim with an infected system wants, for example, to transfer an amount to a cryptocurrency address and copies the address to do so. If the modified address is then pasted from the clipboard, the transfer ends up with the attacker.
The team tells Bleeping Computer that the malware is being sold on Russian hacker forums for $27. It is not clear how the malicious software spreads. Evrial is also capable of other actions, such as stealing documents and wallets or uploading screenshots. According to MalwareHunterTeam, the malicious software is recognized by about a third of the antivirus products on VirusTotal. That number may have risen since.
How successful the clipboard modification method is remains unclear. An earlier variant with similar functionality, called CryptoShuffler and discovered by Kaspersky, took in around $140,000 in bitcoins over the course of a year, according to the company, based on the bitcoin price of October of last year.
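The clipboard replacement described above can be checked for on the defensive side. The following is an added example, not code from MalwareHunterTeam, Bleeping Computer or Kaspersky: it validates legacy Base58Check bitcoin addresses and flags a clipboard history in which one valid address is replaced by a different one within a short time. The event format, the 2-second window and the sample addresses are assumptions made for the example; altcoin formats and Steam trade links are not covered.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of double SHA-256
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    """Encoder, used here only to build the constructed sample addresses."""
    raw = payload + _checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def is_base58check_address(text: str) -> bool:
    """True for a 25-byte Base58Check string with a valid checksum."""
    text = text.strip()
    if not text or any(c not in ALPHABET for c in text):
        return False
    n = 0
    for c in text:
        n = n * 58 + ALPHABET.index(c)
    zeros = len(text) - len(text.lstrip("1"))
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and raw[-4:] == _checksum(raw[:-4])

def find_swaps(events, window=2.0):
    """events: (seconds, clipboard_text) pairs in time order.
    Flags an address replaced by a different address within `window`
    seconds (assumed threshold: faster than a user would re-copy)."""
    hits, prev_t, prev = [], None, None
    for t, text in events:
        if (prev is not None and text.strip() != prev.strip()
                and t - prev_t <= window
                and is_base58check_address(prev)
                and is_base58check_address(text)):
            hits.append((t, prev, text))
        prev_t, prev = t, text
    return hits

# Constructed sample data: neither address comes from a real wallet or sample.
COPIED = b58check_encode(b"\x00" + bytes(range(1, 21)))
SWAPPED = b58check_encode(b"\x00" + bytes(range(21, 41)))
EVENTS = [(0.0, "meeting notes"), (5.0, COPIED), (5.3, SWAPPED), (60.0, "done")]

if __name__ == "__main__":
    for t, old, new in find_swaps(EVENTS):
        print(f"{t:.1f}s: clipboard address changed {old} -> {new}")
```

Because the checksum is verified, ordinary text that merely resembles an address does not trigger a hit; only a change from one well-formed address to another does.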