Tor Browser Malware Scam Targets Cryptocurrency: Over $400,000 Stolen Worldwide in 2023

Cryptocurrency has become a popular target for cybercriminals, and a new type of malware is actively being used to steal digital assets. According to Kaspersky researchers, clipboard-injector malware disguised as Tor browser installers has been used to steal approximately $400,000 in cryptocurrency from nearly 16,000 users worldwide in 2023 alone.

The attack begins when the user downloads a Trojanized version of Tor Browser from a third-party site, delivered as a password-protected RAR archive. Once the file is downloaded and run, it registers itself in the system's auto-start and disguises itself with the icon of a popular application, such as uTorrent. The malware then monitors the Windows clipboard, and when it detects a cryptocurrency wallet address, it replaces that address with one controlled by the attacker. The malware is protected with the Enigma packer v4.0, which complicates analysis.
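The substitution described above can be caught from the user's side by comparing the address that was copied with what the clipboard holds at paste time. The following is an added illustration, not code from Kaspersky or from the article; the address patterns, the verdict labels and the sample copy/paste events are all assumptions constructed for the demo.

```python
import re
from dataclasses import dataclass

# Assumed address formats a clipboard injector would look for (Base58 BTC, Bech32 BTC, Ethereum);
# a real monitor would add the chains its users actually hold.
WALLET_PATTERNS = {
    "btc-base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify_address(text: str):
    """Return a chain label when text looks like a wallet address, else None."""
    s = text.strip()
    return next((label for label, pat in WALLET_PATTERNS.items() if pat.match(s)), None)

@dataclass
class SwapCheck:
    copied: str
    pasted: str
    verdict: str  # "ok" | "swapped" | "modified" | "not-an-address"

def check_clipboard_swap(copied: str, clipboard_now: str) -> SwapCheck:
    """Compare the text the user copied with what the clipboard holds when pasting.
    An injector leaves ordinary text alone and rewrites only strings that match its
    address regexes, so the telling case is: an address went in, a different one came out."""
    if classify_address(copied) is None:
        return SwapCheck(copied, clipboard_now, "not-an-address")
    if clipboard_now.strip() == copied.strip():
        return SwapCheck(copied, clipboard_now, "ok")
    if classify_address(clipboard_now) is not None:
        return SwapCheck(copied, clipboard_now, "swapped")
    return SwapCheck(copied, clipboard_now, "modified")

# Constructed copy/paste events; the Bitcoin strings are public documentation examples.
SAMPLE_EVENTS = [
    ("1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),  # untouched
    ("1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),  # rewritten
    ("0x" + "ab" * 20, "0x" + "cd" * 20),                                          # rewritten
    ("meeting notes for monday", "meeting notes for monday"),                      # ignored
]

def run_demo():
    """Return the verdict for each constructed event, in order."""
    return [check_clipboard_swap(c, p).verdict for c, p in SAMPLE_EVENTS]

if __name__ == "__main__":
    for (copied, pasted), verdict in zip(SAMPLE_EVENTS, run_demo()):
        print(f"{verdict:15} copied={copied[:12]}... now={pasted[:12]}...")
```

On a live system the two inputs would come from a clipboard hook (recording the text at copy time and reading it back before paste); here they are supplied inline so the check runs offline.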

The attack has affected people in 52 countries, with the majority of detections in Russia, followed by Ukraine and the United States. The high number of Russian victims is likely related to the Kremlin's ban and censorship of the Tor Project. The password on the RAR archive serves to prevent detection by security solutions, so the actual number of infections may be much higher than reported.

To avoid this coin-stealing campaign, users are advised to download installers from the official Tor Project, which are digitally signed and free of malware. Kaspersky researchers estimate that the actual theft is bigger because this re