A newly identified malware, tracked as CryptoClippy, targets Portuguese-speaking users and is designed to steal cryptocurrency as part of a phishing operation.
According to a Palo Alto Networks Unit 42 report published on April 5, the campaign uses SEO poisoning to lure people searching for “WhatsApp Web” to malicious domains hosting the malware.
How does CryptoClippy work?
CryptoClippy is a C-based executable in the clipper malware family: it monitors the victim’s clipboard for content that looks like a cryptocurrency address and replaces it with a wallet address under the threat actor’s control.
As the Unit 42 researchers reported, the clipper uses regular expressions (regexes) to identify which cryptocurrency an address belongs to.
“The clipboard record is then changed to a wallet address for the relevant cryptocurrency that seems identical to the original but is actually owned by the attacker.”
When the victim later pastes the address from the clipboard into a transaction, they are sending the cryptocurrency directly to the attacker.
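The clipper behaviour described above is simple to detect from the defender’s side: if the clipboard held an address the user copied and, without any new user copy, it now holds a different address of the same family, something swapped it. The following is an added example written for this article, not code from Unit 42 or from the malware itself. The address regexes are simplified (no checksum validation) and the clipboard event log is a constructed sample; how a real agent reads the clipboard is left out as an assumption.

```python
import re

# Simplified address patterns (assumption for this example). Real validation
# would also verify checksums; pattern matching alone is enough to show the
# "same family, different address" check that exposes a clipper.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the address family a clipboard string resembles, or None."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


def detect_clipper(events):
    """Scan ordered clipboard snapshots and report silent address swaps.

    events: list of (source, text). source is "user" for a copy the user made
    and "poll" for a background read of the clipboard by a monitoring agent.
    A clipper swap appears as a "poll" whose content is a different address of
    the same family as the last thing the user copied.
    """
    findings = []
    last_user_copy = None
    for source, text in events:
        if source == "user":
            last_user_copy = text.strip()
            continue
        if last_user_copy is None:
            continue
        family_copied = classify_address(last_user_copy)
        family_now = classify_address(text)
        if family_copied and family_now == family_copied and text.strip() != last_user_copy:
            findings.append({
                "family": family_copied,
                "expected": last_user_copy,
                "observed": text.strip(),
            })
    return findings


# Constructed sample clipboard log: one Ethereum copy that is silently replaced,
# followed by ordinary text and a Bitcoin address that are left untouched.
SAMPLE_EVENTS = [
    ("user", "0x" + "a1" * 20),          # user copies an Ethereum address
    ("poll", "0x" + "a1" * 20),          # clipboard unchanged
    ("poll", "0x" + "b2" * 20),          # replaced by a different ETH address
    ("user", "hello world"),             # non-address text is ignored
    ("poll", "hello world"),
    ("user", "1AbcDefGhJkLmNpQrStUvWxYz23456789A"),
    ("poll", "1AbcDefGhJkLmNpQrStUvWxYz23456789A"),
]

if __name__ == "__main__":
    for finding in detect_clipper(SAMPLE_EVENTS):
        print("clipboard swap detected:", finding)
```

The check deliberately ignores cases where the clipboard changes to non-address content or to an address of a different family, since those are normal user copies; only a same-family substitution with no intervening user action is reported.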
The harm suffered
With victims identified in the manufacturing, IT services, and real estate industries, the operation is estimated to have earned its operators roughly $983 so far.
Notably, threat actors connected to the GootLoader malware have also begun to use poisoned search results to spread malware.
Another method for selecting suitable targets is a traffic direction system (TDS), which checks whether Portuguese is the user’s preferred browser language and redirects them to a fraudulent landing page if it is.
Users who do not meet that criterion are simply redirected to the legitimate WhatsApp Web site, which helps the campaign evade detection.
Related findings
The discovery comes days after SecurityScorecard described Lumma, an information stealer able to harvest data from web browsers, cryptocurrency wallets, and a wide range of applications including AnyDesk, Steam, and Telegram.