Clipper malware is known for replacing the user’s cryptocurrency wallet address with the hacker’s own wallet address. A wallet address is a long and random string, so it is already difficult to keep track of due to its typical format. Recently, hackers were seen targeting a private note sharing service to lure their victims with clipper malware, making the attack almost undetectable for the users.

What happened

A legitimate note sharing service, privnote[.]com, complained that someone had set up a fake clone of their site that was fooling the regular users of the service for quite some time.
  • In June 2020, KrebsOnSecurity warned users of the phishing scam that lured unsuspecting victims to a fake cloned site (privnotes[.]com).
  • A Google search for the term “privnotes” brings up a misleading paid ad for the fake site, privnotes[.]com, at the top of the search results.
  • The phishing site used an automated script to replace bitcoin wallet addresses in the message contents with a different wallet address belonging to the hackers. The self-destructing nature of these messages made the scam harder to spot.

Clipper malware exfiltrating crypto wallets

Cryptocurrency stealers have been using clipper malware to replace a wallet address in the clipboard for a long time.
  • In December 2019, a clipper malware was observed that could replace users’ crypto addresses with the hacker’s address when copying and pasting any bitcoin wallet address.
  • In September 2019, a malware strain dubbed Masad Stealer exfiltrated crypto wallets using Telegram as a communication channel. It could automatically replace cryptocurrency wallets from the clipboard with one of the threat actors’ wallets.
  • In February 2019, a first-of-its-kind clipper malware (Android/Clipper.C) was identified on Google Play. It impersonated a legitimate service called MetaMask and targeted the victim’s credentials and private keys to steal Ethereum funds.

Take precautions

Users should be extra careful about using search engines to find sites to entrust with sensitive data. Users should bookmark such sites and rely exclusively on those bookmarks instead. Beware of fake emails, phishing attempts and website offers related to bitcoin.
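As an added example (not from the original article), the Python check below compares the text a sender wrote with the text the recipient actually received and flags any Bitcoin address that was swapped in transit or in the clipboard. The function names and sample addresses are constructed for illustration, only legacy Base58Check addresses are handled, and the written text is assumed to be available through a channel other than the note service.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (Base58Check) Bitcoin addresses only: 26-35 chars, starting with 1 or 3.
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def make_address(seed, version=0):
    """Build a constructed sample address (not a real wallet) from a seed."""
    payload = bytes([version]) + hashlib.sha256(seed).digest()[:20]
    raw = payload + _checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def is_valid_address(addr):
    """Base58Check-decode and verify the 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and raw[-4:] == _checksum(raw[:-4])

def addresses(text):
    """Return checksum-valid addresses in order of appearance."""
    return [a for a in CANDIDATE.findall(text) if is_valid_address(a)]

def compare_note(written, received):
    """Report addresses that vanished from, or appeared in, the received text."""
    w, r = addresses(written), addresses(received)
    return {"missing": [a for a in w if a not in r],
            "unexpected": [a for a in r if a not in w]}

# Constructed sample data: the received copy has the payee address swapped.
PAYEE = make_address(b"constructed payee")
OTHER = make_address(b"constructed third party")
WRITTEN = f"Please send the payment to {PAYEE} by Friday."
RECEIVED = WRITTEN.replace(PAYEE, OTHER)

if __name__ == "__main__":
    print(compare_note(WRITTEN, RECEIVED))
```

A swapped address still passes the checksum, which is why the check compares the two texts rather than only validating the address that arrived.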

Cyware Publisher