Trojan Switches BTC Address Copied to Windows Clipboard

Evrial Trojan can replace legitimate payment addresses and URLs with addresses under the attacker's control
22 January 2018

A new Trojan called Evrial is being sold on criminal forums and being actively distributed in the wild. Like most Trojans, Evrial can steal browser cookies and stored credentials, but this Trojan also has the ability to monitor the Windows clipboard for certain text, and if detected, modify it to something else.

Evrial was first discovered and tracked by security researchers MalwareHunterTeam and Guido Not CISSP. By monitoring the Windows clipboard for certain strings, it makes it easy for attackers to hijack cryptocurrency payments and Steam trades: legitimate payment addresses and URLs are replaced with addresses under the attacker's control.

According to MalwareHunterTeam, Evrial is currently being sold on Russian criminal forums for 1,500 Rubles, or approximately $27 USD. After purchasing the product, an attacker reportedly gains access to a web panel that allows them to build an executable program.

[Image: translated post from a Russian forum]

When Evrial detects a bitcoin address in the clipboard, it replaces that legitimate address with one under the attacker's control. The victim then pastes that address into their wallet app and clicks send, so the bitcoins go to the attacker's address rather than to the intended recipient.

Evrial is also configured to detect strings that correspond to bitcoin, litecoin, monero, WebMoney and Qiwi addresses, as well as Steam item trade URLs.
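The substitution described above succeeds because the swapped-in address is still a syntactically valid address, so checking validity alone does not catch it. As an added example (not code from the article or from the researchers cited), here is a Python check that a wallet or payment form could run before sending: it Base58Check-decodes the pasted legacy bitcoin address and confirms it is the exact address the user intended. The function names and the tampered sample address are constructed for this illustration.

```python
import hashlib
from typing import Optional

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_decode(addr: str) -> Optional[bytes]:
    """Decode a legacy (Base58Check) address.

    Returns the 21-byte payload (version byte + 20-byte hash) when the
    4-byte double-SHA256 checksum verifies, otherwise None.
    """
    num = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None  # character outside the Base58 alphabet
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    # Every leading '1' encodes one leading zero byte.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return payload if digest[:4] == checksum else None


def is_valid_btc_address(addr: str) -> bool:
    """True for a well-formed mainnet P2PKH ("1...") or P2SH ("3...") address."""
    payload = base58check_decode(addr)
    return payload is not None and payload[0] in (0x00, 0x05)


def pasted_address_matches(intended: str, pasted: str) -> bool:
    """Defensive pre-send check: the address that ended up in the input field
    must be byte-for-byte the one the user meant to pay. A clipboard hijacker
    substitutes a different but equally valid-looking address, which is why
    validity alone is not enough."""
    return is_valid_btc_address(pasted) and pasted == intended


if __name__ == "__main__":
    # Genesis-block address (a well-known valid P2PKH address) and a
    # constructed copy with its last character altered.
    good = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    tampered = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"
    print("valid:", is_valid_btc_address(good), is_valid_btc_address(tampered))
    print("safe to send:", pasted_address_matches(good, tampered))
```

A wallet that shows the decoded address back to the user and refuses to send on a mismatch turns a silent clipboard swap into a visible warning.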

In addition to monitoring and modifying the clipboard, Evrial will also steal bitcoin wallets, stored passwords and documents from the victim's desktop, and take a screenshot of the active window. All of this information is compiled into a zip file and uploaded to the attacker's web panel.

[Image: Evrial Trojan web panel]

MalwareHunterTeam stated that the best way to protect yourself is to practice good computing habits.

First real-life cryptocurrency robbery reported in Taiwan

Four men stole 5 million Taiwanese dollars' worth of Bitcoin; the police have already arrested the suspects
22 February 2018

Bitcoin has attracted lots of unwanted attention from hackers and scammers alike. Recently, hardly a week passes without news of an exchange or user being hacked, or of some company's computers being hijacked to mine cryptocurrency. Now Taiwanese news outlets report the first real-life robbery of Bitcoin in their country.

The robbery took place in Taichung, Taiwan's central city. Police report that three men were involved in the robbery itself and one acted as the planner. The criminals persuaded the victim to meet them face-to-face under the guise of being interested in buying Bitcoin from him. After the victim showed the robbers proof of his bitcoins on his phone, the men attacked him and his friend and transferred 18 bitcoins, worth 5 million Taiwanese dollars, via the phone wallet.

The suspects then forced the unfortunate seller to drink strong local liquor to make it look as if a drunken fight had taken place. The police arrived at the scene after receiving reports of a fight and found two victims. Two of the offenders had fled, but the third was arrested at the scene of the crime. He later provided investigators with information about his accomplices, who were arrested soon after.

The police later apprehended the man believed to be the mastermind behind the plan. All this was released in yesterday's report by Taiwanese law enforcement, and the case is already viewed as “the first domestic case of bitcoin robbery”. The report doesn't mention whether the crypto was returned to its rightful owner.

Similar cases have been rumored to have happened in the US, but no records have been released as yet. In the light of this event, the unofficial governmental advice is to be more cautious of buyers requesting face-to-face meetings.