Here's another great reason not to install Windows 10 - it could be malware


Cybercriminals are distributing pirated copies of Windows 10 that carry malware built to steal cryptocurrency, according to a new report from antivirus vendor Dr.Web.

According to the report, ISO files of several builds of the operating system (OS) were found on various torrent sites. An ISO is a file holding a sector-by-sector image of an optical disc. With the right software (Windows 10 can do it natively), users can “mount” the image and use it just as they would a physical disc, whether to install software or as a backup/archive.

So far, these are the .ISO files identified as carrying the cryptocurrency clipboard hijacker:

  • Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
  • Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso

The hijacker’s components are planted in the EFI System Partition (ESP), a small partition that normally holds the bootloader and other files used before the operating system starts; systems that boot via UEFI rather than legacy BIOS depend on it. Once the OS is installed, whenever the victim copies a cryptocurrency wallet address and pastes it into any app or service, the malware swaps the clipboard contents for an address controlled by the attackers, so the funds go to the criminals and cannot be recovered.

Analysis: Why does it matter?

Cryptocurrencies are a growing industry that, at press time, is valued at more than a trillion dollars. Arguably, many of its users are technically confident individuals who are also comfortable using pirated software. One might assume such users would run antivirus software and know how to spot a threat.

However, standard antivirus tools don’t normally scan the EFI System Partition, so components stashed there sit outside the view of most endpoint security products. The researchers also found that the malware checks the operating system for analysis tools and, if it finds any, stays dormant rather than give itself away.

The most realistic way a victim will notice is by comparing the full address they have just pasted into a wallet or crypto service with the one they meant to send to, before pressing the send button. Dr.Web’s researchers add that the malware uses the ESP only as a storage location for the hijacker’s components, rather than executing from it at boot.
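Since antivirus rarely looks at the EFI System Partition, the obvious manual check is to look yourself. The PowerShell snippet below is an added example, not code from Dr.Web’s report or the article: it mounts the ESP, lists every file on it, and flags anything outside the directories a stock Windows install writes (EFI\Microsoft and EFI\Boot) as well as any Windows executable or script found anywhere on the partition. The drive letter S: and the list of expected directories are assumptions; OEM firmware utilities legitimately add their own vendor folders under EFI\, so treat hits as leads to investigate, not as verdicts. Run it from an elevated session on a UEFI system.

```powershell
# Added example (not from the article or Dr.Web): inspect the EFI System
# Partition for files that a stock Windows install would not put there.
# Assumptions: S: is a free drive letter; the session is elevated.

$Letter = 'S:'

# Directories a stock Windows 10/11 install populates on the ESP.
# OEM vendor folders (EFI\Dell, EFI\HP, ...) may legitimately appear as well.
$ExpectedDirs = @("$Letter\EFI\Microsoft", "$Letter\EFI\Boot")

# Extensions that have no business on a boot partition in a stock install.
$SuspiciousExt = @('.exe', '.dll', '.sys', '.ps1', '.bat', '.cmd', '.vbs', '.js')

# mountvol's /S switch maps the EFI System Partition to a drive letter.
mountvol $Letter /S
if ($LASTEXITCODE -ne 0) {
    throw "Could not mount the EFI System Partition on $Letter (UEFI system and admin rights required)"
}

try {
    $Files = Get-ChildItem -Path "$Letter\" -Recurse -File -Force -ErrorAction SilentlyContinue

    $Suspect = foreach ($f in $Files) {
        $inExpected = $false
        foreach ($dir in $ExpectedDirs) {
            if ($f.FullName.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inExpected = $true
            }
        }
        # Keep anything outside the expected tree, plus any PE/script anywhere.
        if (-not $inExpected -or $f.Extension.ToLower() -in $SuspiciousExt) { $f }
    }

    if ($Suspect) {
        Write-Output "Files on the ESP that deserve a closer look:"
        $Suspect |
            Select-Object FullName, Length, LastWriteTime,
                @{ Name = 'SHA256'; Expression = { (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash } } |
            Format-Table -AutoSize
    } else {
        Write-Output "Only the expected boot files were found under EFI\Microsoft and EFI\Boot."
    }
}
finally {
    # Always remove the temporary drive letter again.
    mountvol $Letter /D
}
```

The SHA-256 column is there so that anything unexpected can be checked against a reputation service or compared with the same file on a known-clean machine; the .efi bootloaders under EFI\Microsoft\Boot are expected and are not flagged by the extension filter.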

Because blockchain transactions are public, the researchers could tally how much the attack has brought in, and it turns out to work reasonably well: by the time Dr.Web published its findings, the attackers had received roughly $19,000 in various cryptocurrencies. The true figure may be higher, the researchers warn, because they cannot be sure they identified every wallet belonging to the attackers.

When sending money through a bank or other intermediary, a transfer can sometimes be stopped mid-journey if the sender finds out they’ve been scammed. With blockchain, however, that is impossible: once a transaction has been broadcast and confirmed, there is no going back. Cybercriminals are well aware of this and have been actively targeting crypto users with social engineering, phishing, and malware.

What have others said about it?

Clipboard hijackers are a common occurrence and have been around for many years. Back in 2021, The Record reported on a clipboard hijacker that earned its creators more than half a million dollars. It was discovered by researchers from Avast and described as “ridiculously simple”. The threat actor, going by the alias “HackBoss”, used Telegram to share “hacking tools” that were nothing more than malware. The hijacker came preconfigured with more than 100 different cryptocurrency addresses and brought in Bitcoin, Ether, Dogecoin, and others. Because some victims also paid in Monero, whose transactions cannot be traced on the public ledger, the researchers believed the final sum was even greater than the reported $560,000.

On forums such as Reddit, users have been advising their peers to always be careful when copying and pasting sensitive information. Because cryptocurrency wallet addresses are long strings of seemingly random characters, many users only check the first and last few characters. Some Reddit users have also warned of hijackers that pre-generate attacker addresses whose first and last characters match the victim’s, so only the middle part differs, which fools even people who glance at the pasted address before hitting send.
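A concrete version of the advice above and of the “double-check the address before pressing send” point earlier in the piece, as an added example rather than code from the article, MetaMask, Dr.Web or any of the Reddit posters: the PowerShell functions below compare the address you meant to send to against what actually came out of the clipboard, and treat a match of only the first and last few characters as the hijack pattern described above rather than as a pass. The sample addresses are constructed for illustration and are not real wallets; Test-PastedAddress and Watch-ClipboardAddress are names chosen here. One detail worth knowing: every Bitcoin bech32 address starts with bc1q, so an attacker only needs to mint one whose last few characters collide with yours, and with a 32-character alphabet a 4-character suffix collision takes on the order of a million key generations, which is cheap to do offline.

```powershell
# Added example (not from the article, MetaMask or Dr.Web): detect a clipboard
# hijack that preserves the ends of a wallet address. Sample addresses are
# constructed for illustration and are not real wallets.

function Get-AddressEnds {
    param([string] $Address, [int] $Count)
    $n = [Math]::Min($Count, $Address.Length)
    # Returns a two-element array: leading $n chars, trailing $n chars.
    return $Address.Substring(0, $n), $Address.Substring($Address.Length - $n)
}

function Test-PastedAddress {
    param(
        [Parameter(Mandatory)] [string] $Expected,   # address you intended to pay
        [Parameter(Mandatory)] [string] $Pasted,     # what the clipboard delivered
        [int] $Ends = 4                              # how many leading/trailing chars a quick glance checks
    )
    # Case-sensitive: base58 and bech32 addresses differ by case.
    if ($Pasted -ceq $Expected) {
        return [pscustomobject]@{ Verdict = 'OK'; Detail = 'Full address matches' }
    }
    $eHead, $eTail = Get-AddressEnds -Address $Expected -Count $Ends
    $pHead, $pTail = Get-AddressEnds -Address $Pasted   -Count $Ends
    if ($eHead -ceq $pHead -and $eTail -ceq $pTail) {
        # The pattern a vanity-generated attacker address produces.
        return [pscustomobject]@{
            Verdict = 'HIJACK-SUSPECTED'
            Detail  = "First and last $Ends characters match but the middle differs"
        }
    }
    return [pscustomobject]@{ Verdict = 'MISMATCH'; Detail = 'Pasted address is not the expected one' }
}

# Put a known address on the clipboard, wait, and see what comes back out.
# Get-Clipboard/Set-Clipboard ship with Windows PowerShell 5.1 and PowerShell 7 on Windows.
function Watch-ClipboardAddress {
    param([Parameter(Mandatory)] [string] $Expected, [int] $Seconds = 10)
    Set-Clipboard -Value $Expected
    Start-Sleep -Seconds $Seconds
    $now = [string](Get-Clipboard -Raw)
    Test-PastedAddress -Expected $Expected -Pasted $now.Trim()
}

# Constructed demo values (not real wallets).
$Intended = 'bc1qdemo000000000000000000000000000000abcd'
$Swapped  = 'bc1qattacker0000000000000000000000000abcd'   # same first/last 4 chars, different middle
$Other    = 'bc1qunrelatedaddress000000000000000000wxyz'

Test-PastedAddress -Expected $Intended -Pasted $Intended
Test-PastedAddress -Expected $Intended -Pasted $Swapped
Test-PastedAddress -Expected $Intended -Pasted $Other
```

The three calls at the end exercise the exact-match, ends-only-match and plain-mismatch paths. Watch-ClipboardAddress is the live version: copy an address you control, wait a few seconds, and see whether something on the machine rewrote it while it sat in the clipboard.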

On Twitter, MetaMask shared a few tips on how to stay safe from clipboard hijackers. MetaMask is one of the world’s most popular cryptocurrency wallets, whose Twitter following counts more than 76,000 people. In a short thread, MetaMask advises users to keep their wallet software updated, install only trusted antivirus software, be mindful of what they copy and paste, and clear the clipboard regularly.

Go deeper

If you want to learn more, start by checking out our buying guides for the best bitcoin wallets, as well as best mining rigs. Also, make sure to check out our list of the best antivirus programs, and best endpoint security solutions right now. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.