A malware that infected tens of thousands of devices to mine and steal crypto has ended up bagging only about $6,000.
Cybersecurity firm Doctor Web reported on Oct. 8 that it detected the malware disguising itself as legitimate software, such as office programs, game cheats and online trading bots.
The cryptojacking and stealing software infected more than 28,000 users, mainly in Russia but also in Belarus, Uzbekistan, Kazakhstan, Ukraine, Kyrgyzstan and Turkey.
The hackers were able to swipe only about $6,000 worth of crypto, according to Doctor Web. Still, it’s unknown how much the malware’s creator may have earned from crypto mining.
The cybersecurity firm said the malware’s sources included fraudulent GitHub pages and YouTube video descriptions with malicious links.
Once a device is infected, stealthily deployed software hijacks computing resources to mine crypto.
A “clipper” also monitors crypto wallet addresses that users copy onto their device’s clipboard, and the malware replaces them with addresses controlled by the attacker — which is how they swiped crypto.
Malware attack chain. Source: Doctor Web
The malware uses sophisticated techniques to avoid detection, including password-protected archives to bypass antivirus scans, disguising malicious files as legitimate system components and using legitimate software to execute malicious scripts.
In September, crypto exchange Binance warned about clipper malware, noting a spike in activity in late August “leading to significant financial losses for affected users.”
Doctor Web said many of the malware victim’s devices were compromised “by installing pirated versions of popular programs” and recommended only installing software from official sources.
Related: New Android malware steals private keys from screenshots and images
Clipboard-changing malware has been around for years and was particularly prominent after the 2017 crypto bull market.
These types of malware programs have become more sophisticated, often combining clipboard jacking with other malicious functions.
In September, threat intelligence firm Facct reported that malicious actors and scammers were exploiting email auto-replies to spread crypto mining malware.
Magazine: $55M DeFi Saver phish, copy2pwn hijacks your clipboard: Crypto Sec