2023-04-12

Portuguese users have been targeted by a new malware called CryptoClippy, capable of stealing cryptocurrencies as part of a malvertising campaign.

The activity exploits SEO poisoning techniques to lure users searching for “WhatsApp web” to fraudulent domains hosting the malware, as reported today in a new report from Palo Alto Networks Unit 42.

What is CryptoClippy, how it was created and how it works

CryptoClippy, an executable written in C, is a type of cryptoware known as clipper malware: it monitors the victim’s clipboard for content that matches cryptocurrency addresses and replaces it with a wallet address controlled by the cyber criminal.

“The clipper malware uses regular expressions (regexes) to identify which type of cryptocurrency the address belongs to”, said the Unit 42 researchers.

“It then replaces the clipboard entry with a wallet address [a virtual cryptocurrency wallet] controlled by the criminal, visually similar but under his control, for the appropriate cryptocurrency. Later, when the victim pastes the address from the clipboard to make a transaction, she is actually directly sending the cryptocurrency to the cybercriminal”.
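One defender-side check against the substitution described above, as an added example that is not part of the Unit 42 report or of the malware: it classifies a clipboard value by address format with constructed regexes and flags the clipper signature (an address copied, a different address of the same coin pasted). The ClipboardEvent records are assumed to come from an application's own copy/paste hooks, which is a hypothetical integration.

```python
import re
from dataclasses import dataclass

# Address formats a clipper typically watches for. These regexes are
# constructed for this example; they are not the malware's own patterns.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify_address(text):
    """Return the coin whose address format `text` matches, or None."""
    candidate = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None

@dataclass
class ClipboardEvent:
    copied: str  # what the user put on the clipboard (hypothetical capture hook)
    pasted: str  # what the wallet or web form actually received on paste

def detect_clipper_swap(event):
    """Flag the clipper signature: an address was copied and a different
    address of the same coin arrived on paste. Returns a verdict or None."""
    copied, pasted = event.copied.strip(), event.pasted.strip()
    copied_type = classify_address(copied)
    if copied_type is None or copied == pasted:
        return None  # nothing to protect, or clipboard untouched
    if classify_address(pasted) != copied_type:
        return f"{copied_type} address altered to non-{copied_type} content"
    # Clippers pick look-alike addresses, so glancing at the first/last
    # characters is not a reliable user-side check; report that explicitly.
    lookalike = copied[:4] == pasted[:4] or copied[-4:] == pasted[-4:]
    verdict = f"{copied_type} address replaced in clipboard (possible clipper)"
    return verdict + (" with matching prefix/suffix" if lookalike else "")

# Constructed sample events; none of these are real wallet addresses.
SAMPLE_EVENTS = [
    ClipboardEvent("0x" + "ab" * 20, "0x" + "ab" * 20),    # benign paste
    ClipboardEvent("0x" + "ab" * 20, "0x" + "cd" * 20),    # swapped ETH address
    ClipboardEvent("bc1q" + "x" * 38, "bc1q" + "y" * 38),  # look-alike BTC swap
    ClipboardEvent("meeting notes", "meeting notes"),       # not an address
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e.copied[:6], "->", detect_clipper_swap(e) or "ok")
```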

The illicit scheme would appear to have yielded about 983 dollars to its operators so far, with victims identified in the manufacturing, IT services and real estate sectors.

It is worth noting that the use of tainted search results to deliver malware has also been adopted by the cyber criminals behind GootLoader.

Another approach used to locate suitable targets is a traffic direction system (TDS), which checks whether the browser’s preferred language is Portuguese and, if so, leads the user to a fraudulent landing page.

Users who do not meet the required criteria are redirected to the legitimate WhatsApp Web domain without any further malicious activity, thus avoiding detection.

These findings come just days after SecurityScorecard detailed an information stealer called Lumma, capable of collecting data from web browsers, cryptocurrency wallets and a variety of apps such as AnyDesk, FileZilla, KeePass, Steam and Telegram.

How to possibly defend yourself against CryptoClippy and more?

Although it is unlikely that you, the reader, speak Portuguese (or have Windows or your browser set to that language), here are some tips for surviving similar attacks.

These recent attacks once again demonstrate the importance of staying alert and attentive when surfing the web and using online applications.

It is essential to take appropriate security measures, such as using reputable antivirus software and avoiding clicking on suspicious links or downloading files from unverified sources. This is the only way to protect yourself and your sensitive data from increasingly sophisticated and widespread cyber attacks.