Security Experts:

Connect with us

Hi, what are you looking for?



“ComboJack” Malware Steals Multiple Virtual Currencies

A newly discovered piece of malware is capable of stealing a variety of crypto-coins from its victims by replacing legitimate wallet addresses with that of the attacker.

A newly discovered piece of malware is capable of stealing a variety of crypto-coins from its victims by replacing legitimate wallet addresses with that of the attacker.

Dubbed ComboJack, the malware performs its nefarious activity by monitoring the user clipboard and replacing targeted addresses there. This is the same technique that was recently observed being used by the Evrial Trojan and the CryptoShuffler malware, but the new threat targets multiple virtual currencies.

ComboJack, Palo Alto Networks has discovered, is targeting multiple crypto-currencies at the moment, including Bitcoin, Litecoin, Monero, and Ethereum.

The malware is being distributed through spam emails targeting users in Japan and America, carrying a malicious PDF that contains an embedded document. This is a RTF file attempting to exploit CVE-2017-8579, a vulnerability addressed in September 2017 after it was abused to spread the FinFisher spyware.

The RTF document references to an embedded remote object, an HTA file that contains encoded PowerShell commands. Once fetched from the remote server, the file executes the PowerShell to download and execute the final payload.

The downloaded file is an initial stage self-extracting executable (SFX) that extracts the second stage, a password protected SFX that has the password supplied by the first stage. Only after the second stage is executed, the ComboJack is extracted.

First, the malware copies itself to the ProgramData folder, and then leverages the attrib.exe built-in Windows tool to set the hidden and system attributes to itself. Next, the malware sets a registry key to achieve persistence.

Once the steps have been completed, ComboJack starts checking the contents of the clipboard every half second to determine if wallet information for different digital currencies has been copied there. When that happens, the malware replaces the information with hardcoded data in an attempt to divert funds to a presumably attacker-owned wallet.  

“This tactic relies on the fact that wallet addresses are typically long and complex and to prevent errors, most users will opt to copy an exact string in order to prevent potential errors,” Palo Alto points out.

The malware can detect addresses of crypto-currencies such as Ethereum, Monero (erroneously, the replacement address is shorter), Bitcoin, Litecoin, Qiwi, WebMoney (Rubles), WebMoney (USD), Yandex Money, and a currently unknown virtual coin.

The fact that ComboJack is targeting WebMoney (USD, EUR, and RUB) and Yandex Money, which are popular digital payment systems, also sets the malware apart from other Trojans capable of stealing crypto-currencies by replacing wallet addresses that have been copied to the clipboard.

“By targeting multiple cryptocurrencies and web based wallets, the author of ComboJack appears to be hedging his or her bets on which currency will boom and which will bust. As the prices of cryptocurrencies continue to rise it is likely we will see more and more malware targeting cryptocurrencies, as it presents the fastest way to the highest profit,” Palo Alto concludes.

Related: Cryptocurrency Fraud: In the Midst of a Gold Rush, Beware of Scammers

Related: Zyklon Malware Delivered via Recent Office Flaws

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.