When people download the file and open it, a malicious winlogin.exe is dropped and executed. “The purpose of the malware is simple. If the victim tries to add money to their anon-bitcoin wallet by copying and pasting the wallet address, the malware overwrites the victim’s wallet address on the clipboard with its own, resulting in the money potentially going to the attacker,” the researchers explained. According to FortiGuard Labs, the malware watches a user’s clipboard to search for text that is 54 characters long – the length of a cryptocurrency wallet address – and other criteria that indicate the text is related to cryptocurrency. If the text matches three different criteria, the malware puts the attacker’s Bitcoin Cash wallet address in place of the clipboard information. The malware also searches for addresses related to Ethereum, Binancecoin, Litecoin, Dogecoin and Ripple. “We also found that the malicious winlogin.exe was distributed by a number of droppers with enticing names, such as Crunchyroll Breaker.exe, Netflix Tools.exe, Multi Gift Tools.exe, etc,” FortiGuard Labs explained. Derek Manky, chief of security insights & global threat alliances at Fortinet’s FortiGuard Labs, told ZDNet that they made this research discovery through their threat hunting process while looking for specific rules/targets. FortiGuard Labs found samples collected through open repository and then did further correlation work from there as part of discovery phase, Manky said. Cryptowallet addresses are quite large, and while cryptowallet users may write their wallet in a physical location, chances are they have this stored digitally – either in a cold storage wallet or on their workstation, according to Manky. “That digital cryptowallet addresses is typically accessed when doing transactions to send/receive money during the transaction itself on the client machine. In this instance, the attacker is hoping to replace the victim wallet with theirs to divert the funds. Keep in mind there usually is MFA with these transactions, but that’s done by the client to approve. They may not notice the wallet address they pasted was actually not their own,” Manky said. “This attack attempt has been specifically designed to hijack cryptowallet addresses/transactions similar to payment diversion fraud. And specifically Bitcoin Cash.” FortiGuard Labs also found another scam related to gaming consoles, attempting to lure those interested in purchasing PlayStation 5 and Xbox Series X and S systems. The researchers found a group of malicious PDF files with titles like, “how_much_do_xbox_one_cost_on_black_Friday.pdf” and “Walmart_black_Friday_ps5_pickup.pdf.” After victims click on the link, they are taken to phishing sites where they are asked to give out confidential information.
