The main function of ClipboardWalletHijacker is a loop that continuously monitors the clipboard content. If the content is an Ethereum wallet address, it replaces the address with “0x004D3416DA40338fAf9E772388A93fAF5059bFd5”. This address has recorded at least 46 successful transactions since the Trojan was found.
If the content is not an Ethereum address, ClipboardWalletHijacker checks whether it is a Bitcoin address instead. It hijacks Bitcoin addresses that begin with 1 or 3. The replacement address depends on the date. If the current date is earlier than the 8th of the month, the Trojan replaces the address with “19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL”. This address has hijacked at least 0.034 BTC. Otherwise, it uses “1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1” instead. That address has already hijacked five Bitcoin transactions, and the amount hijacked is increasing. So far, the largest hijacked transaction is 0.069 BTC, approximately equivalent to 500 US dollars.
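The copy-then-paste check below is an added example, not code from the original article or from 360. It recognises the same two address kinds the Trojan looks for and flags a pasted value that differs from what was copied or that matches one of the three replacement addresses reported above. The regular expressions, function names and sample addresses are assumptions made for illustration.

```python
import re

# Replacement addresses reported in this article for ClipboardWalletHijacker.
KNOWN_HIJACK_ADDRESSES = {
    "0x004d3416da40338faf9e772388a93faf5059bfd5",  # Ethereum, stored lowercased
    "19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL",          # Bitcoin
    "1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1",          # Bitcoin
}

# Assumed address shapes: 0x + 40 hex digits, and Base58 starting with 1 or 3.
ETH_RE = re.compile(r"0x[0-9a-fA-F]{40}")
BTC_RE = re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")

# Constructed sample addresses (not real wallets).
SAMPLE_ETH = "0x" + "ab" * 20
SAMPLE_BTC = "1" + "A" * 33


def classify(text):
    """Return 'ethereum', 'bitcoin' or None for a clipboard string."""
    text = text.strip()
    if ETH_RE.fullmatch(text):
        return "ethereum"
    if BTC_RE.fullmatch(text):
        return "bitcoin"
    return None


def normalize(addr):
    """Ethereum hex is case-insensitive; Base58 Bitcoin addresses are not."""
    addr = addr.strip()
    return addr.lower() if classify(addr) == "ethereum" else addr


def check_paste(copied, pasted):
    """Compare what the user copied with what arrived at paste time."""
    kind = classify(pasted)
    if kind is None:
        return "not-an-address"
    if normalize(pasted) in KNOWN_HIJACK_ADDRESSES:
        return "known-hijacker-address"
    if classify(copied) == kind and normalize(copied) != normalize(pasted):
        return "address-swapped"
    return "ok"


if __name__ == "__main__":
    hijacked = "0x004D3416DA40338fAf9E772388A93fAF5059bFd5"
    print(check_paste(SAMPLE_ETH, hijacked))
    print(check_paste(SAMPLE_BTC, SAMPLE_BTC))
```

The swap check also catches replacement addresses that are not on the known list, which matters because the Trojan's addresses can change between samples.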
Recently, 360 has found that many CryptoMiner Trojans use this technique to steal victims’ cryptocurrencies. Users are strongly recommended to keep antivirus software enabled while installing new applications, and to run a virus scan with 360 Total Security to avoid falling victim to CryptoMiner.