Beware the CryptoShuffler, A Trojan that Will Steal Your Coins

Given that so many people are moving into cryptocurrencies and are using them to make payments, a new opportunity has opened up for cyber criminals. We have all heard of the high profile ransomware hacks that make a public statement by requesting BTC in return for decryption services, yet there are many more threats which work by being unnoticeable.

One of these latest threats that has been disclosed by Kaspersky labs is a Trojan that attempts to change your Cryptoccurrency address when you copy and paste it. Hence, it makes you an unwitting agent that inadvertently sends funds to the malware creator.

What is the Cryptoshuffler?

The CryptoShuffler is a Trojan that avoids any sort of flashy displays or effects. It tries to slip onto your PC and not be noticed. Once it is there, it will remain in your PC's memory and keeps tabs on your clipboard. This is the temporary storage area in your memory where the PC keeps your cut / paste operations.

So, if you were to copy an address from an exchange or receive an address from someone you were paying, the Trojan would automatically identify this as a cryptocurrency address. This is usually quite easy to do as cryptocurrency addresses are rather unique and the type of characters gives it away.

Upon spotting the address, the Trojan swaps out the copied one for that of the Malware's author. Hence, when you paste the address in your wallet and sign the transaction, the funds will go to the wrong address and end up in the hands of the criminal. As you may know, Bitcoin transactions are immutable and cannot be reversed, so this is an easy way for them to get away with your coins.

Results of the Shuffler

When Kaspersky studied the malware they discovered that it goes after a whole host of cryptocurrencies including Bitcoin, Monero, Ethereum, Zcash, Dash and a number of other lesser known types. So far, the Trojan has been able to grab about 23.24 BTC. You can see the running total to the Bitcoin address on blockchain.info. Below is the amount and number of transactions as it stood at press time.

Image Source

In the malware creator's other wallets, there appeared to be funds ranging from a few dollars to thousands of dollars. The Trojan has also been around for some time and has been operating since at least 2016. There is no doubt though that the disclosures and more awareness around Bitcoin addresses could have stemmed the flow.

Lessons to be Learnt

What this Trojan shows us is that there are a number of threats from hackers with cryptocurrency. Some may choose to hold your PC ransom while others may use your processing power for "mineware" to mine cryptocoins. Others may use your complacency for social engineering attacks such as phishing. Yet, in the case of the CryptoShuffler, merely changing your address is enough steal a substantial amount of coins.

The lesson?

Always double check the address that you are sending coins to. Even though your PC may not be infected, it is good practice and can limit the potential incorrect transactions.

Featured Image via Fotolia