PANews reported on April 9th that according to Decrypt, the cybersecurity company Kaspersky discovered a new type of cryptocurrency fraud malware that tampers with wallet addresses in the clipboard. The attackers disguised the malware as a Microsoft Office plugin, distributed through the SourceForge platform, but actually induced downloads through secondary redirect links. Analysis shows that the malicious code may have been developed by Russian developers, with 90% of victims located in Russia, but due to the English download page, the attack range may be wider. The malware (ClipBanker) monitors the clipboard and automatically replaces the user's copied cryptocurrency address with the attacker's address. Since most users are accustomed to copying and pasting, they often only discover they have been scammed after completing the transfer.
Kaspersky warned that attackers might sell access to infected devices for more serious criminal activities. Although the installation package is disguised as a 700MB normal program, the actual malicious part is only 7MB. In the first three months of 2024, over 4,600 users in Russia have already been affected. Experts recommend downloading software only from official channels and avoiding untrusted sources to prevent similar attacks.
