Users of Windows-based cryptocurrency wallets have a new token-stealing malware to worry about. First reported by BleepingComputer late last week, the malware waits until a cryptocurrency address is copied into the infected machine’s clipboard, then replaces the destination address with a similar-looking one controlled by the attacker. While this kind of malicious program has been seen before — they’re often referred to as cryptocurrency clipboard hijackers — this new iteration is remarkable simply for its size and complexity.
The hijacker, which was first observed as part of the “cascade of malware” All-Radio 4.27 Portable malware package released last week, is as subtle as it is devious. The program runs quietly in the background, hiding in plain sight as a DirectX service. The only indication that the DLL file isn’t what it seems is the file size, which clocks in at a suspiciously large 83MB. While a typical clipboard hijacker might only contain a few hundred addresses to send stolen tokens to, the All-Radio variant contains a staggering 2.3 million cryptocurrency addresses.
In BleepingComputer’s video demonstration, the hijacker replaced a copied address with one from its own massive list that shares the first few digits. This could easily fool a distracted or inattentive sender. The malware also appears to include a wide variety of cryptocurrency address types, although the program’s primary focus appears to be bitcoin addresses. Interestingly, the program isn’t sophisticated enough to recognize a cryptocurrency address within a longer block of text, and will only be triggered when an address is copied in isolation.
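The two behaviours described above (a look-alike that matches only the first few characters, and a trigger that fires only when a lone address sits in the clipboard) suggest a simple defender-side check. The following is an added example written for this page, not code from BleepingComputer or from the malware analysis: it validates a legacy Base58Check bitcoin address, compares a pasted address against the one the user meant to copy character by character, and flags any clipboard change that happens without a user-initiated copy while the clipboard held an isolated address. The clipboard snapshots, the `Snapshot` type and the look-alike string are constructed for the example; the look-alike is deliberately one character off the real genesis address and is not a valid address.

```python
"""Defender-side checks for clipboard address substitution (added example)."""
import hashlib
from dataclasses import dataclass

# Bitcoin's Base58 alphabet (no 0, O, I, l)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode a Base58 string to raw bytes; leading '1's encode leading zero bytes."""
    n = 0
    for ch in s:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_legacy_btc_address(s: str) -> bool:
    """Base58Check validation for legacy P2PKH (0x00) / P2SH (0x05) addresses."""
    if not 26 <= len(s) <= 35:
        return False
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def is_isolated_address(text: str) -> bool:
    """True only when the clipboard holds a single address token and nothing else,
    which is the exact condition the hijacker described above reacts to."""
    tokens = text.split()
    return len(tokens) == 1 and is_valid_legacy_btc_address(tokens[0])


def compare_addresses(expected: str, pasted: str) -> dict:
    """Full-string comparison, plus how many leading characters a look-alike shares
    (the part a quick glance at the first few digits would confirm)."""
    shared = 0
    for a, b in zip(expected, pasted):
        if a != b:
            break
        shared += 1
    match = expected == pasted
    return {"match": match, "shared_prefix": shared, "diverges_at": None if match else shared}


@dataclass
class Snapshot:
    source: str   # "user_copy" = copy the user initiated; "poll" = periodic clipboard read
    content: str


def detect_silent_swaps(snapshots: list) -> list:
    """Return indices of poll snapshots whose content differs from the last
    user-initiated copy while that copy was an isolated address."""
    alerts = []
    last_copy = None
    for i, snap in enumerate(snapshots):
        if snap.source == "user_copy":
            last_copy = snap.content
        elif last_copy is not None and is_isolated_address(last_copy) and snap.content != last_copy:
            alerts.append(i)
    return alerts


# Real, well-known address (the bitcoin genesis coinbase address).
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed look-alike: one character changed ('N' -> '0'), so it fails validation.
LOOKALIKE = "1A1zP1eP5QGefi2DMPTfTL5SLmv7Divf0a"

# Constructed clipboard timeline: user copies the address, one poll sees it intact,
# the next poll sees different content although the user copied nothing new.
SAMPLE_SNAPSHOTS = [
    Snapshot("user_copy", GENESIS),
    Snapshot("poll", GENESIS),
    Snapshot("poll", LOOKALIKE),
]

if __name__ == "__main__":
    print(compare_addresses(GENESIS, LOOKALIKE))
    print("silent swaps at:", detect_silent_swaps(SAMPLE_SNAPSHOTS))
```

Gating the swap alert on `is_isolated_address` mirrors the malware's own trigger condition, which keeps the check quiet for ordinary clipboard traffic; the comparison output makes the point that 32 of 34 characters agreeing is exactly the situation a prefix-only check misses, so a wallet or paste hook should compare the whole string.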
Worryingly, the All-Radio 4.27 Portable malware package has proven to be extremely difficult to remove, owing in large part to a sophisticated rootkit that protects its various functions. The malware suite also includes a host of other nasty programs, including a cryptocurrency miner, a spambot, and multiple Trojan downloaders. Owners of infected machines are being urged to completely reinstall Windows to remove all traces of the infection.
A better long-term option for cryptocurrency users might be to avoid a desktop-based cryptocurrency wallet altogether. To protect your BTC, ETH, and other crypto tokens, most cybersecurity and cryptocurrency experts recommend using a tethered, air-gapped hardware wallet.