Security researchers at ElevenPaths have reported a new malware family that steals cryptocurrency by swapping the wallet address a user copies to the clipboard. The stealer is called Evrial, and on deeper analysis the ElevenPaths team found that its Russian developer has also been targeting other scammers.
Until the end of last year, CryptoShuffle was a malware sample that could read the clipboard and modify cryptocurrency addresses. This year someone saw a business opportunity in offering those features as a service and began selling the platform itself under the name "Evrial".
Evrial is a .NET binary that steals saved passwords from browsers, FTP clients and Pidgin. In addition, it rewrites the clipboard on the fly, replacing any copied cryptocurrency address with an address of the operator's choosing.
Evrial also gives the operator a web panel from which the stolen data can be browsed. When a criminal buys the application, the "name" he will use to log into the panel is hardcoded into the binary, so each shipped Evrial build is unique to its buyer.
Anyone making a Bitcoin transfer usually copies and pastes the destination address rather than typing it. The attacker simply waits: the user, trusting the clipboard, submits a transaction to the pasted address without noticing that the recipient has been silently changed to one belonging to the attacker. Evrial performs this substitution in the background for several address types, including Bitcoin, Ethereum, Litecoin and Monero addresses, as well as Steam identifiers and WebMoney WMR and WMZ purses.
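To make the mechanism concrete, here is an added Python example, written for this page and not taken from ElevenPaths' analysis or from the malware itself (Evrial is a .NET binary). It pairs a simplified clipper, which recognises an address family by its shape and swaps in the attacker's address of the same family, with the defensive check that defeats it: the value reaching the send form must be byte-for-byte what was copied. The address patterns are syntactic approximations assumed for the example (no checksum validation), Steam identifiers are omitted because the page does not describe their format, and all sample addresses other than the well-known Bitcoin genesis address are constructed.

```python
import re
from typing import Dict, Optional

# Syntactic patterns for the address families Evrial is reported to rewrite.
# Assumed for this example: shape checks only, no base58/bech32/Keccak
# checksum verification. Steam identifiers are omitted (format not given).
ADDRESS_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "BTC": re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})"),
    "ETH": re.compile(r"0x[0-9a-fA-F]{40}"),
    "LTC": re.compile(r"(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})"),
    "XMR": re.compile(r"[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}"),
    "WMR": re.compile(r"R[0-9]{12}"),
    "WMZ": re.compile(r"Z[0-9]{12}"),
}


def classify(text: str) -> Optional[str]:
    """Return the address family the clipboard text looks like, or None."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return family
    return None


def clipper_rewrite(clipboard: str, attacker_addresses: Dict[str, str]) -> str:
    """The clipper's core logic, simplified: if the clipboard holds a recognised
    address and the operator configured a replacement for that family, return
    the attacker's address; otherwise hand back the clipboard untouched so the
    victim notices nothing when pasting ordinary text."""
    family = classify(clipboard)
    if family is None or family not in attacker_addresses:
        return clipboard
    return attacker_addresses[family]


def paste_is_trustworthy(copied: str, pasted: str) -> bool:
    """Defensive check for a wallet UI or a careful user: the pasted address
    must equal what was deliberately copied. Same family, different value is
    exactly the clipper's signature."""
    return copied.strip() == pasted.strip()


# Constructed sample data (hypothetical attacker wallets).
ATTACKER = {
    "BTC": "1HijackedAddr" + "X" * 21,   # 34 chars, valid base58 alphabet
    "ETH": "0x" + "ab" * 20,             # 40 hex digits
}
VICTIM_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # well-known genesis address
VICTIM_XMR = "4A" + "B" * 93                        # constructed, 95 chars


def demo() -> None:
    for copied in (VICTIM_BTC, VICTIM_XMR, "meeting at 10"):
        pasted = clipper_rewrite(copied, ATTACKER)
        verdict = "OK" if paste_is_trustworthy(copied, pasted) else "SUBSTITUTED"
        print(f"{classify(copied) or 'text':4} copied={copied[:12]}... "
              f"pasted={pasted[:12]}... {verdict}")


if __name__ == "__main__":
    demo()
```

The Monero line shows why an operator configures one replacement per family: with no XMR address in `ATTACKER`, the clipper leaves that clipboard alone rather than pasting a Bitcoin address into a Monero wallet, which would fail validation and tip the victim off.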
The malware's author left his Telegram handle, @Qutrachka, in the source code as a contact point for buyers. Using this handle and other analysed samples, the researchers identified accounts on deep web forums under the name Qutra whose main activity was selling the malware. According to the researchers, the Bitcoin wallet attributed to the Evrial author has received 21 transactions, probably from his victims, totalling approximately 0.122 BTC.
All of that Bitcoin has since been moved to other addresses. The author has also received 0.0131 LTC, which remain in his wallet. It was not possible to trace any payments to his Monero account, because Monero is designed to hide which parties are involved in each transaction.