A new malware named CryptoClippy has been discovered, targeting Portuguese users as part of a malvertising campaign. The malware uses SEO poisoning techniques to lure users searching for “WhatsApp web” to rogue domains, where they are infected with the malware.
CryptoClippy is a clipper malware that monitors a victim’s clipboard for content matching cryptocurrency addresses and replaces them with a wallet address under the threat actor’s control, thus stealing their cryptocurrency.
The clipper malware uses regular expressions to identify the type of cryptocurrency the address pertains to and replaces it with a visually similar adversary-controlled wallet address.
Victims who paste the address from the clipboard to conduct a transaction actually send their cryptocurrency directly to the threat actor. The illicit scheme has netted its operators about $983 so far, with victims found across various industries such as manufacturing, IT services, and real estate.
The use of poisoned search results to deliver malware has been adopted by threat actors associated with the GootLoader malware. A traffic direction system (TDS) is also used to determine suitable targets by checking if the preferred browser language is Portuguese.
Users who do not meet the criteria are redirected to the legitimate WhatsApp Web domain without any further malicious activity to avoid detection.
The discovery of CryptoClippy comes just days after another malware named Lumma was detailed by SecurityScorecard. Lumma is capable of harvesting data from web browsers, cryptocurrency wallets, and a variety of apps such as AnyDesk, FileZilla, KeePass, Steam, and Telegram.
The discovery of these new malware strains highlights the importance of remaining vigilant against cyber threats and taking appropriate measures to protect personal and business data.
