Evrial Trojan Strips and Swaps Bitcoin, Monero, and Litecoin Address from Windows Clipboard
Originally published on: BTCMANAGER
January 25, 2018
A new trojan going by the name Evrial is being actively sold and distributed among cyber crooks. Sparking concern, it does more than merely steal stored credentials and browser cookies: it also monitors the Windows clipboard and, when it recognises specific text, replaces it before the user pastes. In a nutshell, a crypto trader or vendor who copies and pastes a payment address can end up paying someone else.
A Heads-Up from the Watchmen
MalwareHunterTeam and Guido Not CISSP are the security researchers credited with first identifying and monitoring Evrial. The trojan watches your clipboard for specific strings and corrupts the pasted data to hijack cryptocurrency payments and Steam trades. In short, the payment lands not in your wallet but in one controlled by the attacker.
By monitoring the Windows clipboard for these strings, Evrial makes it easy for attackers to hijack cryptocurrency payments: legitimate payment addresses and URLs are replaced with addresses and URLs under the attacker's control.
Evrial is also harder to detect than its predecessors, reuses tried and tested features from the Reborn Stealer, and, given a lucky strike, can cost a victim real money in seconds. Further, the researchers report a current sale price of around $27, or about ₽1,500 in Russia.
Boldly advertised, the marketing copy for Evrial explains how the product works, where and how to look for exploitable data, and how to configure the replacement strings that divert transactions.
Once purchased, the buyer steers the trojan from a web panel, where they configure which addresses and other strings the malware should treat as valuable targets. Many malware families can read the clipboard, but the ability to rewrite its contents at the moment of a transaction takes the threat to a new level.
While in theory easily defeated, the trojan is effective because it strikes at the moment the victim is least likely to look closely: the instant an address is pasted into a payment form.
Crypto Payment Line
Leveraging the laborious nature of typing in Bitcoin addresses and similar handles, Evrial bets that a large share of users will copy and paste this kind of information. Paste “your” address into a payment form while Evrial is running and the attacker's address is substituted for it, so the funds are redirected to the attacker's wallet instead.
Because the amounts are often too small to justify a forensic investigation, and because the transaction completed exactly as the victim requested, without their noticing the swap, there is seldom merit in investigating and no prospect of reversal.
To compound matters, crypto stolen in this way is typically moved on within seconds, and the payment is recorded on the blockchain as a perfectly valid, irreversible transaction; chasing the funds through further hops across the globe is rarely feasible. The same ironclad settlement that makes the blockchain so attractive and reassuring now works against the aggrieved user once Evrial has swapped the payment address.
The trojan notes the string you copy, fetches the attacker-configured replacement from the panel, and inserts it into your transaction. Its scope is not unlimited: the developer supports detection and substitution of Steam trade URLs and of Monero, WebMoney, Qiwi, Litecoin and, of course, Bitcoin addresses.
Cyber-attack with People Skills
While relatively simple to understand, Evrial's strength lies in its grasp of human behaviour. It kicks in at the moment most users feel entirely secure in what they are doing, and saved passwords and wallets are easy targets for it too. It also takes screenshots of what you are doing on your device and uploads them in a zip file to the attacker's dashboard.
The first line of defense is to have reliable anti-malware installed and kept up to date. The second is to treat every pasted payment address as untrusted: compare what appears in the payment field against the address you intended to use, character by character, before confirming, or resolve to type in such text by hand when making transactions and handling other sensitive data.
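To make the mechanism concrete, here is an added example in Python (not code from the article and not Evrial's own code). It models the pattern matching a clipboard hijacker needs to pick its targets among the assets listed above, and the check a user or an endpoint tool can make before sending: compare what was copied with what actually landed in the payment field. The address formats are assumptions (standard address types only, format checks without checksum validation), and every sample address and trade URL is constructed rather than real.

```python
"""Clipboard-swap check for the payment strings a clipper trojan targets.

Added example; not code from the article and not Evrial's code.  It models
(1) the pattern matching a clipboard hijacker uses to recognise targets and
(2) the defender's check: compare what was copied with what is pasted.
Address formats are assumptions (standard types, no checksum validation);
sample values below are constructed, not real wallets or trade links.
"""
import re

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"   # Bitcoin-style base58: no 0, O, I, l
BECH32 = r"[ac-hj-np-z02-9]"       # bech32 charset: no 1, b, i, o

# Order matters: Bitcoin and Litecoin both use a "3..." P2SH prefix, so an
# ambiguous 3-address is reported as Bitcoin here.
PATTERNS = [
    ("bitcoin",     re.compile(rf"^[13]{BASE58}{{25,34}}$")),
    ("bitcoin",     re.compile(rf"^bc1{BECH32}{{39,59}}$")),
    ("litecoin",    re.compile(rf"^[LM]{BASE58}{{26,33}}$")),
    ("litecoin",    re.compile(rf"^ltc1{BECH32}{{39,59}}$")),
    ("monero",      re.compile(rf"^4{BASE58}{{94}}$")),      # 95-char standard address
    ("steam_trade", re.compile(
        r"^https://steamcommunity\.com/tradeoffer/new/\?partner=\d+&token=[A-Za-z0-9_-]+$")),
]


def classify(text):
    """Return the asset type a hijacker would match for `text`, or None."""
    text = text.strip()
    for name, pattern in PATTERNS:
        if pattern.match(text):
            return name
    return None


def hijack(clipboard, replacements):
    """Model of the substitution the article describes: if the clipboard
    holds a recognised payment string, hand back the attacker's configured
    replacement for that asset type, otherwise leave the text untouched.
    `replacements` stands in for the per-asset addresses set in the panel."""
    kind = classify(clipboard)
    return replacements.get(kind, clipboard)


def detect_swap(copied, pasted):
    """Defender-side check: the user copied `copied`, the payment field
    received `pasted`.  A clipper replaces a payment string with one of the
    same type, so the tell-tale sign is a recognised asset plus a changed
    value.  Returns the verdict together with both classifications."""
    copied, pasted = copied.strip(), pasted.strip()
    copied_kind = classify(copied)
    return {
        "copied_type": copied_kind,
        "pasted_type": classify(pasted),
        "swapped": copied_kind is not None and copied != pasted,
    }


# Constructed sample values (valid shape only, not real addresses or links).
USER_BTC = "1TestUserAddressTestUserAddressXY"
ATTACKER_BTC = "1AttackerAddressAttackerAddressXY"
USER_XMR = "4" + "TestUserMonero" * 6 + "AddressXYZ"
ATTACKER_XMR = "4" + "AttackerMonero" * 6 + "AddressXYZ"
USER_STEAM = "https://steamcommunity.com/tradeoffer/new/?partner=12345678&token=AbCdEfGh"
ATTACKER_STEAM = "https://steamcommunity.com/tradeoffer/new/?partner=87654321&token=HgFeDcBa"

# What an attacker would configure in the panel: one replacement per asset.
PANEL_REPLACEMENTS = {
    "bitcoin": ATTACKER_BTC,
    "monero": ATTACKER_XMR,
    "steam_trade": ATTACKER_STEAM,
}


def demo():
    """Run the modelled swap over each sample and return the verdicts."""
    results = {}
    for label, copied in (("btc", USER_BTC), ("xmr", USER_XMR),
                          ("steam", USER_STEAM), ("note", "lunch at 12:30")):
        pasted = hijack(copied, PANEL_REPLACEMENTS)
        results[label] = detect_swap(copied, pasted)
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

Running the demo shows each payment sample flagged with `swapped` set to `True` and identical copied and pasted types, which is exactly the signature an endpoint clipboard monitor can alert on: a recognised payment string that changed between copy and paste. A plain note on the clipboard passes through untouched and is not flagged, so the check does not fire on everyday copying.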