CryptoClippy Speaks Portuguese


Unit 42 recently discovered a malware campaign targeting Portuguese speakers, which aims to redirect cryptocurrency away from legitimate users’ wallets and into wallets controlled by threat actors instead. To do this, the campaign uses a type of malware known as a cryptocurrency clipper, which monitors the victim’s clipboard for signs that a cryptocurrency wallet address is being copied.

The malware, which we call CryptoClippy, seeks to replace the user’s actual wallet address with the threat actor’s, causing the user to inadvertently send cryptocurrency to the threat actor. Unit 42 Managed Threat Hunting found victims across the manufacturing, IT services and real estate industries, though the infections likely affected the personal wallet addresses of employees using their work machines.

To deliver the malware to users’ computers, the threat actors in this campaign used both Google Ads and traffic distribution systems (TDS) to redirect victims to malicious domains impersonating the legitimate WhatsApp Web application. They use this to ensure that the victims are real users and that they are Portuguese speakers. For users who are sent to the malicious domains, the threat actors attempt to trick them into downloading malicious files, either .zip or .exe files, that lead to the final payload.

Palo Alto Networks customers receive protections against this campaign through Cortex XDR. The Advanced URL Filtering and DNS Security cloud-delivered security services for the Next-Generation Firewall identify domains associated with the CryptoClippy campaign as malicious.

To access the full report, please visit here.

Additionally, Unit 42 research shows that the threat actors are using Google Ads and traffic distribution systems to redirect victims to malicious domains impersonating legitimate applications like WhatsApp.

Notable highlights from the report include:

  • The malware, which Unit 42 has deemed CryptoClippy, aims to redirect cryptocurrency funds away from legitimate users’ wallets and into wallets that belong to threat actors.
  • To date, the campaign is specifically targeting Portuguese speakers across Latin America.
  • A CryptoClippy infection begins with SEO poisoning; for example, when a victim searches for “WhatsApp Web,” the result leads them to a threat actor-controlled domain.
  • Threat actors then actively monitor a victim’s clipboard activity for Bitcoin transactions, ultimately taking their valid crypto wallet address and replacing it with one controlled by the threat actors.
  • Unit 42 Managed Threat Hunting found victims across the manufacturing, IT services and real estate industries, though the infections likely affected the personal wallet addresses of employees using their work machines.
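The clipboard-swap behaviour described above is worth checking for on the defender side. The following is an added example, not code from Unit 42 or from the report: it records the value a user copied, recognises Bitcoin address formats (verifying the Base58Check checksum for legacy addresses; Bech32 is matched by pattern only), and flags a clipboard that now holds a different valid address. The addresses used are well-known public example addresses, not indicators from the campaign.

```python
import hashlib
import re

# Base58 alphabet used by legacy (P2PKH "1..." / P2SH "3...") Bitcoin addresses.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
LEGACY_RE = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")
# Bech32 (bc1...) charset; the checksum itself is not verified here (assumption).
BECH32_RE = re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}$")


def base58check_valid(addr: str) -> bool:
    """Decode a legacy address and verify its 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(addr) - len(addr.lstrip("1"))  # leading '1's encode zero bytes
    raw = b"\x00" * pad + raw
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def looks_like_btc_address(text: str) -> bool:
    """True if text is syntactically a Bitcoin address (legacy checksum verified)."""
    text = text.strip()
    if LEGACY_RE.match(text):
        return base58check_valid(text)
    return bool(BECH32_RE.match(text.lower()))


def detect_swap(copied: str, clipboard: str) -> str:
    """Compare what the user copied with what the clipboard holds now.

    "SWAPPED" is the clipper signature: a valid address replaced by another one.
    """
    if not looks_like_btc_address(copied):
        return "not-an-address"
    if clipboard.strip() == copied.strip():
        return "ok"
    if looks_like_btc_address(clipboard):
        return "SWAPPED"
    return "corrupted"


if __name__ == "__main__":
    # Constructed scenario: the user copied the genesis-block address, but the
    # clipboard now contains the BIP173 example Bech32 address instead.
    print(detect_swap("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
                      "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"))
```

In practice the "copied" value would be captured from the application the user copied from (a wallet UI or exchange page), and a SWAPPED result on an endpoint is a strong indicator that a clipper is resident.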
