ComboJack Malware Steals Cryptocurrency by Modifying Addresses

A new cryptocurrency-stealing malware dubbed as ComboJack has been discovered by Palo Alto Networks Unit 42 and Proofpoint researchers. It has been targeting cryptocurrencies and digital wallets belonging to American and Japanese users while the malware is being distributed via email spam campaign.

Fake Passport Email

The malicious emails contain the subject line “Re: passport…” The attackers trick recipients into opening a PDF attachment that supposedly contains a scanned copy of a passport the recipient has mistakenly left in the email sender’s office. The file does not show the scanned passport image but displays a request to open another file, which is actually an embedded RTF file. This RTF file contains an embedded remote object.

This object attacks an old DirectX flaw (classified as CVE-2017-8579) and loads an HTA script. The script runs a PowerShell script to download the malware. Microsoft DirectX is basically a collection of APIs that manages multimedia related tasks on Windows OS.

ComboJack Malware Steals Cryptocurrencies by Modifying Addresses
Image credit: Palo Alto Networks

After the malware is downloaded, it makes sure that it stays on the device for which it keeps itself hidden from the user. It then creates an infinite loop to keep checking the contents of the clipboard after half a second to assess what sorts of cryptocurrencies the victim has stored on his/her digital wallet.

ComboJack Malware Steals Cryptocurrencies by Modifying Addresses
Image credit: Palo Alto Networks

Palo Alto Networks researchers noted in their blog post:

“The contents of the clipboard are checked for various criteria to determine if the victim has copied wallet information for various digital currencies. In the event a wallet of interest is discovered, ComboJack will replace it with a hardcoded wallet that the attacker presumably owns in an attempt to have the victim accidentally send money to the wrong location.”

ComboJack replaces clipboard addresses

ComboJack replaces clipboard addresses to upload an attacker-operated address. Funds are then transferred to the attacker’s wallet instead of their actual address. The attack method relies upon the same tactic that was used by CryptoShuffler malware (identified in 2017). It also benefitted from victims’ ignorance in cross-checking the destination wallet address prior to making funds transfer.

Remember, CryptoShuffler was used by hackers in November 2017 and successfully stole $150,000 from cryptocurrency wallets. The malware modified the original, legitimate address of the user with its own on the clipboard of the targeted device.

However, one feature that differentiates ComboJack from CryptoShuffler is that the latter only stole Bitcoin while the recent one targets a broad range of currencies apart from attacking Bitcoin wallets such as Ethereum, Litecoin, and Monero and also targets funds transferred through Qiwi, Yandex Money, and WebMoney. Perhaps that’s why researchers have dubbed the malware as ComboJack since it can steal funds in multiple cryptocurrencies.

“By targeting multiple cryptocurrencies and web-based wallets, the author of ComboJack appears to be hedging his or her bets on which currency will boom and which will bust,” read the blog post by Palo Alto Networks researchers.

Cryptocurrency users are advised to avoid using online wallets to store their funds and move to hardware wallets. Here is a list of 5 secure Bitcoin wallets which you can trust.


Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.