Evrial Info-Stealing Trojan Modifies Addresses to Steal Cryptocurrency

It is just another day with just another cryptocurrency malware targeting unsuspecting users. This time, it modifies addresses to steal cryptocurrency payments.

Evrial is the latest to join the bandwagon of information-stealing Trojans that sprout every now and then and leave users grasping for enhanced privacy and security. This Trojan is now up for sale on criminal forums and is in high demand.

Just like other information-stealing Trojans, it hijacks browser cookies and extracts stored credentials. What makes it more lethal is that Evrial is capable of monitoring the Windows clipboard and looking for certain text. Once it detects that text, it modifies it into something else. It was identified that Evrial makes it possible to hijack cryptocurrency payments and track Steam trades by replacing authentic payment addresses and links with those of the attacker.


Evrial was discovered by security researchers MalwareHunterTeam and Guido Not CISSP. MalwareHunterTeam states that the Trojan is being sold on Russian criminal forums for 1,500 Rubles ($27). In the advertisement, the seller states that a buyer gains access to a web panel that lets them build an executable, tracks the clipboard modifications, and lets the attacker configure the most feasible replacement strings. The malware does this by connecting to a remote site to upload the original string and download the string that is to be used as a replacement.

VirusTotal scan results

According to Lawrence Abrams of Bleeping Computer, an intriguing feature of Evrial is that it only monitors the clipboard for certain types of strings and replaces them with the ones that the attacker sends, which lets the attacker reroute a cryptocurrency payment to another address owned and controlled by the attacker. Modifying strings in such a way is a rare feat and hasn't been noticed in other malware so far, even in those that are capable of matching strings. What's even more alarming is the fact that the Trojan is configured to detect strings corresponding to a variety of cryptocurrencies, including Bitcoin, Litecoin, Monero, WebMoney and Qiwi addresses.
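The replacement behaviour described above leaves a recognisable trace on the defender's side: an address-shaped clipboard value that changes to a different address of the same family almost immediately after a copy. The following is an added detection sketch, not code from the article or the researchers; the address patterns are approximate public formats, the 2-second window is an assumed heuristic, and the sample values are constructed.

```python
import re

# Approximate public address shapes (assumption: illustrative only; the
# article does not list the patterns Evrial itself matches).
B58 = "[1-9A-HJ-NP-Za-km-z]"
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(rf"[13]{B58}{{25,34}}|bc1[ac-hj-np-z02-9]{{11,71}}"),
    "litecoin": re.compile(rf"[LM]{B58}{{26,33}}"),
    "monero": re.compile(rf"4[0-9AB]{B58}{{93}}"),
}

def classify(text):
    """Return the address family a clipboard string looks like, or None."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return family
    return None

def find_swaps(samples, window=2.0):
    """Flag address-to-address replacements within `window` seconds.

    samples: list of (timestamp_seconds, clipboard_text), oldest first,
    e.g. as recorded by an endpoint agent that logs clipboard changes.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(samples, samples[1:]):
        family = classify(before)
        if (family and family == classify(after)
                and before.strip() != after.strip()
                and t1 - t0 <= window):
            alerts.append({"time": t1, "family": family,
                           "copied": before.strip(), "now": after.strip()})
    return alerts

# Constructed clipboard timeline; the address-shaped strings are placeholders.
SAMPLES = [
    (0.0, "meeting notes"),
    (10.0, "1" + "A" * 33),   # user copies a payee address
    (10.4, "1" + "B" * 33),   # different address 0.4 s later: suspicious
    (60.0, "L" + "c" * 33),   # user copies a Litecoin-shaped address
    (95.0, "L" + "e" * 33),   # another copy 35 s later: outside the window
    (120.0, "hello"),
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLES):
        print(alert)
```

A human copying two addresses in a row rarely does so within a couple of seconds, which is why the short window keeps the second Litecoin copy from raising an alert.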

Moreover, Evrial also steals Bitcoin wallets, stored passwords and all the files that are stored on the targeted desktop. It can also capture a screenshot of the active windows and then compile all the information into a .zip file. The file is then uploaded to a web panel operated by the attacker. It identifies the location of Bitcoin's wallet.dat by scanning for the registry key; if the key is found, it can steal the wallet to access and steal bitcoins.

It can also steal credentials stored in the Chrome, Yandex, Orbitum, Opera, Amigo, Torch, and Comodo browsers as well as in Pidgin and Filezilla. To protect yourself, make sure that updated security software is installed, and always be wary of attachments you receive and scan them on VirusTotal.


Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.