The recent explosion of Bitcoin and other cryptocurrencies has made them an attractive target for many, including hackers and criminals. Now a new trojan called Evrial has emerged, which silently swaps the Bitcoin address stored on the Windows clipboard for the hackers' preferred address.
The trojan, first discovered by security researchers MalwareHunterTeam and Guido Not CISSP, lets criminals and attackers tamper with crypto payments and other digital currency transactions.
Fresh Evrial sample (at 8/67): https://t.co/ClNOvw2GbS
Interesting that previous versions had 20-30 (or more after some time on VT) detections, with only 2 features. Now it has all the features from Reborn Stealer (previously Ovidiy), and now it’s under 10…
— MalwareHunterTeam (@malwrhunterteam) January 16, 2018
According to the team, the virus is being sold on Russian darknet forums for around 1500 Rubles, which translates to around 27 US Dollars. After purchasing the virus, the attacker also gets control of a web panel used to easily build the malicious executable, which activates once the victim runs it. The web panel also keeps track of all clipboard entries made by the victim and allows real-time modification of the code.
The most interesting feature of Evrial is that it continuously monitors the Windows clipboard for changes and modifications. It checks for certain types of strings configured by the attacker, and when it finds such a string it replaces it with the text sent by the attacker. People usually copy a Bitcoin address rather than type it, because the string is too complex to type reliably. The trojan detects this string and replaces it with the Bitcoin address sent by the hacker. The victim then unknowingly pastes the changed address and so loses their crypto.
Apart from changing Bitcoin addresses, Evrial can also be configured to detect and replace addresses for other cryptocurrencies, including Litecoin, Monero, WebMoney, Qiwi and even Steam trade URLs. In addition, Evrial steals Bitcoin wallets, stored passwords and even the victim's personal files and folders, packs the collected data into a zip file and uploads it to the attacker. It also modifies the registry to gain access to .dat files for stealing data.
The trojan also targets browsers for browsing data and credentials and uploads them to the attacker. Browsers including Chrome, Opera, Yandex, Orbitum, Comodo and Torch are affected by this trojan. It also sends screenshots of the active window to the attacker.
While researchers have not yet been able to find out how Evrial is being distributed, they warn all users, especially those who have Bitcoin wallets, to be extremely careful when downloading random files off the internet. They also recommend using good security software and practicing safe browsing habits.
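A defender-side check for the clipboard-swap behaviour described in the two paragraphs above, as an added example that is not code from the article or from the researchers: it scans a log of polled clipboard snapshots and flags the case where a wallet address is replaced by a different address of the same currency almost immediately after the user copied it. The address regexes, the two-second swap window and the sample snapshots are constructed assumptions for illustration.

```python
import re
from typing import List, Optional, Tuple

# Approximate address patterns for currencies the article names. These regexes
# are assumptions for illustration, not a complete grammar for each coin.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{39,59})"),
    "litecoin": re.compile(r"(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[ac-hj-np-z02-9]{39,59})"),
    "monero": re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}"),
}

# A swap landing this soon after the original copy is unlikely to be the user
# re-copying by hand (assumption: threshold chosen for illustration).
SWAP_WINDOW_SECONDS = 2.0


def classify(text: str) -> Optional[Tuple[str, str]]:
    """Return (currency, address) if the whole clipboard text is a wallet address."""
    stripped = text.strip()
    for currency, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(stripped):
            return currency, stripped
    return None


def detect_swaps(snapshots: List[Tuple[float, str]]) -> List[dict]:
    """Scan polled clipboard snapshots (timestamp, text) for clipper behaviour:
    an address replaced by a different address of the same currency within
    SWAP_WINDOW_SECONDS of the previous address being seen."""
    alerts = []
    previous = None  # (timestamp, currency, address) of the last address seen
    for ts, text in snapshots:
        found = classify(text)
        if found is None:
            previous = None  # non-address content breaks the chain
            continue
        currency, address = found
        if previous is not None:
            prev_ts, prev_currency, prev_address = previous
            if (currency == prev_currency and address != prev_address
                    and ts - prev_ts <= SWAP_WINDOW_SECONDS):
                alerts.append({"currency": currency, "original": prev_address,
                               "replacement": address, "seconds": ts - prev_ts})
        previous = (ts, currency, address)
    return alerts


# Constructed clipboard poll log: the user copies a Bitcoin address and a
# clipper-style process overwrites it half a second later; the re-copy at
# 90 s is far outside the window and is treated as a normal user action.
SAMPLE_SNAPSHOTS = [
    (0.0, "invoice #42 due Friday"),
    (10.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    (10.5, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    (11.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    (90.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
]
```

Running `detect_swaps(SAMPLE_SNAPSHOTS)` yields a single alert for the 0.5 s swap; a real monitor would feed it live snapshots and raise an alert to the user before they paste.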