360 Brain of Security discovered the first clipboard ghost Trojan written in the Java language. The Trojan first spread in April 2019. After infecting the user’s computer, it monitors the user’s clipboard content and hijacks the trading process of seven virtual currencies, including Bitcoin, Ethereum, Ripple and Dogecoin. The infection trend of the Trojan is shown in the following figure:
Up to now, only 360 can identify the Trojan on VirusTotal.
“Clipboard Ghost” is a virtual currency Trojan that was discovered and disclosed by the 360 Brain of Security in June 2018. This type of Trojan monitors the user’s clipboard content and hijacks virtual currency transactions by swapping out the wallet address the user has copied. It is an invisible hand that threatens the security of users’ transactions at a time when virtual currency is prevalent. However, 360 users do not need to worry: 360 Total Security can intercept the latest clipboard ghost Trojan:
Technical Analysis
This is the first “Clipboard Ghost” Trojan we have intercepted that is written in Java, and the whole virus process is simple and efficient. The overall code logic is as follows: first it creates a scheduled task so that the virus starts automatically, then it checks whether any process inspection tools are running on the current system. If none are, it reads the contents of the clipboard and determines whether they contain a valid virtual wallet address. If they do, the Trojan replaces it with the virus author’s wallet address.
Create a scheduled task to achieve virus self-start:
Match virtual currency wallet addresses based on the length and leading characters of the address:
Seven virtual currencies are hijacked, including Bitcoin, Ethereum, Ripple, and Dogecoin:
We calculated the revenue of the bitcoin wallet used by the virus: it has received a total of 2.41 bitcoins, which is about USD 20,000.
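The replacement behaviour described above leaves a recognisable trace: an address on the clipboard is overwritten almost immediately by a different address of the same currency. The following is an added example, not code from the Trojan or from 360; it flags that pattern in a recorded sequence of clipboard observations. The address shapes, the function names, the 2-second window and the sample events are assumptions made for illustration.

```python
import re

# Assumed, commonly documented address shapes (length + leading characters).
# These are not the Trojan's own rules, which the page does not list.
ADDRESS_SHAPES = {
    "bitcoin":  re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "ripple":   re.compile(r"r[1-9A-HJ-NP-Za-km-z]{24,34}"),
    "dogecoin": re.compile(r"D[1-9A-HJ-NP-Za-km-z]{33}"),
}

def classify(text):
    """Return the currency whose address shape the whole string matches, else None."""
    value = text.strip()
    for currency, shape in ADDRESS_SHAPES.items():
        if shape.fullmatch(value):
            return currency
    return None

def find_swaps(events, max_gap=2.0):
    """Flag clipboard changes where an address is replaced by a different
    address of the same currency within max_gap seconds.

    events: iterable of (timestamp_seconds, clipboard_text) in time order.
    """
    alerts = []
    prev = None  # (timestamp, text, currency) of the previous observation
    for ts, text in events:
        text = text.strip()
        currency = classify(text)
        if (prev is not None and currency is not None and prev[2] == currency
                and prev[1] != text and ts - prev[0] <= max_gap):
            alerts.append({"time": ts, "currency": currency,
                           "copied": prev[1], "now": text})
        prev = (ts, text, currency)
    return alerts

# Constructed sample observations; the addresses are placeholders, not real wallets.
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (5.0, "1" + "A" * 33),       # user copies a Bitcoin-shaped address
    (5.3, "1" + "B" * 33),       # replaced 0.3 s later: suspicious
    (60.0, "0x" + "ab" * 20),    # user copies an Ethereum-shaped address
    (300.0, "0x" + "cd" * 20),   # a different one minutes later: normal use
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The same comparison works as a manual habit: after pasting a wallet address, check it character by character against the source before confirming the transfer.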