ComboJack Malware

Palo Alto Networks' Unit 42 researchers discovered a new malware variant, dubbed ComboJack, that targets clipboard content associated with cryptocurrency wallets. ComboJack is distributed via a malicious PDF email attachment that contains an embedded RTF file; the RTF carries a remote object designed to exploit CVE-2017-8579. Once delivered, ComboJack abuses the built-in Windows tool attrib.exe, which sets file attributes, to mark its payload hidden and system so that it does not appear in default directory listings. The Unit 42 report also states that this allows the payload to execute with elevated privileges; note that file attributes by themselves do not change the privilege level of a process, so the hiding is the reliable effect of this step. ComboJack then enters an infinite loop that repeatedly reads the user's clipboard, looking for wallet addresses for a wide range of digital currencies, including Bitcoin, Litecoin, Monero, and Ethereum, as well as for digital payment systems such as WebMoney and Yandex Money. When it recognizes a wallet address, ComboJack replaces it with a hardcoded, attacker-controlled address for the same currency, so that a victim who pastes the address sends funds to the attacker instead of the intended recipient. Because the swap happens between copy and paste, users who transact in cryptocurrency should compare the pasted address against the intended one before confirming a transfer.

The NJCCIC recommends reviewing the Palo Alto Networks report for additional information and Indicators of Compromise (IoCs). Additionally, we recommend that all users and administrators of systems running Microsoft products review Microsoft's security bulletin for CVE-2017-8579 for more information about affected products and associated patches.
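The following is an added illustration, not code from the Unit 42 report or from the malware itself. It shows the two sides of the technique described above: a small function that mimics the hijacking logic (recognize a wallet address on the clipboard, swap in a hardcoded per-currency attacker address), and a detection heuristic a defender could run beside a clipboard monitor (a wallet address being replaced by a different wallet address within a short polling window). The address patterns are the public formats for Bitcoin, Litecoin, Monero, Ethereum and WebMoney; the Yandex Money pattern and all sample addresses other than the Bitcoin test vectors are constructed assumptions. Reading the real OS clipboard is left to the caller, so the code runs offline.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Address formats ComboJack is reported to target. Base58/bech32/hex
# alphabets are the public ones; the Yandex Money rule (4100 + digits,
# 11-16 digits total) is an assumption for illustration only.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
BECH32 = r"[qpzry9x8gf2tvdw0s3jn54khce6mua7l]"
WALLET_PATTERNS = {
    "bitcoin":      re.compile(rf"^(?:[13]{BASE58}{{25,34}}|bc1{BECH32}{{11,71}})$"),
    "litecoin":     re.compile(rf"^(?:[LM]{BASE58}{{26,33}}|ltc1{BECH32}{{11,71}})$"),
    "monero":       re.compile(rf"^[48][0-9AB]{BASE58}{{93}}$"),
    "ethereum":     re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "webmoney":     re.compile(r"^[ZREUBGDXYK]\d{12}$"),
    "yandex_money": re.compile(r"^4100\d{7,12}$"),   # assumption, see above
}


def classify(text: str) -> Optional[str]:
    """Return the currency whose address format the clipboard text matches, else None."""
    text = text.strip()
    for currency, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return currency
    return None


def hijack(clipboard: str, attacker_addresses: dict) -> str:
    """Mimics the malware's loop body: if the clipboard holds a wallet address
    for a currency the attacker has a hardcoded address for, replace it.
    Anything else is passed through untouched so the user notices nothing."""
    currency = classify(clipboard)
    if currency in attacker_addresses:
        return attacker_addresses[currency]
    return clipboard


@dataclass
class Observation:
    text: str
    ts: float


class ClipboardWatcher:
    """Defensive heuristic: one wallet address replaced by a different wallet
    address within `window_s` seconds looks like a hijacking loop, not a user
    copying something new. Feed it each clipboard poll via observe()."""

    def __init__(self, window_s: float = 2.0):
        self.window_s = window_s
        self.last: Optional[Observation] = None

    def observe(self, text: str, ts: float) -> Optional[dict]:
        prev, self.last = self.last, Observation(text, ts)
        if prev is None or prev.text == text:
            return None                      # first poll, or nothing changed
        before, after = classify(prev.text), classify(text)
        if before is None or after is None:
            return None                      # ordinary copy of non-address text
        if ts - prev.ts > self.window_s:
            return None                      # slow change: user likely copied a new address
        return {
            "kind": "same_type" if before == after else "type_changed",
            "currency": after,
            "from": prev.text,
            "to": text,
        }


if __name__ == "__main__":
    # Constructed demo: the "user" copies a Bitcoin address, the hijacker
    # swaps it, and the watcher flags the swap on the next poll.
    victim_copy = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"      # public BTC test address
    attacker = {"bitcoin": "1" + "B" * 33}                    # constructed, not a real IoC
    watcher = ClipboardWatcher()
    watcher.observe(victim_copy, 0.0)
    swapped = hijack(victim_copy, attacker)
    print("pasted:", swapped)
    print("alert:", watcher.observe(swapped, 0.5))
```

The watcher is a heuristic: a user who copies two different addresses of the same currency within the window will also trigger it, so in practice it is a prompt to re-check the address rather than a blocking control.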