Portuguese users are being targeted by a new malware codenamed CryptoClippy that’s capable of stealing cryptocurrency as part of a malvertising campaign.
The activity leverages SEO poisoning techniques to entice users searching for “WhatsApp web” to rogue domains hosting the malware, Palo Alto Networks Unit 42 said in a new report published today.
CryptoClippy, a C-based executable, is a type of cryware known as clipper malware that monitors a victim’s clipboard for content matching cryptocurrency addresses and substituting them with a wallet address under the threat actor’s control.
“The clipper malware uses regular expressions (regexes) to identify what type of cryptocurrency the address pertains to,” Unit 42 researchers said.
“It then replaces the clipboard entry with a visually similar but adversary-controlled wallet address for the appropriate cryptocurrency. Later, when the victim pastes the address from the clipboard to conduct a transaction, they actually are sending cryptocurrency directly to the threat actor.”
The illicit scheme is estimated to have netted its operators about $983 so far, with victims found across manufacturing, IT services, and real estate industries.
It’s worth noting that the use of poisoned search results to deliver malware has been adopted by threat actors associated with the GootLoader malware.
Another approach used to determine suitable targets is a traffic direction system (TDS), which checks if the preferred browser language is Portuguese, and if so, takes the user to a rogue landing page.
Users who do not meet the requisite criteria are redirected to the legitimate WhatsApp Web domain without any further malicious activity, thereby avoiding detection.
The findings arrive days after SecurityScorecard detailed an information stealer called Lumma that’s capable of harvesting data from web browsers, cryptocurrency wallets, and a variety of apps such as AnyDesk, FileZilla, KeePass, Steam, and Telegram.