[retsl]

the malware's main function seems to be to check the clipboard for crypto wallet addresses and then replace them with attacker addresses:

  Bitcoin (bc1): bc1qrzh7d0yy8c3arqxc23twkjujxxaxcm08uqh60v
  Litecoin (ltc1/L/M): LQ4B4aJqUH92BgtDseWxiCRn45Q8eHzTkH
  Ethereum (0x): 0x10A8B2e2790879FFCdE514DdE615b4732312252D
  Dogecoin (D): DQzrwvUJTXBxAbYiynzACLntrY4i9mMs7D
  Tron (T): TW93HYbyptRYsXj1rkHWyVUpps2anK12hg
  Ripple (r): r9vQFVwRxSkpFavwA9HefPFkWaWBQxy4pU
  Cardano (addr1): addr1q9atfml5cew4hx0z09xu7mj7fazv445z4xyr5gtqh6c9p4r6knhlf3jatwv7y72deah9un6yettg92vg8gskp04s2r2qren6tw

can't guarantee it doesn't do anything else.

[riedel]

Isn't possible to check in the block chain to check if the attacker is actually receiving money? Just curious how much money ine makes with such attacks.

[basilikum]

Here is the BTC and ETH address for convenience for anyone who wants to check: https://mempool.space/address/bc1qrzh7d0yy8c3arqxc23twkjujxx... https://etherscan.io/address/0x10A8B2e2790879FFCdE514DdE615b...

They are empty as of now.

[gield]

I just checked all wallets, they're all empty with no recent transactions.

[like_any_other]

Do browsers still let websites read the clipboard?

[retsl]

Not without approval, see https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_A... or https://web.dev/articles/async-clipboard#security_and_permis.... But that is not relevant here.

Instead of the .torrent files, the compromised website served a .zip file, which contained a .exe. When opened, it shows a GUI to select a Xubuntu version and a button to generate the link. When that button was clicked, the malware showed a download link to the user and, in the background, deployed a second stage to %APPDATA%\osn10963\elzvcf.exe and executed it.

The second stage monitors the clipboard for cryptocurrency addresses which it will replace with attacker-controlled ones. The second stage is also added to HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ to ensure it is run whenever the user logs in.

Both stages have some limited anti-debugging and anti-VM functionality.

[integralid]

That's not done in the browser, malware is hidden in the Ubuntu download (but that's a rather amateurish work, image was not compromised, malware was distributed as .exe file next to it).

[_zagj]

As soon as I saw the headline, I assumed something of this sort. Maybe it's naive, but I miss the days when you could just trust (however unfounded) open source software. I never had to hesitate before downloading a distro or a package. Now I only install something if I absolutely need it.

[fragmede]

The whole supply chain, in fact. The project's site isn't necessarily the real one. the GitHub repo it links to isn't necessarily the real one, the binaries it offers to download aren't necessarily the real one, GitHub isn't even necessarily the real one! There's currently a phishing copy of GitHub up at hxxps://git.hubp.de/ that somebody is going to fall for before it's taken down. If you want to be help get it blocked, load that site up and flag it as unsafe in Chrome! (It's hilarious that the site has a Cloudflare challenge to get in, btw.)

It's a big bad dark scary Internet out there. Be careful.

[bsder]

Let's all thank Bitcoin for making supply chain compromises worth anonymous money transfers.