{"id":10195,"date":"2017-10-31T08:30:18","date_gmt":"2017-10-31T16:30:18","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/31\/news-3968\/"},"modified":"2017-10-31T08:30:18","modified_gmt":"2017-10-31T16:30:18","slug":"news-3968","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/10\/31\/news-3968\/","title":{"rendered":"CryptoShuffler: Trojan stole $140,000 in Bitcoin"},"content":{"rendered":"<p><strong>Credit to Author: Marvin the Robot| Date: Tue, 31 Oct 2017 16:19:20 +0000<\/strong><\/p>\n<p>Imagine that one day you decide to use Bitcoin to pay for, say, a pizza. You copy the wallet address from the pizzeria&#8217;s website, enter the required amount, and click the Send button. The transfer goes through, but the pizza doesn&#8217;t arrive. The pizzeria owners say they never received the payment. What&#8217;s going on? Don&#8217;t get mad at the pizza guys \u2014 it&#8217;s all down to CryptoShuffler.<a href=\"https:\/\/d1srlirzdlmpew.cloudfront.net\/wp-content\/uploads\/sites\/92\/2017\/10\/31121147\/20171910_Bitcoin_steal.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/d1srlirzdlmpew.cloudfront.net\/wp-content\/uploads\/sites\/92\/2017\/10\/31121147\/20171910_Bitcoin_steal-1024x672.jpg\" alt=\"\" width=\"1024\" height=\"672\" class=\"aligncenter size-large wp-image-19977\" \/><\/a><\/p>\n<p>Unlike <a target=\"_blank\" href=\"https:\/\/www.kaspersky.ru\/blog\/bad-rabbit-ransomware\/19072\/\">cryptoransomware<\/a>, this Trojan avoids flashy effects, instead doing its best to slip under the radar. It resides quietly in the computer&#8217;s memory and monitors the clipboard \u2014 the temporary storage area for cut\/paste operations.<\/p>\n<p>As soon as CryptoShuffler spots the address of a cryptocurrency wallet on the clipboard (it&#8217;s quite easy to distinguish these addresses by line length and specific characters), it replaces the address with another. 
As a result, the cryptocurrency transfer does indeed go through, and in the amount specified by the payer, but the recipient is not the pizzeria; it is the intruders behind CryptoShuffler.<\/p>\n<p> <a target=\"_blank\" href=\"https:\/\/securelist.com\/tales-from-the-blockchain\/82971\/\">Having studied the Trojan<\/a>, Kaspersky Lab discovered that the malware targets not only Bitcoin, but also Ethereum, Zcash, Monero, Dash, Dogecoin (yes, it&#8217;s real), and other cryptocurrencies as well. Substituting Bitcoin wallets is the Trojan&#8217;s most lucrative activity \u2014 at the time of publication the attackers had snagged slightly more than 23 BTC (about $140,000 at the current exchange rate).<a href=\"https:\/\/d1srlirzdlmpew.cloudfront.net\/wp-content\/uploads\/sites\/92\/2017\/10\/31121829\/cryptoshuffler-bitcoin-stats.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/d1srlirzdlmpew.cloudfront.net\/wp-content\/uploads\/sites\/92\/2017\/10\/31121829\/cryptoshuffler-bitcoin-stats-1024x181.png\" alt=\"\" width=\"1024\" height=\"181\" class=\"aligncenter size-large wp-image-19978\" \/><\/a> <\/p>\n<p>The other cryptocurrency wallets belonging to CryptoShuffler&#8217;s creators were found to contain sums ranging from tens to thousands of dollars.<\/p>\n<p>It took the Trojan a little more than a year to collect that money. Peak activity in late 2016 was followed by a slump, but then in June 2017, CryptoShuffler reawakened.<\/p>\n<p>This Trojan clearly demonstrates that an infected computer or smartphone will not necessarily slow down or display ransom messages. On the contrary, many kinds of malware try to keep a low profile and to operate as stealthily as possible; the longer they remain undetected, the more money they will make for their creators.<\/p>\n<p>So our advice to all cryptocurrency users is to remain vigilant and get protected. 
Our products detect CryptoShuffler as Trojan-Banker.Win32.CryptoShuffler.gen, and, needless to say, block all its actions.<\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/blog\/cryptoshuffler-bitcoin-stealer\/19976\/\" target=\"bwo\" >https:\/\/blog.kaspersky.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Marvin the Robot| Date: Tue, 31 Oct 2017 16:19:20 +0000<\/strong><\/p>\n<p>The CryptoShuffler Trojan does its utmost to go unnoticed, stealing Bitcoins on the sly.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10425,10378],"tags":[10490,14147,16251,10432,1931,10438,12269],"class_list":["post-10195","post","type-post","status-publish","format-standard","hentry","category-kaspersky","category-security","tag-bitcoin","tag-cryptocurrencies","tag-cryptoshuffler","tag-protection","tag-research","tag-threats","tag-trojans"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10195","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10195"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10195\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10195"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10195"},{"taxon
omy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}