Security

Evrial Trojan can steal what's saved on your Windows Clipboard, including Bitcoins

The recently discovered malware, which is available as a service, also steals passwords and documents and takes screenshots of active windows.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • A newly discovered Trojan kit called Evrial is capable of redirecting cryptocurrency transactions by monitoring the Windows Clipboard for wallet addresses and substituting them with hacker-controlled ones.
  • Evrial can also steali passwords and cookies from a variety of browsers, copy files, and take screenshots of active windows. It's available as a service and is largely undetected by antivirus engines.

A newly discovered Trojan called Evrial is capable of monitoring the Windows Clipboard, detecting cryptocurrency wallet addresses, and editing them to redirect Bitcoins, Etherium, Litecoins, and more.

Evrial was discovered for sale on Russian hacking forms for as little as $27 USD and comes as a complete malware-as-a-service (MaaS) package. All the purchaser has to do is access the Evrial web interface to build the Trojan's executable file and harvest information stolen from infected machines.

Once installed on a target Windows machine, Evrial monitors the Clipboard for anything that looks like a cryptocurrency wallet address, and when one is detected it changes it to a wallet controlled by the Trojan's controller instead.

Cryptocurrency wallet addresses are long strings of characters, so when transferring coins from one wallet to another most people simply copy and paste the address. An Evrial-infected machine is pasting that altered address, most likely unnoticed by the victim.

What it does with the original address makes things even worse: It uploads the wallet address that was copied to the Clipboard to its web interface, giving the attacker access to the original wallet as well.

Stealing more than just Bitcoins

eviral-forums.jpg

Evrial features, as advertised on a Russian hacking forum (translated).

Image: Bleeping Computer

Evrial is configured to recognize wallet addresses for Bitcoin, Litecoin, Monero, WebMoney, QIWI, and even the URLs used to trade items on the gaming platform Steam.

Along with monitoring the Clipboard for digital currencies, Evrial also steals locally stored Bitcoin wallets, which it does by looking for wallet.dat files in the infected computer's registry. It can also steal website credentials stored in Chrome, Yandex, Orbitum, Opera, Amigo, Torch, and Comodo web browsers, as well as chat client Pidgin and the Filezilla FTP client.

SEE: Intrusion detection policy (Tech Pro Research)

Evrial also steals cookies and files formatted as doc, docx, txt, and log. It takes screenshots of active windows and uploads all of its stolen information as ZIP files to its web portal, as well.

In short, Evrial is a nasty piece of work capable of stealing most every password and cryptocurrency wallet on a Windows PC.

Preventing an Evrial infection

Evrial's attack vector isn't currently known and is likely varying from attacker to attacker since the web portal simply produces an EXE and leaves its controller on its own.

VirusTotal currently shows only eight out of 67 antivirus platforms detecting it, so it's very likely that it's going unnoticed as well.

SEE: IT leader's guide to reducing insider security threats (Tech Pro Research)

That said, the only way to reliably avoid Evrial at this point is to be vigilant and practice good PC hygiene. Make sure computers you manage are prohibited from installing software without administrator permission, always apply security patches and OS updates, and keep antivirus definitions current.

Also see

About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.

Editor's Picks

Free Newsletters, In your Inbox