Hackers Rob Hackers by Offering Them Fake Malware

Source: https://cobaltstrike.net/2022/03/24/hackers-rob-hackers-by-offering-them-fake-malware/

Information security specialists at two companies have found another case of hackers attacking their own peers: under the guise of cracked remote access Trojans (RATs) and malware-building tools, they offer an infostealer that steals data from the clipboard.

Clipboard-stealing software is quite common. Attackers use it to monitor the clipboard of the compromised system, identify cryptocurrency addresses the victim copies, and replace them with their own. This lets them intercept financial transactions on the fly and redirect the money to their own accounts. As a rule, such stealers specialize in popular cryptocurrencies, in particular Bitcoin, Ethereum and Monero.
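The address replacement described above can be spotted from a clipboard history. The following is an added example, not code from the article or the researchers: it flags an address that is replaced by a different address of the same family within a short interval. The snapshot format, the `max_gap` threshold and all sample values are assumptions constructed for illustration.

```python
import re

# Shape-only patterns (no checksum validation); enough to spot look-alike swaps.
ADDRESS_SHAPES = {
    "bitcoin": re.compile(r"(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})"),
    "evm": re.compile(r"0x[0-9a-fA-F]{40}"),  # Ethereum, BSC, Polygon etc. share this format
    "monero": re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}"),
}

def classify(text):
    """Return the address family whose shape the whole string matches, or None."""
    value = text.strip()
    for family, pattern in ADDRESS_SHAPES.items():
        if pattern.fullmatch(value):
            return family
    return None

def find_swaps(snapshots, max_gap=1.0):
    """Flag consecutive clipboard snapshots where one address is replaced by a
    different address of the same family within max_gap seconds.
    Assumption: a person rarely copies two different addresses that fast."""
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        family = classify(before)
        if (family and family == classify(after)
                and before.strip() != after.strip()
                and t1 - t0 <= max_gap):
            alerts.append({"time": t1, "family": family,
                           "copied": before.strip(), "replaced_by": after.strip()})
    return alerts

# Constructed sample data: (seconds, clipboard text). The addresses are made-up
# strings with the right shape, not real wallets.
COPIED_EVM = "0x" + "a1" * 20
SWAPPED_EVM = "0x" + "b2" * 20
SAMPLE = [
    (0.0, "meeting notes"),
    (5.0, COPIED_EVM),
    (5.2, SWAPPED_EVM),       # replaced 0.2 s after the copy: suspicious
    (60.0, "1" + "B" * 30),
    (95.0, "1" + "C" * 30),   # different address, but 35 s later: not flagged
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE):
        print(alert)
```

The timing heuristic will miss a clipper that delays its replacement, so comparing the pasted address with the intended one before confirming a transfer remains the more reliable check.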

ASEC specialists discovered on hacker forums, including Russia black hat, clipboard-stealing software that attackers pass off as cracked versions of the BitRAT and Quasar RAT Trojans, which are usually sold for $20-100. After downloading the software, the victim is directed to an Anonfiles page, where they are offered a RAR archive that is supposedly a builder for the selected Trojan.

The crack.exe file contained in the archive is in fact a ClipBanker malware installer that copies malicious code to the startup folder and executes it after the next restart of the computer.

Specialists at Cyble, in turn, found offers on hacker forums for a month of free use of the AVD Crypto Stealer. In this case, as in the previous one, the victim downloads an alleged malware builder and launches the executable file Payload.exe, thinking that this will give them free access to the crypto stealer.

As a result, Clipper malware is loaded onto the victim’s system. It can read and change text copied by the victim, for example cryptocurrency wallet data. The malware targets Ethereum, Binance Smart Chain, Fantom, Polygon, Avalanche and Arbitrum wallets.

As the researchers found out, the Bitcoin address hard-coded in this variant of the malware received 1.3 BTC (about $54 thousand) from 422 intercepted transactions.
