Malware that rummages through your clipboard is not new – after all, the clipboard is how you transfer data that’s important enough to move between two applications, so the contents of the clipboard are self-selectingly interesting to crooks.
In fact, in an amusing irony, the ⌘ key used on Macs for the copy-and-paste combinations ⌘C and ⌘V (the equivalent of Ctrl+C and Ctrl+V on Windows) is officially known in Unicode as the PLACE OF INTEREST SIGN.
Better yet for cybercriminals, but worse still for you, is that the clipboard is often the primary way that you “type in” critical machine-generated data that’s a hassle to enter character-by-character each time you need it.
You probably use the clipboard yourself all the time for “text strings of interest” such as passwords like P455//()Rdz, invoices or account numbers like 2BBE-64-903555X2-B, and cryptocurrency payment addresses like
We recently wrote about a malware sample with the unassuming name of Troj/Agent-AZHF that spies on your clipboard specifically to look out for cryptocoin addresses that you’re about to send money to – it knows how to recognise addresses for Bitcoin, Dogecoin, Litecoin, Dash, Ethereum, Namecoin, Zcash and Peercoin.
Clipboard-manipulating malware might sound pretty unsophisticated at first, but it can steal digital content from you without the hassle of cracking passwords, reading cryptocoin wallets, peeking at private keys, and even without making any network connections to suspicious command-and-control servers.
If you have any questions or comments about the video, please leave them below and we’ll do our best to answer them.
Thanks for watching, and remember: after you copy-and-paste, check twice, click once.