Implementing A Clipboard Malware For Cryptocurrency Wallets

The clipboard is a buffer used for storing temporary data we have copied. When we click the “copy” button, we actually tell our computer to store the data we want to copy in this specific buffer. After that, when we “paste” that data, we ask our computer to recall it from the buffer.

In this article, I am going to show you how to implement a very simple but very harmful crypto-malware. This malware is actually a Python script that can take control of a victim’s clipboard.

Scenario

Consider three Bitcoin users: Alice and Bob, and a malicious user, Eve. Since Alice, Bob, and Eve are all Bitcoin users, each of them owns a Bitcoin wallet, and each Bitcoin wallet has a Bitcoin address.

Alice wants to send some Bitcoin to Bob, so Bob has sent his address to Alice by email. When Alice opens her wallet and hits the “send” button, the wallet asks her for Bob’s address. Alice copies Bob’s address from the email he sent her, pastes it, and successfully sends the Bitcoin to Bob.

The idea of this attack is for Eve to get access to Alice’s clipboard. Once Eve achieves this, she can take control of the clipboard and decide what data Alice should copy and paste.

Implementation

Now that we have explained the general plan of the attack, let’s see how we will implement this malware.

For this script, we are going to use the pyperclip library. Pyperclip is a Python library that allows us to interact with the clipboard.

First, we have the getClipboard() function, which reads the clipboard buffer. We assign a variable called data, in which we store the content of the clipboard returned by the .paste() method.

getClipboard() function

We now have to define a condition. This “if” condition checks whether the victim has copied a Bitcoin address or not. The length of a Bitcoin address could range from 26 to 34 characters, so in this condition we actually check whether the victim has copied a value of 26 or more characters. If the condition is true, then the setClipboard() function is invoked.

The setClipboard() function takes control of the clipboard and changes the data stored in it. First, we pass our own Bitcoin address as the parameter of the .copy() method. The .copy() method writes a value into the clipboard buffer, which in our case is our Bitcoin address. Next, the .paste() method returns whatever is stored in the clipboard buffer.

setClipboard() function

Finally, we add a while loop that runs continuously and constantly calls the getClipboard() function. The completed code is shown below:

Full script

Results

We now assume that we want to copy and paste Bob’s address in order to send him an amount of Bitcoin. When we go to our wallet and paste this address, the address which is pasted is not Bob’s address but the address which has been hard-coded in the script.

This attack relies on the fact that when users send cryptocurrency to other users, they don’t check the pasted address.

So, if you don’t want to be the victim of such an attack, always check the address to which you are going to send your cryptocurrencies.
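Beyond checking by eye, the swap described above has a detectable signature: the polling loop replaces one address-shaped clipboard value with a different address-shaped value within a fraction of a second, far faster than a person copies two addresses. The following detector is an added example written for this article, not code from the original post; it runs on constructed clipboard samples of the form (timestamp, content), and the address pattern is a shape heuristic, not a checksum validation.

```python
import re

# Shapes of the addresses the attack targets: legacy/P2SH base58 (26-35 chars,
# leading 1 or 3, no 0/O/I/l) and bech32 (bc1 + 11-71 chars of the bech32 set).
BTC_ADDRESS_RE = re.compile(
    r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"
)


def looks_like_btc_address(text: str) -> bool:
    """True if the clipboard content has the shape of a Bitcoin address."""
    return bool(BTC_ADDRESS_RE.match(text.strip()))


def detect_address_swaps(events, window=2.0):
    """Scan (timestamp, clipboard_content) samples taken by polling.

    Flag every clipboard *change* where an address-shaped value is replaced by
    a different address-shaped value within `window` seconds. Repeated samples
    of unchanged content are ignored, so the timer measures time since the
    last change, not since the last poll.
    Returns a list of (time_of_swap, original_address, replacement_address).
    """
    swaps = []
    last_change_t, last_v = None, None
    for t, v in events:
        if v == last_v:
            continue  # same content as before: not a clipboard change
        if (last_v is not None and looks_like_btc_address(last_v)
                and looks_like_btc_address(v)
                and t - last_change_t <= window):
            swaps.append((t, last_v, v))
        last_change_t, last_v = t, v
    return swaps


# Constructed sample of clipboard polling every 0.5 s (not a real capture).
# The two addresses are well-known documentation examples, used as stand-ins.
BOB = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"   # the address the user meant to paste
EVE = "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"   # the address the script substitutes
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (0.5, "meeting notes"),
    (1.0, BOB),                  # user copies Bob's address
    (1.5, EVE),                  # next poll: already overwritten by the loop
    (2.0, EVE),
    (30.0, "https://example.com"),
    (45.0, BOB),                 # later legitimate copy, nothing replaces it
]

if __name__ == "__main__":
    for when, before, after in detect_address_swaps(SAMPLE_EVENTS):
        print(f"t={when}s: clipboard address {before} replaced by {after}")
```

To run it against a live clipboard, feed the same function samples of `pyperclip.paste()` taken on a timer; a wallet front end can apply the same rule to the value it receives on paste.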

Department of Electronics and Computer Science, University of Southampton