Cryware
Microsoft's latest research investigates the rise of Cryware targeting hot wallets (also known as non-custodial cryptocurrency wallets). Cryware takes advantage of the accessibility of data stored locally on a user's device to carry out information theft and conduct crypto transactions. The attacker's objective is to obtain data associated with the hot wallet, including private keys, seed phrases, and wallet addresses. With that information, a crypto transaction can be initiated without the victim's consent, and because blockchain transactions are irreversible, the victim is unable to recover their funds. Because wallet data (private keys, seed phrases, and wallet addresses) follows recognizable string formats, attackers can craft regular expressions (regexes) to locate it using a variety of techniques, including memory dumping, keylogging, exfiltrating the wallet's application storage files, and clipping and switching. The research describes the clipping and switching technique as follows: "a Cryware monitors the contents of a user's clipboard and uses string search patterns to look for and identify a string resembling a hot wallet address. If the target user pastes or uses CTRL + V into an application window, the Cryware replaces the object in the clipboard with the attacker's address."
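The defender-side counterpart of the clipping-and-switching behaviour above is to check, before a transaction is sent, that the address being pasted is the one the user actually copied. The following is an added illustration, not code from Microsoft's research: it replays a constructed sequence of clipboard events, classifies strings by approximate wallet-address shape (illustrative patterns, no checksum validation), and flags a paste whose address differs from the last user-copied address.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Illustrative shape patterns for common hot-wallet address formats (assumption:
# approximate, not exhaustive; checksums are deliberately not validated here).
WALLET_PATTERNS = {
    "btc_base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def wallet_kind(text: str) -> Optional[str]:
    """Return the address format name if the string looks like a wallet address, else None."""
    s = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return name
    return None

@dataclass
class ClipboardEvent:
    source: str  # "user_copy": the user copied text; "paste": text about to be pasted
    text: str

def audit_clipboard(events: List[ClipboardEvent]) -> List[dict]:
    """Replay clipboard events and flag a paste of a wallet-looking address that does
    not match the address the user last copied (the clipping-and-switching signature)."""
    alerts = []
    last_copied = None
    for ev in events:
        if ev.source == "user_copy":
            last_copied = ev.text.strip()
        elif ev.source == "paste":
            pasted = ev.text.strip()
            kind = wallet_kind(pasted)
            if kind and last_copied is not None and pasted != last_copied:
                alerts.append({"copied": last_copied, "pasted": pasted, "kind": kind})
    return alerts

# Constructed sample events (placeholder addresses, not real wallets).
SAMPLE_EVENTS = [
    ClipboardEvent("user_copy", "0x" + "11" * 20),
    ClipboardEvent("paste", "0x" + "11" * 20),   # benign: paste matches the copy
    ClipboardEvent("user_copy", "1" + "A" * 33),
    ClipboardEvent("paste", "1" + "B" * 33),     # swapped: differs from what was copied
    ClipboardEvent("user_copy", "meeting notes"),
    ClipboardEvent("paste", "meeting notes"),    # not an address: ignored
]

if __name__ == "__main__":
    for alert in audit_clipboard(SAMPLE_EVENTS):
        print("clipboard swap suspected:", alert)
```

In a real deployment the events would come from an OS clipboard hook rather than a list, and the wallet application would refuse to submit a transaction while an alert is outstanding.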