Evrial is a cryptocoin malware stealer which takes control of the clipboard to get “easy money”.
ElevenPaths has taken a deep technical dive into the malware itself, to show how it technically works, with a quite self-explanatory video. Aside, we have followed the steps of its Russian creator and found that his scam has been targeting other scammers themselves.
By the end of 2017, CryptoShuffle was a malware sample capable of reading the clipboard and modifying cryptocurrency addresses found there. Later, someone realized that there could be some business on providing these features as a service and started to sell the platform itself calling it “Evrial”. The product was formed by a .NET malware sample capable of stealing passwords from browsers, FTP clients, Pidgin and it could also modify the clipboard on the fly so as to change any copied cryptocurrency address to whatever address he wanted to.
Evrial allows the attacker to control it all from a comfortable panel where the stolen data can be easily explored. When the attacker buys the application, he can set his “name” for logging into the panel which will be hardcoded in the code, so that the shipped Evrial version is unique for him.
When you want to make a Bitcoin transfer, you usually copy and paste the destination address. In this sense, the attacker waits until the user, trusting in the clipboard action, sends a new transaction to the copied cryptocurrency address, without knowing that the recipient’s address has been silently modified to one that belongs to the attacker. The malware performs this task in the background for different types of address including Bitcoin, Litecoin, Ethereum and Monero addresses as well as for Steam identifiers and Webmoney WMR and WMZ units.
The author exposes his username in Telegram: @Qutrachka. The account is in the source code in order to be able to contact him. Using this information and some other analysed samples, it has been possible to identify users in different deep web forums under the name Qutra whose main objective: sell this malicious software. There are also evidences that CryptoSuffer malware was linked to the same threat actor after identifying a publication in Pastebin explaining the functionalities of this family and published under the same user.
We are able to guess how much it is in every wallet. He has received a total of 21 transactions into the Bitcoin wallet, supposedly from his victims, collecting approximately 0.122 BTC. If ransomware wallets usually receive the same amount from its victims, here the range is wider because the legitimate payments that the victim wants to do are, of course, of different amounts.
The attacker has moved all the money to several addresses to try to blur the trail of his payments. The attacker has received 0.0131 Litecoins as well, but this amount is still available in his wallet. On the other hand, it has not been possible to track any payments related to his Monero account because of how this technology works so as to hide the information of which parties have been involved in each operation. At the same time, we could not find out any additional information linked to his various Webmoney accounts (WMR and WMZ). Anyway, what is clear is that this type of malicious behavior is technically viable while it is being used in the wild.
About the Author:
(Security Affairs – Evrial , cryptocoin malwarehackers)