ComboJack Cryptojacking

The ComboJack software is a Trojan that is used for crypto-jacking on Windows-powered machines. The term crypto-jacking is comprised of two words — cryptocurrency and hijacking — meaning that it is an operation where digital money is hijacked in the process. There are two main types of crypto-jacking. The first involves injecting code on a site that exploits the processors on the computers of site visitors. The second case involves infecting PC users with a CPU/GPU miner that runs in the system background. An example for the first case is the Minr Cryptojacking campaign while the Securedisk.exe CPU Miner can represent the second case.

How is ComboJack Transmitted to Users?

The people behind the ComboJack malware are reported to send waves of spam messages that invite users to open a PDF file and check if they are not the owner of a lost passport. The misleading PDF file includes a particular macro script that is executed by Windows automatically. The script tells Windows to connect to a remote server, download the ComboJack Trojan and run it. The operation does not manifest warnings, desktop notifications on the user screen or sounds.

How ComboJack Cryptojacking Works?

It is important to make the distinction that it collects crypto-money — it does not mine on its own. The ComboJack Trojan is designed to enable third parties to hijack funds from the digital wallets of users that may have invested in Bitcoin, Monero, Ethereum and Litecoin. Once, the ComboJack Trojan is loaded into the system it waits for the user to open a cryptocurrency market and wallet containers. Whenever the infected user tries to transfer money, ComboJack would edit the content saved in the clipboard. If you are familiar with cryptocurrencies and digital wallets you are likely to know that the wallet addresses are inconveniently long and feature a string of random letters and numbers. It is not possible for most users to remember them and that is why these addresses are usually copied in the clipboard.

This is where we come back to how the ComboJack Trojan works. The malware is designed to alter the copied addresses and make sure the user is provided with a different paste code. Researchers discovered that ComboJack interprets the addresses in the clipboard and recognizes what type of cryptocurrency is used for transfers by monitoring the length of the text and the starting letter or number.

Are You Infected with ComboJack?

It is hard to say how many users have been compromised by the ComboJack malware because it has many versions and there is no unified network for gathering that data type. It is possible that ComboJack may have entered a few hundred computers or more. As mentioned above, the infection with ComboJack is not likely to manifest visual and auditory clues except for the modified pasted addresses. You should make sure to double-check the payment forms where you paste wallet addresses and avoid spam emails to minimize the risk of losing money to the ComboJack crypto-jacking campaign. It is a good idea to run regular scans with a trusted anti-malware service so that you can monitor your PC’s health.