CryptoShuffler Cryptojacking

CryptoShuffler is a Trojan that was detected by AV engines in August 2016 and was reported to receive significant updates in June 2017. Parts of the code associated with the CryptoShuffler malware may have been used in the development of a similar Trojan called ComboJack that we covered in May 2018. The CryptoShuffler Trojan is reported to affect people who are heavily invested in mining cryptocurrencies. Malware authors might use ads, spam emails and referral programs associated with mining digital coins to deploy the CryptoShuffler program to users.

CryptoShuffler Has a Straightforward Model of Operation

The CryptoShuffler Trojan is not primarily set up to collect crypto-money from infected users. CryptoShuffler functions in a simple way and capitalizes on the fact that when you transfer funds in Bitcoin, among other currencies, you work with long wallet addresses, and most users just copy and paste those addresses into payment forms. The crypto-jacking model employed by CryptoShuffler involves monitoring the clipboard and modifying the copied data in real time, seconds before the compromised user pastes it as a wallet address. CryptoShuffler is designed to run in the system background, and it may inject code into the legitimate ‘svchost.exe’ process on Windows to avoid detection.

The CryptoShuffler malware keeps track of what programs are opened by the user, and whether the user is visiting a cryptocurrency platform on the Internet. Whenever CryptoShuffler detects that the user has copied a long string of characters, it compares the string to known identification codes for Bitcoin, Ethereum, Zcash, Monero, Dash and Dogecoin. Once CryptoShuffler has determined what type of address was copied, it retrieves a corresponding wallet address from its ‘Command and Control’ server so that it can provide the infected user with a new wallet address. Inattentive users may not notice that a program has modified the wallet address, which they believe to match the one they copied.

How to Protect Your PC against the CryptoShuffler Cryptojacking

Compromised users might end up transferring their money to a wallet address controlled by the people behind the CryptoShuffler Cryptojacking campaign. PC users are advised to always double-check pasted wallet addresses. You should install a trusted anti-malware shield and avoid using pirated software that might install CryptoShuffler onto your machine. Also, make sure the Internet browser you use to manage your cryptocurrencies is the latest version, and you may want to install the uBlock app from h[tt]ps://www.ublock[.]org that is known to block corrupted advertisements and JavaScript-based crypto-jackers.
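
The clipboard swap described above leaves a recognizable trace: a wallet address on the clipboard is replaced, moments later, by a different address of the same currency. The following Python sketch is an added example, not code from CryptoShuffler or from any security product; the address patterns are simplified, and the event list, function names and 5-second window are assumptions made for illustration.

```python
import re

# Simplified address shapes (assumption: coarse patterns for labelling only,
# not full validation) for three of the currencies the article lists.
ADDRESS_SHAPES = {
    "bitcoin": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "dogecoin": re.compile(r"D[1-9A-HJ-NP-Za-km-z]{33}"),
}

def address_kind(text):
    """Return the currency whose address shape the whole string matches, else None."""
    value = text.strip()
    for kind, shape in ADDRESS_SHAPES.items():
        if shape.fullmatch(value):
            return kind
    return None

def find_swaps(events, window=5.0):
    """Flag clipboard changes where one address replaces a different address
    of the same currency within `window` seconds (hypothetical threshold)."""
    alerts = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        kind = address_kind(before)
        if (kind and kind == address_kind(after)
                and before.strip() != after.strip()
                and t1 - t0 <= window):
            alerts.append({"time": t1, "kind": kind, "copied": before, "now": after})
    return alerts

def paste_matches(copied, pasted):
    """The double-check advised above, done as an exact comparison."""
    return copied.strip() == pasted.strip()

# Constructed clipboard history: (seconds, clipboard text). Not real addresses.
SAMPLE_EVENTS = [
    (0.0, "invoice 4471"),
    (12.0, "0x" + "1a" * 20),   # user copies the payee address
    (12.4, "0x" + "2b" * 20),   # clipboard changes 0.4 s later with no new copy
    (90.0, "meeting notes"),
    (200.0, "0x" + "3c" * 20),  # user copies another address
    (900.0, "0x" + "4d" * 20),  # much later, a different one: outside the window
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(f"[!] {alert['kind']} address replaced at t={alert['time']}s: "
              f"{alert['copied']} -> {alert['now']}")
```

Run on the constructed history, only the change at 12.4 seconds is flagged; the two addresses copied minutes apart are not.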
