Trojanized Tor installers are being used to spread malware.
The malware is targeting users in Eastern Europe.
Clipper malware variants are known for evading security tools by staying inactive unless the clipboard data meet specific criteria.
- If the clipboard contains text, this variant scans its contents with a set of embedded regular expressions.
- If it finds a match, the matched text is replaced with a randomly chosen address. Each sample has thousands of possible replacement addresses.
- The malware could be disabled by using a hotkey combination.
- Researchers stated they had recorded roughly 16,000 detections in 52 countries, most of which were in Russia and Ukraine. Other countries where the detections have been tracked are:
  - the U.S.,
  - Germany,
  - France,
  - China,
  - the Netherlands,
  - the U.K.,
  - Uzbekistan, and
  - Belarus.
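
The clipboard behaviour described above (a regular-expression match followed by a swap to a different address) can be checked for at paste time. The following Python check is an added example, not code from the researchers' report; the address formats and the names `classify`, `check_paste` and `audit` are assumptions, since the page does not list the patterns embedded in the samples.

```python
import re

# Assumed address formats for illustration (format only, no checksum check).
WALLET_PATTERNS = {
    "btc_base58": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc_bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def classify(text):
    """Return the format name if the whole string is a single address."""
    candidate = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return name
    return None

def check_paste(copied, pasted):
    """Compare the text the user copied with the text that was pasted.

    'ok'          : identical text
    'substituted' : both are addresses of the same format but differ,
                    which is what a clipper swap looks like
    'changed'     : the text differs in some other way
    """
    if copied.strip() == pasted.strip():
        return "ok"
    src, dst = classify(copied), classify(pasted)
    if src is not None and src == dst:
        return "substituted"
    return "changed"

def audit(events):
    """Return the indexes of (copied, pasted) pairs that look substituted."""
    return [i for i, (c, p) in enumerate(events)
            if check_paste(c, p) == "substituted"]

# Constructed sample values: correct shape only, not real wallets.
BTC_A = "1" + "A" * 33
BTC_B = "1" + "B" * 33
ETH_A = "0x" + "ab" * 20
ETH_B = "0x" + "cd" * 20
SAMPLE_EVENTS = [(BTC_A, BTC_A), (BTC_A, BTC_B), ("hello", "world"),
                 (ETH_A, ETH_B), (BTC_A, ETH_A)]

if __name__ == "__main__":
    print(audit(SAMPLE_EVENTS))
```

Because each sample carries thousands of replacement addresses, the check compares the format of the pasted value with the copied one and does not rely on a list of known attacker addresses.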