Trojan \u2018Trojan.CBHAgent\u2019 is using these Windows API\u2019s to manipulate the clipboard data.<\/p>\n It is a dropped DLL on victims system that will be run using rundll32.exe, a DLL host, with below command line.<\/p>\n $> C:\\WINDOWS\\system32\\rundll32.exe “C:\\Documents and Settings\\Administrator\\Desktop\\Sample\\CBHAgent.dll”,includes_func_runnded<\/i><\/em><\/p>\n Here \u2018includes_func_runnded\u2019 is an exported function which performs the clipboard monitoring. Also, for preventing its analysis, the author checked whether it is being run in virtual machine or not. Trojan is also exported \u2018detection_VMx\u2019 function to use it as anti-VM check.<\/p>\n Looking at its file structure, it is found that the Trojan sample is packed with PECompact packer to make analysis more difficult. List of bitcoin addresses which are to be\u00a0pasted, are present in resource of file as plain text. More than 2.3 million bitcoin addresses are listed out in the file. All these addresses are sorted so that it would help while searching the target bitcoin address.<\/p>\n This resulted the file size to 80 MB.<\/p>\n On execution, it starts monitoring clipboard data continuously and checks if there is any like bitcoin address. For validation, it uses regular expression. Once matched, it will be replaced\u00a0with\u00a0a address present in the list.\u00a0The Trojan is not affecting any data other than bitcoin addresses.<\/p>\n This malware runs in the background so users are not easily able to identify that system is infected by Trojan.CBHAgent. We strongly recommend you to double check bitcoin address while doing any bitcoin transaction. The trojan also ensures its persistence in the system by creating a copy in %TEMP% directory and adding its\u00a0run entry in registry. It creates a mutex with name as \u2018MODULE_DXDIAG_1\u2019.<\/p>\n Quick Heal detects the Trojan as \u2018Trojan.CBHAgent.S3076164\u2019.<\/p>\n I<\/b><\/strong>ndicator of <\/b><\/strong>compromise<\/b><\/strong>:<\/b><\/strong><\/p>\n 48b66dd02a336eb049a784b3fd1beb5312fb8c078b3729d49e92e3e986c98e91<\/p>\n Conclusion:<\/b><\/strong><\/p>\n This malware would attract the other malware authors for exploiting clipboard. In recent future, similar attacks can be observed. So, we should always be careful about the activities which are most common in our day to day life. Malware authors are playing with mentality of the human being and making more sophisticated versions of their payload.<\/p>\n Other preventive measures that should be taken:<\/b><\/strong><\/p>\n – Always use security software with the latest updates.<\/p>\n – Whenever possible, manual verification should be done to prevent the big loss.<\/p>\n – Install third party software as per your need only. Unwanted applications can be a source of malware.<\/p>\n – Operating system patches are applied on time and installed software are up-to-date.<\/p>\n – Avoid clicking on links and downloading attachments in emails from unknown sources.<\/p>\n Subject Matter Experts:<\/strong><\/p>\n Pandurang Terkar\u00a0| Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":" How often do you store your important data in files? It\u2019s very common, right? This data may be URLs, topics, personal data like contacts, email-ids, usernames of different portals and sometimes passwords too (though always recommended to not to do so). We very casually copy this data and paste it in respective applications. In the […]<\/p>\n","protected":false},"author":47,"featured_media":86536,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1613,24,5],"tags":[719],"class_list":["post-86531","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptojacking","category-malware","category-security","tag-bitcoin"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86531"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/47"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=86531"}],"version-history":[{"count":13,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86531\/revisions"}],"predecessor-version":[{"id":86551,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86531\/revisions\/86551"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/86536"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=86531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=86531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=86531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Trojan.CBHAgent_ClipboardAPIs-300x32.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Trojan.CBHAgent_BitCoinAddressList-194x300.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Trojan.CBHAgent_RegularExpressionCheck-2-300x185.png\")