A new information-stealing Trojan called Evrial is being sold on criminal forums and actively distributed in the wild. Like most infostealing Trojans, Evrial can steal browser cookies and stored credentials, but this Trojan can also monitor the Windows clipboard for certain text and, if that text is detected, replace it with something else.
Evrial was first discovered and tracked by security researchers MalwareHunterTeam and Guido Not CISSP. By monitoring the Windows clipboard for certain strings, it makes it easy for attackers to hijack cryptocurrency payments and Steam trades. This is done by replacing legitimate payment addresses and URLs with addresses under the attacker’s control.
Fresh Evrial sample (at 8/67): https://t.co/ClNOvw2GbS
Interesting that previous versions had 20-30 (or more after some time on VT) detections, with only 2 features. Now it has all the features from Reborn Stealer (previously Ovidiy), and now it’s under 10…
— MalwareHunterTeam (@malwrhunterteam) January 16, 2018
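The clipboard replacement described above leaves a recognizable trace: one payment string is followed almost immediately by a different string of the same kind. The following detection sketch is an added example, not code from the article or the researchers; the two patterns, the 2-second threshold and the snapshot format are assumptions, and the sample data is constructed.

```python
import re

# Assumed patterns: the article only says "payment addresses and URLs".
PATTERNS = {
    "btc_address": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "steam_trade_url": re.compile(
        r"https://steamcommunity\.com/tradeoffer/new/\?partner=\d+&token=[\w-]+"),
}

def classify(text):
    """Return the kind of payment string the clipboard holds, or None."""
    text = text.strip()
    for kind, pattern in PATTERNS.items():
        if pattern.fullmatch(text):
            return kind
    return None

def find_swaps(snapshots, max_gap=2.0):
    """Flag consecutive snapshots where a payment string was replaced by a
    different string of the same kind within max_gap seconds (assumed
    threshold: a user rarely copies two addresses that quickly)."""
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        kind = classify(before)
        if (kind and kind == classify(after)
                and before.strip() != after.strip()
                and t1 - t0 <= max_gap):
            alerts.append({"time": t1, "kind": kind,
                           "copied": before.strip(), "now": after.strip()})
    return alerts

# Constructed snapshots: (seconds, clipboard text). Addresses are fake filler.
ADDR_A = "1" + "A" * 33
ADDR_B = "1" + "B" * 33
SAMPLE = [
    (0.0, "meeting notes"),
    (5.0, ADDR_A),
    (5.4, ADDR_B),  # replaced 0.4 s after the copy: flagged
    (60.0, "https://steamcommunity.com/tradeoffer/new/?partner=111&token=aaaa"),
    (61.0, "https://steamcommunity.com/tradeoffer/new/?partner=222&token=bbbb"),
    (300.0, ADDR_A),  # different kind from the previous snapshot: not flagged
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE):
        print(alert)
```

The same comparison works as a manual habit: check the pasted address against the one that was copied before confirming a payment or trade.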
Evrial being sold on criminal forums
According to MalwareHunterTeam, Evrial is currently being sold on Russian criminal forums for 1,500 Rubles or ~ $27 USD. In the advertisement, the seller states that after purchasing the product, an attacker gains access to a web panel that allows them to build an executable. This web panel also keeps track of what clipboard modifications have taken place and allows an attacker to configure what replacement strings should be used.
Included in the advertisement are some sample screenshots of the web panel as shown…