Threat Actors Striking Back with Financial Malware
In a recent blog, Cyble Research Labs (CRL) has highlighted an International Bank Account Number (IBAN) Clipper Malware after identifying a Threat Actor (TA) on a cybercrime forum offering monthly subscription-based services of clipper malware targeting Windows operating systems.
IBAN is an internationally agreed system developed to identify an overseas bank account. A Clipper malware targets a victim’s clipboard to perform unauthorized swapping operations by replacing the victim’s data with the TA’s data for the purpose of carrying out financial theft.
Most popular clippers target crypto transactions where the malware swaps the victim’s crypto address with the TA’s crypto address and tricks unsuspecting victims into sending money to the TA’s crypto address. Similarly, IBAN clipper targets bank account numbers. The figure below shows the post made by the TA on a cybercrime forum.
Technical Analysis
Sample SHA256: cf12c493db3e63cc7556abf37c4b72dc0b9f2d0673325e4908248621102c9a66
The IBAN Clipper sample analyzed in this blog is a 32-bit .NET-based binary targeting Windows-based operating systems.
The clipper imports the User32 library and uses the AddClipboardFormatListener method to monitor changes in the victim’s clipboard.
IBAN Clipper uses a multithreading approach for rapid clipper operation. It then extracts the clipboard data using the Clipboard.GetText() method, which retrieves text data from the clipboard in ASCII Text or UnicodeText format, depending on the operating system.
The clipper uses the below regular expression for identifying the IBAN in the victim’ clipboard:
- \\b(ES[0-9])[0-9]{20,26}\\b
If an IBAN is identified in the clipboard, the clipper will replace it with the number specified by the TA. The clipper malware fetches the IBAN details from a text file hosted on the TA’s remote server.
Persistence
Our research indicated that the clipper identifies it’s executable path using the getexecutingassembly().location method and copies itself in the Window’s startup folder causing it to automatically execute when the user logs in.
The clipper adds the following registry values under the key.
“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”:
- Microsoft Store
- Skype Web
The “Microsoft Store” Value contains the path of clipper binary from where it was executed initially, and “Skype Web” Value contains the path of startup folder where the clipper binary was copied in the above step. Adding entries to the “Run” key enables the operating system to execute these clippers automatically when the system restarts.
The figure below shows the new values added to the registry key for persistence.
Conclusion
While CRL continues its active monitoring for emerging threats, we observe multiple TAs developing more malware to carry out financial cybercrime. The IBAN Clipper malware is successful in its attempts to carry out fraudulent financial transactions only if the victim copies the bank account number during a transaction. The TA has also incorporated a feature of retrieving the bank account number from remote sites, making this clipper more sophisticated, stealthy, and capable, further enabling the TA to update the bank account number without altering the clipper payload.
Our Recommendations:
- Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., often contains such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204 | User Execution |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder |
| Credential Access | T1555 T1539 T1552 T1528 | Credentials from Password Stores Steal Web Session Cookie Unsecured Credentials Steal Application Access Token |
| Collection | T1115 | Clipboard Data |
| Command and Control | T1071 | Application Layer Protocol |
| Impact | T1565.002 | Data Manipulation: Transmitted Data Manipulation |
Indicators of Compromise (IoCs):
| Indicators | Indicator type | Description |
| 6a977e7f362dc2d3ee994f91782624d1 ea5959210ba650b918deffd39874eba7b485ac75 cf12c493db3e63cc7556abf37c4b72dc0b9f2d0673325e4908248621102c9a66 | MD5 SHA1 SHA256 | Payload |
