Pure Clipper Malware

Fileless Pure Clipper Malware: Italian users in the crosshairs

CRIL analyzes a phishing site targeting Italian-speaking users with fileless Pure Clipper malware.

Key Takeaways

  • A Threat Actor (TA) was observed using a Tor Browser phishing website to target Italian-speaking users.
  • The executable, downloaded from the phishing site, is a .Net binary obfuscated with SmartAssembly. It acts as a dropper, deploying both a legitimate Tor Installer and the malicious “Pure Clipper” payload.
  • Pure Clipper was developed by the same TA who was behind PureLogs.
  • Alibaba2044, a TA known for repeatedly targeting Italy, was previously identified using PureLogs in spam campaigns during 2022. We believe the same TA could be behind this operation as well.
  • This TA has used PureCrypter as a loader and a crypter for the Clipper payload. It utilizes a fileless malware technique by storing its binary data in the Windows Registry, enhancing its stealth and persistence.
  • The creation of a Task Scheduler entry ensures the malware’s continuous operation in the background, running a Base64-encoded PowerShell script to retrieve and execute the binary data stored in the Registry.
  • The clipper interacts with the Command and Control (C&C) when a user copies or pastes a cryptocurrency address. It swaps the address with the attacker’s address and captures a screenshot, sending both addresses and the screenshot to the TA’s Discord webhook for exfiltration.
  • Cyble Research and Intelligence Labs (CRIL) also encountered an incident in which a TA used the same phishing site to target fellow TAs on a cybercrime forum with an InfoStealer.

Overview

In a recent investigation, CRIL identified an operation run by a Threat Actor (TA) through a deceptive phishing site that imitated the official Tor Project website. The TA was spreading Pure Clipper through this site.

Clipper is a type of malware that’s designed to steal or manipulate cryptocurrency-related data, particularly cryptocurrency wallet addresses. Clipper malware typically operates by monitoring the user’s clipboard, where copied information is temporarily stored. When it detects a cryptocurrency wallet address being copied (e.g., a Bitcoin or Ethereum address), it replaces that address with an address controlled by the attacker. As a result, if the user pastes the manipulated address when making a cryptocurrency transaction, the funds get sent to the attacker’s wallet instead of the intended recipient.

Pure Clipper is created by the TA known as “PureCoder,” who was also behind PureLogs. PureCoder maintains a website where they actively advertise and sell a range of malicious software catering to diverse cybercriminal operations, including miners, information stealers, VNC (Virtual Network Computing) tools, and crypters.

Pure Clipper is available for purchase on a lifetime subscription model priced at $99. The figure below shows the PureCoder site.

Figure 1 – Pure Clipper Shop

This phishing campaign incorporates various techniques, including droppers, obfuscators, crypters, fileless malware, crypto address theft, and exfiltration via Discord. Notably, the TA specifically targeted Italian-speaking users, as evident from the phishing site’s default language.

This investigation identified a series of notable findings. The TA employed a .NET dropper concealed by SmartAssembly, which included both a legitimate Tor Installer and a PureCrypter binary, which acts as a loader and crypter for the Pure Clipper payload. The Clipper is designed to steal cryptocurrency addresses, interacting with the TA’s Command and Control (C&C) system through Discord. The operation showcased persistence through Registry manipulation and Task Scheduler entries, ensuring continuous background activity.

Further analysis uncovered cryptocurrency addresses, likely linked to the TA, involved in recent transactions, indicating successful receipt of payments from multiple victims. Additionally, a noteworthy development revealed a TA-on-TA attack within a cybercrime forum, where the phishing site was leveraged to deploy an InfoStealer, exemplifying the TA’s aggressive tactics within the threat landscape.

Attributions

Alibaba2044, a TA known for repeatedly targeting Italy, was previously identified using PureLogs in their spam campaigns throughout 2022. In 2023, researchers from Uptycs reported on a campaign that bore similarities to these earlier activities. These findings raise the possibility that the same TA, Alibaba2044, might be the driving force behind this current operation as well, targeting Italy. The TA’s consistent use of specific tools and tactics suggests a connection between these separate campaigns.

Initial Infection

The initial infection starts with the phishing site hxxps[:]//torprojectdownloadfree[.]site, which impersonates the official Tor Project website, replicating its design, layout, and content. The site’s default language is Italian. It offers an option to change the language, but selecting another language returns a 404 error, suggesting the TA is targeting Italian-speaking users exclusively.

The site offers what appears to be the Tor installer for download. The file is in fact a malware dropper: rather than installing only the genuine Tor software, it also plants malicious software on the user’s device.

Figure 2 – Phishing Site

We also came across a post on a cybercrime forum where a TA shared a phishing link on the same site: hxxps[:]//torprojectdownloadfree[.]site/confset.exe. This link served an InfoStealer, suggesting that the TA may have been targeting other TAs on the forum. Upon further investigation, we found that this payload was hosted only at that specific URL and is not served by merely visiting the phishing site.

Figure 3 – Post on Cybercrime Forum

Technical Analysis

Dropper

The executable downloaded from the phishing site is a .Net binary (SHA256: fbfa233f980042bb92c121e38d9307ef9d48e842fa7c9bda09d9f89479df7771) and has been obfuscated with SmartAssembly, a tool designed for obfuscating .Net files. This executable serves as a dropper, housing two files within its resources, as depicted in the figure below.

Figure 4 – Embedded Files

On execution, it extracts the files from its resources and drops them under the following names in the %temp% directory:

  • torbrowser-install-win64-12.5.3_ALL.exe: Clean Tor Installer file
  • ScHoster.exe: PureCrypter Loader

The figure below shows the WriteFile and Process Create operations performed by this dropper.

Figure 5 – Operations performed by the Dropper

After dropping the files in the %temp% directory, it launches the clean Tor installer in the foreground and runs the clipper loader in the background, so the user sees only the expected installation. The figure below illustrates the Tor installer.

Figure 6 – Tor Installer

Pure Clipper

First Stage

The dropped ScHoster.exe is a .NET loader that carries a GZip-compressed stream containing a byte-reversed DLL. It decompresses the stream, reverses the byte order, and executes the result directly without writing it to disk, as shown in the figure below.

Figure 7 – Decompresses the embedded DLL

The loader calls Assembly.Load() on the recovered bytes to run the second-stage DLL at runtime, so the DLL never touches disk; this is what keeps the stage stealthy. The figure below illustrates the method used for runtime execution of the DLL.
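The loader’s two-step transform is easy to undo statically once the GZip resource has been dumped from ScHoster.exe (for instance with a .NET resource extractor). The script below is an added example written for this article, not code from the sample or from PureCoder: it gunzips the blob, reverses the byte order, and checks for a PE header before writing the DLL out. The fixture builder and the fake PE image are constructed only for the self-test, and the resource file name is an assumed command-line argument.

```python
import gzip
import sys


def is_pe(data: bytes) -> bool:
    """True when data carries a DOS 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def unpack_reversed_gzip(blob: bytes) -> bytes:
    """Undo the first-stage transform described above: gunzip, then reverse the bytes."""
    return gzip.decompress(blob)[::-1]


def pack_like_loader(dll: bytes) -> bytes:
    """Forward transform (reverse, then gzip). Used here only to build a test fixture."""
    return gzip.compress(dll[::-1])


def fake_pe_image() -> bytes:
    """Constructed stand-in for Ovsfnx.dll: a minimal MZ/PE header plus padding."""
    header = b"MZ" + b"\0" * (0x3C - 2) + (0x40).to_bytes(4, "little")
    return header + b"PE\0\0" + b"\x90" * 64


def extract(resource_path: str, out_path: str) -> bool:
    """Read a dumped resource, unpack it, and write the DLL if it looks like a PE."""
    with open(resource_path, "rb") as f:
        dll = unpack_reversed_gzip(f.read())
    if not is_pe(dll):
        # Wrong transform order (or a different crypter build) leaves no MZ header.
        return False
    with open(out_path, "wb") as f:
        f.write(dll)
    return True


if __name__ == "__main__":
    # Usage: python unpack_stage1.py <dumped_resource.bin> <out.dll>
    ok = extract(sys.argv[1], sys.argv[2])
    print("PE written" if ok else "no PE header after unpacking; check transform order")
```

The PE check matters because the order of the two operations is the only thing that distinguishes this packer variant from one that reverses first and compresses second; a blob that does not start with "MZ" after unpacking means the order is wrong, not that the resource is undamaged.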

Figure 8 – Executes DLL on runtime

The figure below shows the DLL named “Ovsfnx.dll” loaded in runtime.

Figure 9 – Ovsfnx.dll

Second Stage

The second-stage DLL (Ovsfnx.dll) is the Pure Clipper payload, obfuscated using PureCrypter. PureCrypter is a fully featured loader created by the TA known as “PureCoder.” It has been actively developed and advertised for sale since at least March 2021 and is available on PureCoder’s website for $59. The loader is primarily used to distribute various types of malware, including remote access trojans (RATs) and information stealers.

PureCrypter uses obfuscation techniques, such as SmartAssembly, to protect its code and evade detection. It also employs the use of reversed, compressed, and encrypted payloads to make it harder for antivirus engines to identify the malware. The figure below shows the PureCoder site.

Figure 10 – PureCoder Site

On execution, it processes multiple resources embedded in the second-stage DLL. One of these resources, named “6XSFUHcqsXNKPHEYxE.ZiCerlvdDMR9CjDAIv”, highlighted in the figure below, contains the Pure Clipper data file.

Figure 11 – Pure Clipper Data File

The data file contains the following items, which are essential to the clipper’s operation:

  • Regular Expressions to detect Crypto Addresses
  • Base64 encoded TA’s crypto addresses
  • Base64 encoded Discord webhook URL
  • PowerShell script

Figure 12 – Pure Clipper Data File

Pure Clipper targets at least the ten cryptocurrencies listed below and uses the following regular expressions to identify their addresses in the clipboard. When a match is found, the clipper replaces the address with the attacker’s address for that currency.

Cryptocurrency   RegEx
Bitcoin          \b(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,42}\b
Ethereum         \b0x[a-fA-F0-9]{40}\b
Monero           \b(4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b)
Litecoin         \b[LM][a-km-zA-HJ-NP-Z1-9]{26,33}\b
Stellar          \bG[0-9a-zA-Z]{55}\b
Ripple           \bR[0-9a-zA-Z]{33}\b
Dogecoin         \bD{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}\b
Bitcoin Cash     \b((bitcoincash|bchreg|bchtest):)?(q|p)[a-z0-9]{41}\b
Cardano          \b([1-9A-HJ-NP-Za-km-z]{104}|addr1[a-z0-9]{98})\b
Tron             \bT[A-Za-z1-9]{33}\b
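To see how these patterns behave on real clipboard contents, the following simulation (an added example for this article, not code from the sample) runs the ten regular expressions in the order of the table and performs the swap the clipper performs. The attacker wallets and the sample clipboard strings are constructed for the example and are not the addresses recovered from the data file; the rule that an address with no replacement wallet is left untouched is an assumption of this simulation, since the sample’s data file carried only a Bitcoin and an Ethereum address.

```python
import re

# The ten patterns from the table above, in the same order; the first hit wins.
PATTERNS = [
    ("Bitcoin", r"\b(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,42}\b"),
    ("Ethereum", r"\b0x[a-fA-F0-9]{40}\b"),
    ("Monero", r"\b(4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b)"),
    ("Litecoin", r"\b[LM][a-km-zA-HJ-NP-Z1-9]{26,33}\b"),
    ("Stellar", r"\bG[0-9a-zA-Z]{55}\b"),
    ("Ripple", r"\bR[0-9a-zA-Z]{33}\b"),
    ("Dogecoin", r"\bD{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}\b"),
    ("Bitcoin Cash", r"\b((bitcoincash|bchreg|bchtest):)?(q|p)[a-z0-9]{41}\b"),
    ("Cardano", r"\b([1-9A-HJ-NP-Za-km-z]{104}|addr1[a-z0-9]{98})\b"),
    ("Tron", r"\bT[A-Za-z1-9]{33}\b"),
]
COMPILED = [(name, re.compile(rx)) for name, rx in PATTERNS]

# Placeholder replacement wallets (constructed, not the sample's). The data file
# carried only a Bitcoin and an Ethereum address, so that is all the swap knows about.
ATTACKER = {
    "Bitcoin": "bc1q" + "z" * 35,
    "Ethereum": "0x" + "ff" * 20,
}


def classify(text):
    """Return (currency, matched_address) for the first pattern that hits, else None."""
    for name, rx in COMPILED:
        m = rx.search(text)
        if m:
            return name, m.group(0)
    return None


def swap_clipboard(text, attacker=ATTACKER):
    """Simulate the clipper on one clipboard update; returns (new_text, currency).

    Assumption for this example: an address whose currency has no replacement
    wallet in `attacker` is left untouched.
    """
    hit = classify(text)
    if hit is None:
        return text, None
    name, addr = hit
    if name not in attacker:
        return text, None
    return text.replace(addr, attacker[name]), name


# Constructed clipboard contents shaped like valid addresses (not live wallets).
SAMPLES = [
    "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
    "send 1 ETH to 0x" + "ab" * 20,
    "LbTkD3mXzRoJ7qH4yWsN2fE8vA5uC6pG9",
    "TbTkD3mXzRoJ7qH4yWsN2fE8vA5uC6pG9x",
    "meeting at 10:30",
]

if __name__ == "__main__":
    for s in SAMPLES:
        new, coin = swap_clipboard(s)
        print(f"{coin or '-':13} {s!r} -> {new!r}")
```

Note that the patterns only constrain shape (prefix, alphabet, length) and do not verify checksums, so the clipper will happily rewrite anything that looks like an address; the same looseness is useful defensively, because a clipboard monitor that re-runs these expressions can detect a swap simply by observing that the matched address changed between the copy and the paste.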

In the data file, we identified two cryptocurrency addresses, one Bitcoin and one Ethereum, which may be associated with the TA. Both had received numerous recent deposits, which may be transfers from victims, suggesting that the TA has successfully collected cryptocurrency from multiple victims. The figure below shows the TA’s Bitcoin transaction history.

Figure 13 – TA’s Bitcoin Transaction History

The figure below shows the TA’s Ethereum transaction history.

Figure 14 – TA’s Ethereum Transaction History

Persistence

The PureCrypter loader employs a Registry-based technique for stealth and persistence. It first creates the Registry key HKEY_CURRENT_USER\SOFTWARE\dabbj and stores the bytes of ScHoster.exe, in reverse order, in the Registry value “ehac”. Because the executable then lives in the Registry rather than on disk, this is commonly referred to as a “fileless” technique. The figure below shows the Registry key created by the loader.

Figure 15 – Add Binary Data to the Registry Key

After storing the payload in the Registry, the crypter creates a Task Scheduler entry named “ehac.” This task executes the following command after a delay of one minute, and it continues to run indefinitely until the user logs out of the system:

  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc {base64encoded PowerShell script}

This command runs a Base64-encoded PowerShell script that retrieves the binary data written to the Registry in the previous step. The flags hide the PowerShell window (-WindowStyle Hidden), bypass the execution policy (-ExecutionPolicy Bypass), skip loading the user’s profile (-NoProfile), and keep the process alive after the script finishes (-NoExit). By creating a Task Scheduler entry that runs this command after a one-minute delay, the clipper ensures continuous operation in the background.

The figure below shows the task scheduler entry.

Figure 16 – Task Scheduler Entry

The base64 encoded PowerShell script used in the task scheduler entry actually retrieves the ScHoster.exe binary from the Registry, reverses it to its original order, loads it as an assembly, and then executes it. The figure below shows the decoded PowerShell script.

Figure 17 – PowerShell Script
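A responder who finds a task like this can triage it from its XML export (schtasks /Query /TN ehac /XML) without executing anything. The script below is an added example for this article, not the actual decoded script from Figure 17 or code from the sample: it decodes the -Enc argument (Base64 over UTF-16LE, which is what powershell.exe -EncodedCommand expects), then flags the hidden window, the policy bypass, any Registry hive path the script reads, and the reflective assembly load. The task XML and the three-line PowerShell script inside it are constructed to resemble the behaviour described above; the real script’s exact wording is not known from the page.

```python
import base64
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed reconstruction of the kind of script the article describes (not the
# decoded script from Figure 17): read the value, reverse it, load it as an assembly.
SAMPLE_SCRIPT = r"""$b = (Get-ItemProperty -Path 'HKCU:\SOFTWARE\dabbj').ehac
[array]::Reverse($b)
[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null, $null)"""


def encode_command(script: str) -> str:
    """powershell -EncodedCommand takes Base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(arguments: str):
    """Pull the Base64 blob after -Enc/-EncodedCommand/-E and decode it, or None."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", arguments, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def build_sample_task(encoded: str) -> str:
    """Constructed task XML carrying the command line quoted in the article."""
    return (
        '<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<RegistrationInfo><URI>\\ehac</URI></RegistrationInfo>"
        '<Actions Context="Author"><Exec>'
        "<Command>C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe</Command>"
        "<Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc "
        + encoded + "</Arguments></Exec></Actions></Task>"
    )


REG_PATH = re.compile(r"HK(?:CU|LM|CR|U|CC|EY_[A-Z_]+):?\\[^\s'\"]+")


def triage_task(xml_text: str) -> dict:
    """Describe a scheduled task whose action may be a hidden, encoded Registry loader."""
    root = ET.fromstring(xml_text)
    exec_el = root.find(f"{TASK_NS}Actions/{TASK_NS}Exec")
    command = exec_el.findtext(f"{TASK_NS}Command", "") if exec_el is not None else ""
    args = exec_el.findtext(f"{TASK_NS}Arguments", "") if exec_el is not None else ""
    script = decode_encoded_command(args) or ""
    low_args, low_script = args.lower(), script.lower()
    return {
        "name": root.findtext(f"{TASK_NS}RegistrationInfo/{TASK_NS}URI", ""),
        "command": command,
        "encoded": bool(script),
        "hidden_window": "-windowstyle hidden" in low_args,
        "bypasses_policy": "-executionpolicy bypass" in low_args,
        "registry_paths": REG_PATH.findall(script),
        "reverses_bytes": "[array]::reverse" in low_script,
        "loads_assembly": "reflection.assembly]::load" in low_script,
        "script": script,
    }


def is_registry_loader(report: dict) -> bool:
    """Alert verdict: encoded + hidden window + reads a hive + loads an assembly."""
    return (report["encoded"] and report["hidden_window"]
            and bool(report["registry_paths"]) and report["loads_assembly"])


if __name__ == "__main__":
    report = triage_task(build_sample_task(encode_command(SAMPLE_SCRIPT)))
    print(is_registry_loader(report), report["registry_paths"])
    print(report["script"])
```

The verdict deliberately keys on the combination of behaviours rather than on the names “dabbj” or “ehac,” which are trivially changed between builds; the decoded script also tells the responder exactly which Registry value to export (and reverse) to recover the loader for analysis.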

Exfiltration

The clipper payload contacts the TA’s Command and Control (C&C) only when a victim performs a copy/paste operation involving a cryptocurrency address. When such an address is copied or pasted, the payload replaces it with the TA’s address and captures a screenshot of the user’s screen. It then exfiltrates both the victim’s and the TA’s cryptocurrency addresses, along with the screenshot, via the TA’s Discord webhook. The figure below illustrates the exfiltrated data.

Figure 18 – Data Exfiltration

Conclusion

The presence of Pure Clipper signals an ongoing and dynamic landscape of digital threats. With a recurrent focus on Italian-speaking users and a consistent pattern of using potent malware tools – including PureLogs and the Pure Clipper – to facilitate cybercriminal activities, we suspect that these activities might be linked to Alibaba2044.

The potential consequences of this campaign are far-reaching, posing a significant threat to cryptocurrency enthusiasts and organizations. The TA’s activities underscore a clear financial motivation, revealing a persistent quest for monetary gain through cybercrime.

Our Recommendations

  • To prevent the malware from persisting on the system, block or alert on the creation of the Registry key HKCU\SOFTWARE\dabbj. Note that the key and value names are specific to this sample; a more durable detection is a scheduled task that launches PowerShell with -WindowStyle Hidden and -Enc (EncodedCommand) and whose decoded script reads binary data from the Registry.
  • Implement application whitelisting to restrict the execution of unauthorized applications, and monitor for unexpected Registry modifications.
  • Regularly review Task Scheduler entries for unusual or unauthorized tasks, especially those with suspicious names like “ehac.”

MITRE ATT&CK® Techniques 

Tactic | Technique | Procedure
Initial Access (TA0001) | Phishing (T1566) | The malware reaches users via a phishing site.
Execution (TA0002) | User Execution (T1204) | The user must manually execute the file downloaded from the phishing site.
Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | Uses a PowerShell script to load the clipper binary from the Registry.
Persistence (TA0003) | Scheduled Task/Job (T1053) | Creates a Task Scheduler entry.
Defense Evasion (TA0005) | Masquerading (T1036.008) | Downloads a file disguised as a legitimate application.
Defense Evasion (TA0005) | Modify Registry (T1112) | Uses reg.exe to modify the Windows Registry.
Defense Evasion (TA0005) | Deobfuscate/Decode Files or Information (T1140) | Files are obfuscated using PureCrypter.
Defense Evasion (TA0005) | Obfuscated Files or Information: Fileless Storage (T1027.011) | The loader binary is stored in the Registry.
Collection (TA0009) | Clipboard Data (T1115) | Monitors clipboard data and replaces crypto addresses with the TA’s address.
Collection (TA0009) | Screen Capture (T1113) | Takes a screenshot of the victim’s screen and exfiltrates it.
Exfiltration (TA0010) | Exfiltration Over Web Service (T1567) | Uses a Discord webhook to exfiltrate data.

Indicators of Compromise (IOCs) 

Indicator | Indicator Type | Description
009c5048e9c55ca33fb930ce97e8c5e1 | MD5 | Dropper
88ba199aeb9b93ae28b4781edf7904c946763103 | SHA1 | Dropper
fbfa233f980042bb92c121e38d9307ef9d48e842fa7c9bda09d9f89479df7771 | SHA256 | Dropper
43c29e5e42f4870fa4bbb30abad26012 | MD5 | ScHoster.exe
392ccfa22f19f6e466a973ac654e450a62391572 | SHA1 | ScHoster.exe
cfa592b0128bc126fbf3fb66c551a8d87223b196f5e0cd87e60b88bdc688c6e0 | SHA256 | ScHoster.exe
hxxps[:]//torprojectdownloadfree[.]site | URL | Phishing Site
