Clipper Malware Infections Pose Grave Risk to Cryptocurrency Users
In the realm of cybersecurity, malicious programs continuously evolve to exploit the vulnerabilities of unsuspecting victims. One particularly notorious threat that has gained popularity is the Clipper malware. This Clipper malware specifically targets cryptocurrency users, aiming to deceive and defraud them of their valuable digital assets.
The Clipper malware operates by hijacking cryptocurrency transactions: it silently replaces the wallet address the victim copied with a wallet address controlled by the Threat Actors (TAs). An unsuspecting user who pastes the address and sends the payment therefore transfers funds to the TAs’ account instead of the intended recipient. This can lead to significant financial losses and potential devastation for the victim.
This variant of Clipper malware’s deceptive mechanism lies in monitoring the clipboard (a crucial buffer where data is temporarily stored during copy-paste operations). By surreptitiously observing the clipboard’s contents, the clipper identifies any cryptocurrency wallet addresses that the user copies. Once detected, the malware swiftly replaces the legitimate address with the wallet address owned by the TAs, manipulating the transaction outcome to the attacker’s advantage.
Previously, Cyble Research and Intelligence Labs (CRIL) uncovered several Clipper malware variants, including Laplas Clipper, IBAN Clipper, Keona Clipper, and many others. Recently, CRIL has encountered several variants of Clipper malware and observed a significant number of samples related to these variants being submitted to VirusTotal. The observed Clipper malware variants include:
- Atlas Clipper
- Keyzetsu Clipper
- KWN Clipper
The Atlas clipper can accommodate seven crypto wallet addresses and was initially priced at $100, but it is currently available at a discounted price of $50. The Atlas Clipper utilizes a Telegram channel for Command and Control (C&C) communication.
The figure below shows the TA’s Atlas Clipper advertisement on a Telegram channel with feature details.
For our analysis, we took the sample with the SHA256 hash dabc19aba47fb36756dde3263a69f730c01c2cd3ac149649ae0440d48d7ee4cf, a 64-bit Go-compiled executable, as shown below.
When executed, the clipper creates a mutex named “YourMutex” to ensure that only a single instance of the malware runs on the victim’s machine at a time.
Once the mutex is created, the clipper creates a hidden directory called “YourDir” within the %appdata% location and drops a copy of itself within that folder, as shown below.
Following that, the clipper achieves persistence by adding the path of the dropped copy to the system’s Run registry entry, ensuring it executes automatically when the user logs in.
As an anti-analysis technique, the malware terminates specific processes such as “processhacker.exe,” preventing them from monitoring and analyzing its malicious activities.
To carry out the clipper operation, the malware executes the following actions:
- The Clipper malware initiates the clipper operation by invoking the OpenClipboard() function to gain clipboard access.
- Then, the malware utilizes the GetClipboardData() API function to retrieve the clipboard value. By employing the IsClipboardFormatAvailable() function, the malware checks if the desired format, such as a specific cryptocurrency wallet address format, is accessible.
- If the desired format is present, the malware replaces the clipboard content with its malicious data using the SetClipboardData() function. Once the manipulation is complete, the malware calls the CloseClipboard() function to release the clipboard, enabling other applications to access it again.
The figure below illustrates the original clipboard data, which represents a wallet address copied by the victim, alongside the modified clipboard data, which now contains the TA’s wallet address.
The malware transfers victim information to its Telegram bot, including details such as the victim’s username, wallet address, the attacker’s wallet address, HWID (Hardware ID), installation path, and other relevant data.
In the end, the malware deletes the executed file, but the associated process continues to run, maintaining its presence on the system.
The Keyzetsu clipper can store and manage more than 12 cryptocurrency wallet addresses. This Clipper malware utilizes a Telegram channel to establish a connection with the TAs.
For analysis purposes, a clipper sample with the SHA256 hash 4f32246f0b4adf2065c1eeb41a25086679de800702c1d5016d96749b5e4bafd5 was taken. This sample is a 32-bit executable compiled with .NET and obfuscated using an unknown obfuscator.
In the beginning, execution is intentionally delayed using the Sleep function in order to evade detection. Then, the clipper creates a mutex named “2ILdX2JpexVZieT6mPv2i6Jp3HNFPlby” to ensure that only a single instance of the malware operates on the victim’s system at any given time.
After creating the mutex, the clipper proceeds to create a directory named “KMSAuto” within the %programdata% location. It drops a copy of itself within that folder with the filename “accc.exe”, as shown below.
Subsequently, the clipper achieves persistence by adding the path of the copied file (accc.exe) to the system’s run entry, ensuring automatic execution upon user login, as shown in the below figure.
It also adds a Task Scheduler entry for persistence (the task is set to repeat every day) using the following command line:
- "schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 13:55 /du 23:59 /sc daily /ri 1 /f
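The command line above is exactly the kind of artifact a process-creation log (Sysmon Event ID 1 or Windows Security event 4688) captures. The following Python is an added example written for this article, not code from Cyble or from the samples: it tokenizes a schtasks.exe /create command line, recovers the task name, the program it runs and its schedule, and flags the traits seen here (a binary under %ProgramData%, a one-minute /ri repetition interval, /f overwriting an existing task). The Keyzetsu line is the one reported above; the benign comparison line, its vendor name and path are constructed.

```python
import shlex
from typing import Dict, List

# Directories from which a scheduled task should rarely run a binary.
# Matched as lowercase substrings of the /tr path.
SUSPICIOUS_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Split a schtasks.exe command line into a {switch: value} map.

    posix=False keeps Windows quoting rules (backslashes stay literal) and
    leaves the quotes on quoted tokens, which are stripped afterwards. A value
    may span several unquoted tokens (as in `/tn ACCC Tools`), so tokens are
    appended to the current switch until the next '/' switch appears.
    """
    tokens = [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]
    args: Dict[str, str] = {}
    key = None
    for tok in tokens[1:]:            # tokens[0] is schtasks.exe itself
        if tok.startswith("/"):
            key = tok[1:].lower()
            args[key] = ""
        elif key is not None:
            args[key] = (args[key] + " " + tok).strip()
    return args


def assess_schtasks(cmdline: str) -> Dict[str, object]:
    """Return the parsed task plus the reasons, if any, it looks like
    malware persistence rather than a vendor updater."""
    args = parse_schtasks(cmdline)
    reasons: List[str] = []
    if "create" in args:
        run = args.get("tr", "").lower()
        if any(d in run for d in SUSPICIOUS_DIRS):
            reasons.append(f"task runs a binary from a user-writable location: {args.get('tr')}")
        ri = args.get("ri", "")
        if ri.isdigit() and int(ri) <= 5:      # /ri is the repetition interval in minutes
            reasons.append(f"task re-runs every {ri} minute(s) for the whole /du window")
        if "f" in args:
            reasons.append("/f silently overwrites any existing task with the same name")
    return {"task": args.get("tn"), "command": args.get("tr"),
            "schedule": args.get("sc"), "suspicious": bool(reasons), "reasons": reasons}


# The command line reported above for the Keyzetsu sample.
KEYZETSU_SCHTASKS = (r'"schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" '
                     r'/st 13:55 /du 23:59 /sc daily /ri 1 /f')

# Constructed benign line for comparison; the vendor name and path are invented.
BENIGN_SCHTASKS = (r'schtasks.exe /create /tn "Example Vendor Updater" '
                   r'/tr "C:\Program Files\ExampleVendor\updater.exe" /sc daily /st 12:00')

if __name__ == "__main__":
    for line in (KEYZETSU_SCHTASKS, BENIGN_SCHTASKS):
        result = assess_schtasks(line)
        print(result["task"], "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for reason in result["reasons"]:
            print("   ", reason)
```

Run against a feed of 4688/Sysmon command lines, the `reasons` list is what would be attached to an alert; the same parser also serves for hunting over historical logs, since the task name and the /tr target are exactly the fields a Run-key or Task Scheduler audit would compare against.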
To perform the clipper operation, the malware observes the clipboard activity of the victims and retrieves the clipboard data by employing the GetClipboardData() function, as shown below.
Once the clipboard data is obtained, the malware extracts information regarding targeted cryptocurrencies and their associated regular expressions. These details are hardcoded within the malware file and are retrieved using base64 decoding and Gzip decompression methods facilitated by the Decrypt() function, as shown in the figure below.
Subsequently, the clipper executes the regular expression against the clipboard data, effectively detecting and identifying cryptocurrency wallet addresses.
The below image depicts the details of targeted cryptocurrencies and their regular expressions.
Upon identifying the targeted cryptocurrency wallet address using a regular expression, the malware employs the Clipboard.SetText() method to substitute it with a wallet address specified by the threat actor.
The figure below illustrates the cryptocurrency wallet addresses of the TAs, which are obfuscated using Base64 encoding and Gzip compression. These addresses are hardcoded within the malware file.
The malware sends victim information to its Telegram bot, including details such as the victim’s username, computer name, victim’s wallet address, the attacker’s wallet address, installation date & path, file size, and other relevant data, as shown below.
Upon transferring the victim’s details, the clipper malware receives the following response via WebClient.DownloadString(), as shown in the figure below.
The figure below illustrates the details of the TA’s response after the victim’s details were sent.
Finally, the malware drops a batch file in the %temp% folder and utilizes the commands within the batch file to delete the executed file. However, the related process remains active, allowing the malware to persist on the system.
For the KWN Clipper, we have chosen a sample with the SHA256 hash 7bd03cdf8339f0305d41cad6d3156610517160a116ffd8a4f77e91f56f43ec2e for analysis. This hash corresponds to a 64-bit executable file compiled using the Go programming language.
Upon execution, the KWN clipper malware performs the clipper operation using the following functions:
- OpenClipboard(): This function opens the clipboard for examination and modification. KWN Clipper uses it to gain access to the clipboard data.
- GetClipboardData(): This function retrieves data from the clipboard in a specified format.
- IsClipboardFormatAvailable(): This function checks if a particular data format is present on the clipboard. Clipboard malware might use this function to identify specific types of data and manipulate them.
- SetClipboardData(): This function places data onto the clipboard in a specified format. Clipper malware can use this function to replace the victim’s copied wallet address with the attacker’s address.
- CloseClipboard(): This function is used to conclude the malware’s access or modification of data and close the clipboard. By doing so, the malware ensures that other applications can resume normal clipboard operations.
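The clipboard routine described for the Atlas, Keyzetsu and KWN samples (open, read, test the content against a wallet regex, overwrite, close) has a mirror image on the defender’s side. The following Python is an added example written for this article, not code from Cyble or from any of the samples: it classifies clipboard text with simplified, constructed wallet-address regexes (not the regexes recovered from the Keyzetsu file) and flags a clipper-style swap in a recorded clipboard history, that is, an address replaced within a few seconds by a different address of the same coin written by a different process. The event feed is constructed inline; on a real Windows host it would come from a WM_CLIPBOARDUPDATE listener that records the owning process per update, which is an assumption about deployment and not shown here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Simplified address patterns for a few coins. These are this example's own
# constructed patterns, not the regexes recovered from the Keyzetsu sample.
WALLET_PATTERNS = {
    "BTC": re.compile(r"^(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(?:ltc1[ac-hj-np-z02-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "XMR": re.compile(r"^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "TRX": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify_wallet(text: str) -> Optional[str]:
    """Return the coin whose address pattern matches `text`, or None.

    This is the same test a clipper runs on every clipboard update to decide
    whether the content is worth replacing; here it decides whether an
    update needs to be watched for a follow-up swap.
    """
    text = text.strip()
    for coin, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


@dataclass
class ClipboardEvent:
    t: float      # seconds since monitoring started
    owner: str    # image name of the process that set the clipboard
    text: str     # CF_UNICODETEXT content at that moment


@dataclass
class SwapAlert:
    coin: str
    original: str
    replacement: str
    owner: str
    delay: float


def detect_swaps(events: List[ClipboardEvent], window: float = 5.0) -> List[SwapAlert]:
    """Flag a clipper-style swap: a wallet address set by one process is
    replaced, within `window` seconds, by a different address of the same
    coin written by a different process. A user re-copying another address
    from the same application does not match, nor does non-address text."""
    alerts: List[SwapAlert] = []
    prev: Optional[tuple] = None  # (event, coin) of the last address seen
    for ev in events:
        coin = classify_wallet(ev.text)
        if coin is None:
            prev = None           # ordinary text breaks the copy/replace pair
            continue
        if prev is not None:
            prev_ev, prev_coin = prev
            if (prev_coin == coin
                    and prev_ev.text.strip() != ev.text.strip()
                    and prev_ev.owner != ev.owner
                    and ev.t - prev_ev.t <= window):
                alerts.append(SwapAlert(coin, prev_ev.text, ev.text, ev.owner, ev.t - prev_ev.t))
        prev = (ev, coin)
    return alerts


# Constructed clipboard history. The addresses are made-up strings that only
# satisfy the formats above; "accc.exe" is the Keyzetsu drop name from the analysis.
VICTIM_BTC = "1VictimAddrConstructed111111111111"
ATTACKER_BTC = "3AttackerAddrConstructed1111111111"
VICTIM_ETH = "0x" + "1" * 40
OTHER_ETH = "0x" + "2" * 40

SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "chrome.exe", "Meeting notes for Friday"),
    ClipboardEvent(3.0, "chrome.exe", VICTIM_BTC),
    ClipboardEvent(3.2, "accc.exe", ATTACKER_BTC),           # clipper overwrote the copy
    ClipboardEvent(20.0, "chrome.exe", VICTIM_ETH),
    ClipboardEvent(25.0, "chrome.exe", OTHER_ETH),           # user copied a second address
    ClipboardEvent(40.0, "chrome.exe", VICTIM_BTC),
    ClipboardEvent(40.1, "accc.exe", "https://example.com/"),  # not an address: no alert
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"{a.coin} address replaced by {a.owner} after {a.delay:.1f}s: "
              f"{a.original} -> {a.replacement}")
```

The owner check is what separates a swap from a user simply copying a second address, and the reset on non-address text keeps an old copy from pairing with an unrelated paste minutes later; both are the kind of false-positive guard a production clipboard monitor needs before it can block the paste or warn the user.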
The figure below shows the actual clipboard data, which represents a wallet address copied by the victim, alongside the modified clipboard data, which now contains the TA’s wallet address.
The figure below illustrates the presence of the clipper name “KWN” within the memory string during execution.
Similar to previous clipper malware, the KWN clipper also employs a Telegram channel to establish communication with the TA, as shown below.
The KWN Clipper malware continues to run, intercepting and redirecting any further cryptocurrency transactions initiated by the victim to the attacker’s wallet.
The rise of Clipper malware poses a notable danger to individuals engaged in cryptocurrency activities, as it specifically focuses on intercepting their transactions and redirecting funds to the wallets of TAs. The increasing popularity of cryptocurrencies has attracted the interest of TAs, constantly seeking novel ways to exploit crypto wallets. This escalating pattern of attacks, motivated by financial gains, emphasizes the necessity for enhanced security precautions. Commonly spread through phishing campaigns, Clipper malware is frequently accompanied by additional malware such as Coinminer, loaders, and stealers.
CRIL will continue monitoring the latest phishing or malware strains in the wild and update blogs with actionable intelligence to safeguard users against these notorious attacks.
- Before submitting cryptocurrency wallet information, verify the authenticity of the source.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing/untrusted URLs.
- Block URLs that could spread the malware, e.g., Torrent/Warez.
- Monitor beaconing at the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
MITRE ATT&CK® Techniques
|Tactic|Technique ID|Technique Name|
|---|---|---|
|Execution|T1059|Command and Scripting Interpreter|
|Persistence|T1547.001|Registry Run Keys / Startup Folder|
|Defense Evasion|T1027|Obfuscated Files or Information|
|Defense Evasion|T1562.001|Disable or Modify Tools|
|Discovery|T1082|System Information Discovery|
|Discovery|T1083|File and Directory Discovery|
|Command and Control|T1071|Application Layer Protocol|
Indicators of Compromise
|Indicators|Indicator Type|Description|
|---|---|---|
|fd8d8e6b0480d5f4ca50c2ee6a70801b|MD5|Keyzetsu Clipper|
|cbea912f99d2fe8fedc8caab43652688a7afd575|SHA1|Keyzetsu Clipper|
|4f32246f0b4adf2065c1eeb41a25086679de800702c1d5016d96749b5e4bafd5|SHA256|Keyzetsu Clipper|