Underground Clipper Malware Targeting IBAN Transactions & Cryptocurrency

Cyble Analyzes Threat Actors selling Clipper Malware targeting IBAN transactions and cryptocurrency on cybercrime forums.

Threat Actors actively selling Malware on Cybercrime Forums

Introduction

Banking malware has evolved into a major security risk for all financial companies and institutions. We have observed a significant increase in attacks that use banking malware to carry out large-scale financial theft.

Moving large amounts of funds online has always been considered a high-risk operation in the financial sector. Due to the complex structure of the International Bank Account Number (IBAN), it is challenging even for frequent users to remember their IBAN. Threat Actors have evolved to exploit this specific human vulnerability using clipper malware.

IBAN clipper malware is a type of banking malware that swaps the IBAN of the recipient with the Threat Actor’s IBAN account during an ongoing financial transaction.

According to CERT Poland, IBAN swap malware was first discovered targeting the financial sector in October 2013. Since then, it has evolved multiple times to evade existing security mechanisms and software.

IBAN Clipper Malware


In June 2022, Cyble Research Labs identified a TA on a cybercrime forum offering monthly subscription-based services of clipper malware targeting Windows operating systems.

We have observed that the TA only sells malware solutions to target IBANs corresponding to the Single Euro Payment Area (SEPA) registered countries.

The TA claimed to be able to modify the IBAN from the victim’s clipboard from a command-and-control panel to hijack an ongoing financial transaction on the victim’s machine/browser.

Figure 1 – TA post offering IBAN clipper Malware and its services

How does IBAN Clipper Malware operate?

IBAN clipper malware enters the victim’s system like any other malware, from Phishing Emails/attachments, Malicious URLs, or downloading infected software from the web.

A proof-of-concept video shared by the TA revealed its operations on a test machine. After the malware is successfully installed on the victim’s machine, this clipper malware carries out its operation in the following steps:

Step 1:

It captures all the text from the clipboard on the victim’s machine.

Step 2:

The malware uses regular expressions to identify, in the clipboard text, the IBAN the victim intends to use for the financial transaction.

Step 3:

The malware replaces the recipient’s IBAN with an IBAN configured by the Threat Actor in the instructions pre-set from the Command-and-Control (C&C) panel.

Step 4:

Once the victim proceeds with a banking transaction, the IBAN configured by the TA is pasted, and the funds will be transferred to the bank account controlled by the TA instead of the intended recipient’s account.
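As an added, defender-side illustration (not code from the report, nor the TA's malware), the following Python extracts IBANs from clipboard text the way a paste-verification check or a detection rule would, validates them with the ISO 13616 mod-97 checksum, and flags a mismatch between what was copied and what was pasted. The clipboard strings are constructed samples; the IBANs are the widely published DE and GB example IBANs, not indicators from the report.

```python
import re

# Constructed sample clipboard contents (before and after a hypothetical swap).
COPIED_TEXT = "Pay invoice 4711 to DE89 3704 0044 0532 0130 00 by Friday"
PASTED_TEXT = "Pay invoice 4711 to GB82 WEST 1234 5698 7654 32 by Friday"

# Matches an IBAN written with or without the usual 4-character grouping.
IBAN_RE = re.compile(r"\b[A-Z]{2}[0-9]{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")


def normalize(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters A-Z to 10-35, and the resulting integer must be 1 mod 97."""
    s = normalize(iban)
    if len(s) < 15 or len(s) > 34:
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)
    return int(digits) % 97 == 1


def extract_ibans(text: str) -> list:
    """Return the checksum-valid IBANs found in free text, normalized."""
    return [normalize(m) for m in IBAN_RE.findall(text) if iban_checksum_ok(m)]


def detect_iban_swap(copied: str, pasted: str):
    """Compare the IBANs in what the user copied with what actually got pasted.
    Returns None when they agree, otherwise a dict describing the mismatch."""
    src, dst = extract_ibans(copied), extract_ibans(pasted)
    if src == dst:
        return None
    return {
        "copied": src,
        "pasted": dst,
        # A clipper's replacement IBAN passes the checksum as well, so the
        # checksum alone is no signal; the changed recipient is.
        "pasted_checksum_ok": all(iban_checksum_ok(i) for i in dst),
        "country_changed": {i[:2] for i in src} != {i[:2] for i in dst},
    }


if __name__ == "__main__":
    print(detect_iban_swap(COPIED_TEXT, PASTED_TEXT))
```

The practical lesson is that the swapped IBAN is syntactically valid, so the only reliable user-side check is comparing the pasted recipient against the one on the invoice (or the bank's confirmation screen), not validating its format.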

Figures 2 and 3 are taken from the proof-of-concept demonstration video shared by the TA:

Figure 2 – Pasting from clipboard without clipper malware

Figure 3 – Clipper Malware modifying copied IBAN

Other clipper malware targeting Cryptocurrency transactions

We discovered multiple Threat Actors offering other variants of clipper malware on cybercrime forums.

  • In June 2022, Cyble Research Labs identified a TA on a cybercrime forum selling a variant of clipper malware that can modify the cryptocurrency wallet address while a blockchain transaction is being made.
Figure 4 – TA selling clipper malware for cryptocurrencies

  • In May 2022, Cyble Research Labs identified a TA that leaked the source code of the Stealerium malware, written in C#, which claims to have the capabilities of a stealer, keylogger, and clipper.
Figure 5 – TA post regarding the Stealerium malware

  • In April 2022, Cyble Research Labs identified a TA posting on a cybercrime forum selling Imperious clipper, which claims to be capable of modifying addresses for various cryptocurrencies and can be operated through a Telegram bot.
Figure 6 – TA post regarding selling Imperious clipper

Conclusion

Cybercriminals have been improving and adapting their tactics, acquiring malware to evade antivirus software, and committing financial crimes at a high frequency. We have observed clipper malware play a central role in upscaling financial fraud in the cybercrime ecosystem.

Many cybercriminals purchase malware and add-on services from underground forums to carry out financial fraud without any specific skill set. With banking clipper malware and related services on sale, the finance industry is more exposed to cyber-attacks and financial fraud.
