Cyble – Multiple New Clipper Malware Variants Discovered In The Wild

Clipper Malware Infections Pose Grave Risk to Cryptocurrency Users

In the realm of cybersecurity, malicious programs continuously evolve to exploit the vulnerabilities of unsuspecting victims. One particularly notorious threat that has gained popularity is the Clipper malware. This Clipper malware specifically targets cryptocurrency users, aiming to deceive and defraud them of their valuable digital assets.

The Clipper malware operates by cunningly hijacking cryptocurrency transactions, stealthily replacing the victim’s wallet address with that of the Threat Actors’ (TAs) wallet address. Suppose an unsuspecting user tries to pay from their cryptocurrency account, and the transaction has been diverted to an entirely different recipient (the account of the TAs instead of the intended recipient). This alarming turn of events can lead to significant financial losses and potential devastation for the victim.

This variant of Clipper malware’s deceptive mechanism lies in monitoring the clipboard (a crucial buffer where data is temporarily stored during copy-paste operations). By surreptitiously observing the clipboard’s contents, the clipper identifies any cryptocurrency wallet addresses that the user copies. Once detected, the malware swiftly replaces the legitimate address with the wallet address owned by the TAs, manipulating the transaction outcome to the attacker’s advantage.

Previously, Cyble Research and Intelligence Labs (CRIL) uncovered several Clipper malware variants, including Laplas Clipper, IBAN Clipper, Keona Clipper, and many others. Recently, CRIL has encountered several variants of Clipper malware and observed a significant number of samples related to these variants being submitted to VirusTotal. The observed Clipper malware variants include:

Atlas Clipper
Keyzetsu Clipper
KWN Clipper

Technical Details

Atlas Clipper

The Atlas clipper can accommodate seven crypto wallet addresses and was initially priced at $100, but it is currently available at a discounted price of $50. The Atlas Clipper utilizes a Telegram channel for Command and Control (C&C) communication.

The figure below shows the TA’s Atlas Clipper advertisement on a Telegram channel with feature details.

Figure 1 Atlas Clipper advertisement in telegram channel — Figure 1 – Atlas Clipper advertisement in Telegram channel

We have taken the below sample hash for our analysis: (SHA256), dabc19aba47fb36756dde3263a69f730c01c2cd3ac149649ae0440d48d7ee4cf, which is a 64-bit Go compiled binary executable file, as shown below.

Figure 2 Go Build ID of Atlas Clipper — Figure 2 – Go Build ID of Atlas Clipper

When executed, the clipper creates a mutex named “YourMutex” to ensure that only a single instance of the malware runs on the victim’s machine at the time.

Once the mutex is created, the clipper creates a hidden directory called “YourDir” within the %appdata% location and drops a duplicate within that folder, as shown below.

Figure 3 Copy of itself file — Figure 3 – Copy of itself file

Following that, the clipper achieves persistence by adding the path of the dropped copy of itself file into the system’s run entry, ensuring it automatically runs when the user logs in.

Figure 4 Run entry for Atlas Clipper persistence — Figure 4 – Run entry for Atlas Clipper persistence

As an anti-analysis technique, the malware terminates specific processes such as “processhacker.exe,” preventing the monitoring and analyzing its malicious activities.

To carry out the clipper operation, the malware executes the following actions:

The Clipper malware initiates the clipper operation by invoking the OpenClipboard() function to gain clipboard access.
Then, the malware utilizes the GetClipboardData() API function to retrieve the clipboard value. By employing the IsClipboardFormatAvailable() function, the malware checks if the desired format, such as a specific cryptocurrency wallet address format, is accessible.
If the desired format is present, the malware replaces the clipboard content with its malicious data using the SetClipboardData() function. Once the manipulation is complete, the malware calls the CloseClipboard() function to release the clipboard, enabling other applications to access it again.

The figure below illustrates the original clipboard data, which represents a wallet address copied by the victim, alongside the modified clipboard data, which now contains the attacker’s wallet address (TA).

Figure 5 TAs wallet address replaced in Clipboard Atlas Clipper — Figure 5 – TA’s wallet address replaced in Clipboard (Atlas clipper)

The malware transfers victim information to its Telegram bot, including details such as the victim’s username, wallet address, the attacker’s wallet address, HWID (Hardware ID), installation path, and other relevant data.

In the end, the malware deletes the executed file, but the associated process continues to run, maintaining its presence on the system.

Keyzetsu Clipper

The Keyzetsu clipper can store and manage more than 12 cryptocurrency wallet addresses. This Clipper malware utilizes a Telegram channel to establish a connection with the TAs.

For analysis purposes, a clipper sample with the SHA256 hash 4f32246f0b4adf2065c1eeb41a25086679de800702c1d5016d96749b5e4bafd5 was taken. This particular sample 32-bit executable was compiled using .NET and obfuscated using an unknown obfuscator.

Figure 7 Static file details of Keyzetsu Clipper — Figure 7 – Static file details of Keyzetsu Clipper

In the beginning, the execution was intentionally delayed using the Sleep function, with the purpose of evading detection. Then, the clipper establishes a mutex named “2ILdX2JpexVZieT6mPv2i6Jp3HNFPlby” to ensure that only a single instance of the malware operates on the victim’s system at any given time.

After creating the mutex, the clipper proceeds to create a directory named “KMSAuto” within the %programdata% location. It drops a copy of itself within that folder with the filename “accc.exe”, as shown below.

Figure 8 Copy of itself file — Figure 8 – Dropping copy of itself file

Subsequently, the clipper achieves persistence by adding the path of the copied file (accc.exe) to the system’s run entry, ensuring automatic execution upon user login, as shown in the below figure.

Figure 9 – Run entry for Keyzetsu Clipper

It also adds a task schedular entry for persistence (The task is set to repeat every day) by using the following command line:

“schtasks.exe” /create /tn ACCC Tools /tr “C:ProgramDataKMSAutoaccc.exe” /st 13:55 /du 23:59 /sc daily /ri 1 /f

To perform the clipper operation, the malware observes the clipboard activity of the victims and retrieves the clipboard data by employing the GetClipboardData() function, as shown below.

Figure 10 Code of GetClipboardData function — Figure 10 – Code of GetClipboardData() function

Once the clipboard data is obtained, the malware extracts information regarding targeted cryptocurrencies and their associated regular expressions. These details are hardcoded within the malware file and are retrieved using base64 decoding and Gzip decompression methods facilitated by the Decrypt() function, as shown in the figure below.

Figure 11 Decrypt function — Figure 11 – Decrypt() function

Subsequently, the clipper executes the regular expression against the clipboard data, effectively detecting and identifying cryptocurrency wallet addresses.

The below image depicts the details of targeted cryptocurrencies and their regular expressions.

Figure 12 Targeted cryptocurrencies and their regular — Figure 12 – Targeted cryptocurrencies and their regular expressions

Upon identifying the targeted cryptocurrency wallet address using a regular expression, the malware employs the Clipboard.SetText() method to substitute it with a wallet address specified by the threat actor.

Figure 13 – Code to Replace TAs wallet address — Figure 13 – Code to Replace TA’s wallet address

The figure below illustrates the cryptocurrency wallet addresses of the TAs, which are encrypted using Base64 encoding and Gzip compression. These addresses are hardcoded within the malware file.

Figure 14 – Encrypted crypto addresses hardcoded within the file

The malware sends victim information to its Telegram bot, including details such as the victim’s username, computer name, victim’s wallet address, the attacker’s wallet address, installation date & path, file size, and other relevant data, as shown below.

Figure 15 Exfiltrated data — Figure 15 – Exfiltrated data

The clipper malware receives the following response using WebClient upon transferring the victim’s details.DownloadString(), as shown in the below figure.

Figure 16 – Code of WebClient.DownloadString function — Figure 16 – Code of WebClient.DownloadString() function

The details of the response from TA after sending the victim’s details, as illustrated in the below figure.

Figure 17 TAs communication — Figure 17 – TA’s communication

Finally, the malware drops a batch file in the %temp% folder and utilizes the commands within the batch file to delete the executed file. However, the related process remains active, allowing the malware to persist on the system.

KWN Clipper

We have chosen a sample hash (SHA256) for analysis: 7bd03cdf8339f0305d41cad6d3156610517160a116ffd8a4f77e91f56f43ec2e. This hash corresponds to a 64-bit executable file compiled using the Go programming language.

Upon execution, the KWN clipper malware performs the clipper operation using the following functions:

OpenClipboard(): This function allows access and modification of the clipboard. KWN Clipper would use this function to gain entry to the clipboard data.
GetClipboardData(): This function retrieves data from the clipboard in a specified format.
IsClipboardFormatAvailable(): This function checks if a particular data format is present on the clipboard. Clipboard malware might use this function to identify specific types of data and manipulate them.
SetClipboardData(): This function places data onto the clipboard in a specified format. Clipper malware can use this function to replace the victim’s copied wallet address with the attacker’s address.
CloseClipboard(): This function is used to conclude the malware’s access or modification of data and close the clipboard. By doing so, the malware ensures that other applications can resume normal clipboard operations.

The figure below shows the actual clipboard data, which represents a wallet address copied by the victim, alongside the modified clipboard data, which now contains the attacker’s wallet address (TA).

Figure 19 TAs wallet address replaced in Clipboard — Figure 19 – TA’s wallet address replaced in Clipboard

The figure below illustrates the presence of the clipper name “KWN” within the memory string during execution.

Figure 20 – Clipper name present in Memory strings

Similar to previous clipper malware, the KWN clipper also employs a Telegram channel to establish communication with the TA, as shown below.

Figure 21 KWN clipper telegram URL — Figure 21 – KWN clipper Telegram URL

The KWN Clipper malware continues to run, intercepting and redirecting any further cryptocurrency transactions initiated by the victim to the attacker’s wallet.

Conclusion

The rise of Clipper malware poses a notable danger to individuals engaged in cryptocurrency activities, as it specifically focuses on intercepting their transactions and redirecting funds to the wallets of TAs. The increasing popularity of cryptocurrencies has attracted the interest of TAs, constantly seeking novel ways to exploit crypto wallets. This escalating pattern of attacks, motivated by financial gains, emphasizes the necessity for enhanced security precautions. Commonly spread through phishing campaigns, Clipper malware is frequently accompanied by additional malware such as Coinminer, loaders, and stealers.

CRIL will continue monitoring the latest phishing or malware strains in the wild and update blogs with actionable intelligence to safeguard users against these notorious attacks.

Our Recommendations

Before submitting the cryptocurrency wallet information, verify the authenticity source.
Use strong passwords and enforce multi-factor authentication wherever possible.
Turn on the automatic software update feature on your computer, mobile, and other connected devices.
Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
Refrain from opening untrusted links and email attachments without first verifying their authenticity.
Educate employees on protecting themselves from threats like phishing/untrusted URLs.
Block URLs that could spread the malware, e.g., Torrent/Warez.
Monitor the beacon on the network level to block data exfiltration by malware or TAs.
Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Technique Name
Execution	T1204 T1059	User Execution Command and Scripting Interpreter
Persistence	T1053 T1547.001	Scheduled Task/Job Registry Run Keys / Start-up Folder
Defense Evasion	T1497 T1027 T1562	Virtualization/Sandbox Evasion Obfuscated Files or Information Disable or Modify Tools
Discovery	T1057 T1012 T1082 T1083	Process Discovery Query Registry System Information Discovery File and Directory Discovery
Collection	T1115	Clipboard Data
C&C	T1071 T1573	Application Layer Protocol Encrypted Channel

Indicators of Compromise

Indicators	Indicator Type	Description
95a9f65aee07cdd972376efd4c18ee7a 0f8174aa5d8994ccb720cf5d134283502caf5ae0 dabc19aba47fb36756dde3263a69f730c01c2cd3ac149649ae0440d48d7ee4cf	MD5 SHA1 SHA256	Atlas Clipper
fd8d8e6b0480d5f4ca50c2ee6a70801b cbea912f99d2fe8fedc8caab43652688a7afd575 4f32246f0b4adf2065c1eeb41a25086679de800702c1d5016d96749b5e4bafd5	MD5 SHA1 SHA256	Keyzetsu Clipper
14485f6b7327d25d8a255b9feca41e7b 647c7a8e08533212c7c8637712e41eae0bf49055 7bd03cdf8339f0305d41cad6d3156610517160a116ffd8a4f77e91f56f43ec2e	MD5 SHA1 SHA256	KWN Clipper

Source: https://blog.cyble.com/2023/06/30/multiple-new-clipper-malware-variants-discovered-in-the-wild/

Tags: FINANCIAL, MOBILE, PHISHING, EXPLOIT, EXFILTRATION, MONITOR, PERSISTENCE, CRYPTO