Cyble - Dissecting IBAN Clipper - Cybersecurity News Everyday

Threat Actors Striking Back with Financial Malware

In a recent blog, Cyble Research Labs (CRL) has highlighted an International Bank Account Number (IBAN) Clipper Malware after identifying a Threat Actor (TA) on a cybercrime forum offering monthly subscription-based services of clipper malware targeting Windows operating systems.

IBAN is an internationally agreed system developed to identify an overseas bank account. A Clipper malware targets a victim’s clipboard to perform unauthorized swapping operations by replacing the victim’s data with the TA’s data for the purpose of carrying out financial theft.

Most popular clippers target crypto transactions where the malware swaps the victim’s crypto address with the TA’s crypto address and tricks unsuspecting victims into sending money to the TA’s crypto address. Similarly, IBAN clipper targets bank account numbers. The figure below shows the post made by the TA on a cybercrime forum.

Figure 1 Cyble IBAN Clipper Malware Crypto Cryptocurrency Financial Theft Cybercrime Post on cybercrime forum — Figure 1 – Post on cybercrime forum

Technical Analysis

Sample SHA256: cf12c493db3e63cc7556abf37c4b72dc0b9f2d0673325e4908248621102c9a66

The IBAN Clipper sample analyzed in this blog is a 32-bit .NET-based binary targeting Windows-based operating systems.

Figure 2 Cyble IBAN Clipper Malware Crypto Cryptocurrency Financial Theft Cybercrime Payload details — Figure 2 – Payload details

The clipper imports the User32 library and uses the AddClipboardFormatListener method to monitor changes in the victim’s clipboard.

Figure 3 Cyble IBAN Clipper Malware Crypto Cryptocurrency Financial Theft Cybercrime Imports User32.dll — Figure 3 – Importing ‘User32.dll’

IBAN Clipper uses a multithreading approach for rapid clipper operation. It then extracts the clipboard data using the Clipboard.GetText() method, which retrieves text data from the clipboard in ASCII Text or UnicodeText format, depending on the operating system.

Figure 4 Cyble IBAN Clipper Malware Crypto Cryptocurrency Financial Theft Cybercrime Uses multithreading — Figure 4 – Uses multithreading

The clipper uses the below regular expression for identifying the IBAN in the victim’ clipboard:

b(ES[0-9])[0-9]{20,26}b

If an IBAN is identified in the clipboard, the clipper will replace it with the number specified by the TA. The clipper malware fetches the IBAN details from a text file hosted on the TA’s remote server.

Figure 5 Cyble IBAN Clipper Malware Crypto Cryptocurrency Financial Theft Cybercrime Retrieves TAs IBAN from remote servers — Figure 5 – Retrieves TA’s IBAN from remote servers

Persistence

Our research indicated that the clipper identifies it’s executable path using the getexecutingassembly().location method and copies itself in the Window’s startup folder causing it to automatically execute when the user logs in.

The clipper adds the following registry values under the key.

“SOFTWAREMicrosoftWindowsCurrentVersionRun”:

Microsoft Store
Skype Web

The “Microsoft Store” Value contains the path of clipper binary from where it was executed initially, and “Skype Web” Value contains the path of startup folder where the clipper binary was copied in the above step. Adding entries to the “Run” key enables the operating system to execute these clippers automatically when the system restarts.

The figure below shows the new values added to the registry key for persistence.

Figure 7 Cyble IBAN Clipper Malware Crypto Cryptocurrency Financial Theft Cybercrime Adds fake values in registry key — Figure 7 – Values added to registry key to establish persistence

Conclusion

While CRL continues its active monitoring for emerging threats, we observe multiple TAs developing more malware to carry out financial cybercrime. The IBAN Clipper malware is successful in its attempts to carry out fraudulent financial transactions only if the victim copies the bank account number during a transaction. The TA has also incorporated a feature of retrieving the bank account number from remote sites, making this clipper more sophisticated, stealthy, and capable, further enabling the TA to update the bank account number without altering the clipper payload.

Our Recommendations:

Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., often contains such malware.
Use strong passwords and enforce multi-factor authentication wherever possible.
Turn on the automatic software update feature on your computer, mobile, and other connected devices.
Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
Refrain from opening untrusted links and email attachments without first verifying their authenticity.
Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
Monitor the beacon on the network level to block data exfiltration by malware or TAs.
Enable Data Loss Prevention (DLP) Solutions on employees’ systems.

MITRE ATT&CK® Techniques 

Tactic	Technique ID	Technique Name
Execution	T1204	User Execution
Persistence	T1547.001	Registry Run Keys / Startup Folder
Credential Access	T1555 T1539 T1552 T1528	Credentials from Password Stores Steal Web Session Cookie Unsecured Credentials Steal Application Access Token
Collection	T1115	Clipboard Data
Command and Control	T1071	Application Layer Protocol
Impact	T1565.002	Data Manipulation: Transmitted Data Manipulation

Indicators of Compromise (IoCs):  

Indicators	Indicator type	Description
6a977e7f362dc2d3ee994f91782624d1 ea5959210ba650b918deffd39874eba7b485ac75 cf12c493db3e63cc7556abf37c4b72dc0b9f2d0673325e4908248621102c9a66	MD5 SHA1 SHA256	Payload

Source: https://blog.cyble.com/2022/08/22/dissecting-iban-clipper/

Tags: WINDOWS, TOOL, PHISHING, MONITOR, DLP, VIRUS, EMAIL, PAYLOAD

Cyble – Dissecting IBAN Clipper