Threat actors are good at reviving old attack techniques and using them to hunt for prey. Replacing clipboard content is an attack that has been in use for over a decade, and it is still very relevant today.
In this article, we look into one such attack. We will walk you through what clipboard injector malware is and how it targets cryptocurrency users.
The clipboard injector malware hooks into the Windows clipboard viewer chain, which lets it detect any change made to the clipboard data. It then uses a set of predefined regular expressions to search the clipboard text for specific patterns and replaces any match with a randomly selected address from a pre-existing list.
These attacks date back to 2013, when banking trojans replaced account numbers copied into the clipboard, but they had some limitations. Cryptocurrency wallets, which are globally accessible and not tied to a specific provider, have since become a preferred target for crypto thieves, because the rising value of cryptocurrencies offers a high potential for financial gain.
The attack is simple, but what creates the damage? The malware causes irreversible money transfers, and a normal user will find it very hard to detect. Unlike traditional malware, which needs a communication channel to its operators, clipboard injector malware does not need one, which makes it more dangerous and harmful.
Clipboard injectors can stay dormant for a long period of time, showing no presence or activity, and strike when least expected by replacing the crypto wallet address. Again, unlike traditional malware, which relies on bad infrastructure (blacklisted IPs, domains, etc.), clipboard injectors execute their malicious payload only when a specific external condition is satisfied: the presence of a certain data format in the clipboard.
Recently, malware has been targeting Tor Browser, which is used to access the dark web through the Tor network. This coincides with Russia's ban on the Tor Project's website, even though Russia had over 300,000 daily Tor users and was the second-largest country by number of Tor users in 2021.
Malware authors took advantage of this by creating trojanized Tor Browser bundles and distributing them to the Russian-speaking community. Starting from December 2021, some versions of torbrowser_ru.exe were discovered, but it wasn't until August 2022 that a significant increase in the distribution of these malicious files was seen. They were disguised as Tor Browser installers with Russian language packs included in the name.
Tor Browser Trojan (Source: Kaspersky)
When the user downloads the Tor browser from a third party, it initially appears and starts as torbrowser.exe; however, the file does not carry a digital signature and is just a RAR SFX (self-extracting executable) archive.
The contents of the download are:
The original Tor application
A random password-protected RAR archive
A RAR extraction tool with a random name, driven from the command line
To avoid detection by antivirus solutions that rely on static signatures, the SFX launches the original torbrowser.exe while simultaneously running the RAR extraction tool on the hidden password-protected RAR archive. Password protection does not help against sandbox-based detection, but it does evade static signature detection.
The trojanized Tor executable determines the archive password and the directory into which the payload is extracted. Once placed in a subdirectory within the current user's AppData directory, the extracted executable starts a new process and registers itself in the system's autostart.
Most of the time, the executable disguises itself with the original uTorrent icon.
The installer's payload is a passive clipboard-injector malware that does not communicate with any server. The malware is protected by Enigma packer v4.0, a commercial software protector, which further complicates analysis.
The Kaspersky researchers found some samples of the malware and analyzed them. The payload is a simple one: the malware joins the Windows clipboard viewer chain and receives a notification whenever the clipboard data changes. If the clipboard holds text, it examines the content using predefined regular expressions. If it finds a match, it substitutes the matched content with a random address from a pre-configured list.
Malware data hexdump with regular expressions and wallet IDs (Source: Kaspersky)
Some of the regular expressions observed by Kaspersky researchers are:
bc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s) – Bitcoin
(^|\s)[3]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s) – Litecoin/Bitcoin Legacy
(^|\s)D[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}($|\s) – Dogecoin
(^|\s)0x[A-Fa-f0-9]{40}($|\s) – ERC-20 (e.g. Ethereum, Tether, Ripple, etc.)
(^|\s)[LM]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s) – Litecoin Legacy
(^|\s)ltc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s) – Litecoin
The malware samples contain a large number of potential Bitcoin replacement addresses, which makes it challenging to blacklist or trace them. Nonetheless, all of these addresses were gathered and will be provided as an attachment to this blog for other researchers and investigators to use in their efforts to locate stolen Bitcoin.
A hotkey combination (Ctrl+Alt+F10) makes the malware stop operating and disable itself.
Although most of the approximately 16,000 detections occurred in Russia and Eastern Europe, the threat has also affected at least 52 countries globally.
After unpacking the malware from Enigma, the researchers estimated the total loss caused by this single malware, shown below.
The trend of Amount Stolen using clipboard injector malware (Source: Kaspersky)
The MITRE ATT&CK techniques mapped to this campaign are:
T1027.002 (Software Packing)
T1115 (Clipboard Data)
T1204.002 (Malicious File)
T1496 (Resource Hijacking)
T1557 (Adversary-in-the-Middle)
T1608.006 (SEO Poisoning)
Always download and install software from reliable and trusted vendors. Also, make sure that your system has an antivirus or EDR solution installed.
There is a Notepad trick that helps detect whether a system is compromised. Enter or copy the "Bitcoin address" (bc1heymalwarehowaboutyoureplacethisaddress) in Notepad, then press Ctrl+C and Ctrl+V.
If the address changes, the system is likely compromised and may be dangerous to use. It is recommended to scan the system for malware using security software. If you want complete assurance, a compromised system should not be trusted until it is rebuilt.
In this article, we have covered what clipboard injector malware is and how it targets users. I hope this content helps you detect the presence of this malware on your system.
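As an added example (not code from the article or from Kaspersky), the script below compiles the regular expressions listed earlier and automates the Notepad check: it reports which coin type a clipboard string would trigger and whether the string that came back out of the clipboard differs from the one that went in. The swapped address is a constructed placeholder, and the unbalanced parenthesis in the printed Litecoin pattern is corrected so it compiles.

```python
import re

# Regular expressions attributed to the clipboard injector in the article above.
# The Litecoin (bech32) pattern is printed with an unbalanced "(" on the page;
# it is corrected here so that it compiles.
WALLET_PATTERNS = {
    "Bitcoin": r"bc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s)",
    "Litecoin/Bitcoin Legacy": r"(^|\s)[3]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s)",
    "Dogecoin": r"(^|\s)D[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}($|\s)",
    "ERC-20": r"(^|\s)0x[A-Fa-f0-9]{40}($|\s)",
    "Litecoin Legacy": r"(^|\s)[LM]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s)",
    "Litecoin": r"(^|\s)ltc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s)",
}
COMPILED = {coin: re.compile(p) for coin, p in WALLET_PATTERNS.items()}

# The canary string the article suggests pasting into Notepad. It is not a real
# wallet, but it satisfies the malware's Bitcoin regex, so an injector would swap it.
CANARY = "bc1heymalwarehowaboutyoureplacethisaddress"


def extract_addresses(text):
    """Map coin type -> the address-like token the injector would target in text."""
    found = {}
    for coin, rx in COMPILED.items():
        m = rx.search(text)
        if m:
            found[coin] = m.group(0).strip()  # drop the (^|\s) / ($|\s) anchors
    return found


def classify(text):
    """Coin types whose regex matches the text, i.e. what the malware would act on."""
    return sorted(extract_addresses(text))


def clipboard_tampered(copied, pasted):
    """Automated form of the Notepad check: compare what went into the clipboard
    with what came back out. Returns details of the swap, or None if intact."""
    before, after = extract_addresses(copied), extract_addresses(pasted)
    for coin, addr in before.items():
        if coin in after and after[coin] != addr:
            return {"coin": coin, "copied": addr, "pasted": after[coin]}
    return None


if __name__ == "__main__":
    swapped = "bc1" + "q" * 40  # constructed stand-in for an attacker's address
    print(classify(CANARY))                     # ['Bitcoin']
    print(clipboard_tampered(CANARY, CANARY))   # None
    print(clipboard_tampered(CANARY, swapped))  # {'coin': 'Bitcoin', ...}
```

On a live system, feed the copied and pasted strings from an actual clipboard round trip into clipboard_tampered; the script itself never touches the clipboard.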
Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.