April 18, 2023

What is a Clipboard Injector Malware? And, How Does Clipboard Injector Malware Targets Crypto Users?


What Is A Clipboard Injector Malware And How Does Clipboard Injector Malware Targets Crypto Users

Threat actors are good at repurposing old attack techniques when hunting for victims. Replacing clipboard content is an attack that has been in use for over a decade, and it remains relevant today.

In this article, we look into one such attack. We walk through what clipboard injector malware is and how it targets crypto users.

What is Clipboard Injector Malware?

Clipboard injector malware is designed to interact with the Windows clipboard viewer chain, enabling it to detect any change made to the clipboard data. It then uses a set of predefined regular expressions to search for specific text patterns, which are replaced with randomly selected addresses from a pre-existing list.

These attacks date back to 2013, when banking trojans were used to replace account numbers copied to the clipboard, but they had some limitations. Cryptocurrency wallets, which are globally accessible and not tied to a specific provider, have since become a preferred target for crypto thieves, because the rising value of cryptocurrencies makes them highly profitable.

Why Is Clipboard Injector Malware Dangerous?

The attack is simple, so what makes it so damaging? This malware causes irreversible money transfers, and for an ordinary user it is very difficult to detect. Unlike traditional malware, which needs a command-and-control channel, clipboard injector malware needs none, which makes it more dangerous and harmful.

Clipboard injectors can stay dormant for a long period, showing no presence or activity, and strike when least expected by replacing the crypto wallet address. Again, unlike traditional malware, which relies on bad infrastructure (blacklisted IPs, domains, etc.), clipboard injectors execute their malicious payload only when a specific external condition is satisfied: the presence of a certain data format in the clipboard.

How Does Clipboard Injector Malware Target Crypto Users?

Recently, malware has been targeting Tor Browser, which is used to access the dark web through the Tor network. This coincides with Russia's ban on the Tor Project's website, despite the country having over 300,000 daily Tor users and being the second-largest country by number of Tor users in 2021.

This news helped malware authors create trojanized app bundles of Tor that were distributed to the Russian-speaking community. Starting from December 2021, some versions of torbrowser_ru.exe were discovered, but it wasn't until August 2022 that a significant increase in the distribution of these malicious files was seen. They were disguised as Tor Browser installers with Russian language packs included in the name.

Tor Browser Trojan (Source: Kaspersky)

When the user downloads the Tor browser from a third party, it initially appears and starts as torbrowser.exe; however, the file has no digital signature and is just a RAR SFX (self-extracting executable) archive.

The contents of the download are:

  • The original Tor application

  • A random password-protected RAR archive

  • A command-line RAR extraction tool with a randomized name

To avoid detection by antivirus solutions that rely on static signatures, the SFX launches the original torbrowser.exe while simultaneously executing the RAR extraction tool on the hidden password-protected RAR archive. Password protection does not defeat sandbox-based detection, but it does evade static signature detection.

The trojanized Tor executable decides the password and the destination where the extraction happens. After being placed in a subdirectory within the current user's AppData directory, the executable file starts a new process and registers itself in the system's autostart.

Most of the time, the dropped executable disguises itself with the original uTorrent icon.

Technical details

The installer's payload is a clipboard-injector malware that is passive and does not communicate. The malware is protected by Enigma Packer v4.0, a commercial software protector, which further complicates analysis.

The Kaspersky researchers found several malware samples and analyzed them. The payload is a simple one: the malware joins the Windows clipboard viewer chain and receives notifications whenever the clipboard data changes. If the clipboard holds text, it examines the content using predefined regular expressions. If it finds a match, it substitutes the matched content with a random address from a pre-configured list.

Malware data hexdump with regular expressions and wallet IDs (Source: Kaspersky)

Some regular expressions observed by Kaspersky researchers, each followed by the address family it matches:

  • bc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s) : Bitcoin

  • (^|\s)[3]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s) : Litecoin/Bitcoin Legacy

  • (^|\s)D[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}($|\s) : Dogecoin

  • (^|\s)0x[A-Fa-f0-9]{40}($|\s) : ERC-20 (i.e. Ethereum, Tether, Ripple, etc.)

  • (^|\s)[LM]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s) : Litecoin Legacy

  • (^|\s)ltc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s) : Litecoin

The malware samples have a large number of potential Bitcoin replacement addresses, making it challenging to blacklist or trace them. Nonetheless, all these addresses were gathered and will be provided as an attachment to this blog for other researchers and investigators to use in their efforts to locate stolen Bitcoin.

A hotkey combination (Ctrl+Alt+F10) makes the malware stop operating and disable itself.

Impact of clipboard injector malware

Although most of the approximately 16,000 detections occurred in Russia and Eastern Europe, the threat has also affected at least 52 countries globally.

After unpacking the malware from Enigma, the researchers estimated the total loss caused by this single malware; their figures are shown in the chart below.

The trend of Amount Stolen using clipboard injector malware (Source: Kaspersky)

MITRE ATT&CK Enterprise Identifiers

  • T1027.002 (Software Packing)

  • T1115 (Clipboard Data)

  • T1204.002 (Malicious File)

  • T1496 (Resource Hijacking)

  • T1557 (Adversary-in-the-Middle)

  • T1608.006 (SEO Poisoning)

IOC


Conclusion

Always download and install software from reliable and trusted vendors. Also, make sure that your system has an antivirus or EDR solution installed.

There is a Notepad trick that helps detect whether a system is compromised. Enter or paste the Bitcoin address bc1heymalwarehowaboutyoureplacethisaddress in Notepad, then press Ctrl+C and Ctrl+V.

If the address changes, the system is likely compromised and may be dangerous to use. It is recommended to scan the system for malware using security software. If you want complete assurance, a compromised system should not be trusted until it is rebuilt.
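As an added example (not code from this article or from Kaspersky), the Notepad trick above and the pattern list from the Technical details section combined into a small Python check: it recognises the six address families with the page's own regular expressions and reports whether a copy/paste round trip swapped an address. The canary is the page's address; the replacement and Ethereum strings are constructed sample data.

```python
import re

# The six patterns listed above (Kaspersky's observations), keyed by the coin
# family the page assigns to each; used here only to recognise addresses.
WALLET_PATTERNS = {
    "Bitcoin": r"bc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s)",
    "Litecoin/Bitcoin Legacy": r"(^|\s)[3]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s)",
    "Dogecoin": r"(^|\s)D[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}($|\s)",
    "ERC-20": r"(^|\s)0x[A-Fa-f0-9]{40}($|\s)",
    "Litecoin Legacy": r"(^|\s)[LM]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s)",
    "Litecoin": r"(^|\s)ltc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s)",
}

# The canary address from the article's Notepad trick, plus constructed sample
# strings standing in for what a compromised clipboard might hand back.
CANARY = "bc1heymalwarehowaboutyoureplacethisaddress"
CONSTRUCTED_REPLACEMENT = "bc1constructedreplacementaddressfortesting00"
SAMPLE_COPIED_ETH = "Pay 0x" + "deadbeef" * 5 + " by Friday"
SAMPLE_PASTED_ETH = "Pay 0x" + "cafebabe" * 5 + " by Friday"


def find_wallet_addresses(text):
    """Return (family, address) pairs for every wallet-looking token in text."""
    hits = []
    for family, pattern in WALLET_PATTERNS.items():
        for match in re.finditer(pattern, text):
            # The patterns consume the surrounding whitespace, so strip it.
            hits.append((family, match.group(0).strip()))
    return hits


def clipboard_substitution_check(copied, pasted):
    """Notepad trick as code: compare what was copied with what came back.

    Returns None for a clean round trip, otherwise a dict naming the address
    family that was swapped and the original and observed values.
    """
    if copied == pasted:
        return None
    before = find_wallet_addresses(copied)
    after = find_wallet_addresses(pasted)
    for (family, original), (new_family, observed) in zip(before, after):
        if original != observed:
            return {"family": family, "expected": original,
                    "observed": observed, "replacement_family": new_family}
    # Text changed but no recognised address did: still worth flagging.
    return {"family": None, "expected": copied,
            "observed": pasted, "replacement_family": None}
```

On a real system, supply `pasted` from the clipboard after pressing Ctrl+C on the canary, for example via tkinter's `Tk().clipboard_get()`.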

In this article, we have covered what clipboard injector malware is and how clipboard injector malware targets users. I hope this content will help in detecting the presence of malware in your system.


Aroma Rose Reji

Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.
