
Threat actors are good at refreshing old attack techniques and hunting for new prey. Replacing clipboard content is an attack that has been in use for about a decade, and the technique is still very relevant today.

In this article we look at one such attack: what clipboard injector malware is and how it targets cryptocurrency users.

What is Clipboard Injector Malware?

Clipboard injector malware registers itself with the Windows clipboard viewer chain so that it is notified whenever the clipboard contents change. Each time that happens it checks the clipboard text against a set of predefined regular expressions that describe cryptocurrency wallet addresses; when one matches, the address is replaced with a randomly chosen address from a list the attacker controls. The victim then pastes the attacker's address into the wallet software, and the funds go to the attacker.

These attacks date back to 2013, when banking trojans replaced bank account numbers copied to the clipboard, although that approach had limitations, since bank transfers can be traced and sometimes reversed. Cryptocurrency wallets, which are globally usable and not tied to any provider, have since become the preferred target for crypto thieves: the potential gain is high because of the increased value of cryptocurrencies, and the transfers are final.

Why is clipboard injector malware dangerous?

The attack itself is simple, so where does the damage come from? Cryptocurrency transfers are irreversible, and a normal user has little chance of spotting the swap: the address shown in the wallet is the one they just pasted. Unlike most malware, a clipboard injector needs no command-and-control channel, so there is no network traffic to detect or block, which makes it more dangerous and harmful.

Clipboard injectors can stay dormant for a long time, showing no activity, and strike when least expected by swapping the wallet address. Again unlike traditional malware, which depends on infrastructure that can be blacklisted (IPs, domains and so on), a clipboard injector executes its malicious payload only when an external condition is met: text in a wallet-address format appears in the clipboard. A sandbox that never copies such text never sees the malicious behaviour.

How does clipboard injector malware target crypto users?

The recent campaign described here targets Tor Browser, which is used to browse anonymously through the Tor network and to reach .onion sites. It coincides with Russia's blocking of the Tor Project's website, even though Russia had over 300,000 daily Tor users and was the second-largest country by number of Tor users in 2021.


The block gave malware authors an opening: trojanized Tor Browser bundles were distributed to the Russian-speaking community. Trojanized versions of torbrowser_ru.exe were first seen in December 2021, but distribution of these files did not increase significantly until August 2022. They were disguised as Tor Browser installers with a Russian language pack, which is also reflected in the file name.

Tor Browser Trojan

Tor Browser Trojan (Source: Kaspersky)


When the user downloads this Tor Browser from a third-party site, it starts as torbrowser.exe, but the file carries no digital signature and is simply a RAR SFX (self-extracting executable) archive.

The SFX contains:

  • The original Tor Browser application
  • A password-protected RAR archive with a randomized name
  • A command-line RAR extraction tool, also with a randomized name

To evade antivirus products that rely on static signatures, the SFX launches the original torbrowser.exe and, at the same time, runs the RAR extraction tool against the hidden password-protected archive. The password defeats static signature scanning of the archive contents, although it does nothing against sandbox-based (behavioural) detection, because the payload is extracted and executed anyway.

The trojanized launcher decides the password and the extraction destination. The extracted executable is placed in a subdirectory under the current user's AppData directory, started as a new process, and registered in the system's autostart so that it survives reboots.

To look innocuous, the extracted executable usually carries the icon of a well-known application (uTorrent).
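A static triage check for the installer described above, as an added Python example (not Kaspersky's tooling and not the malware's code): the genuine Tor Browser installer is digitally signed and is not a RAR self-extractor, so two cheap checks on a suspect file are whether the PE even carries a certificate table (the security data directory) and whether a RAR archive marker is appended past the PE headers. The minimal PE images produced by build_sample are constructed for the demonstration; on a real suspect file you would call triage() on the file's bytes. A populated certificate table only says that a signature is present, not that it verifies; use Get-AuthenticodeSignature in PowerShell or signtool verify /pa for the real check.

```python
import struct
from typing import Dict, Optional, Tuple

# Added example, not code from the page, Kaspersky or the malware.
RAR4_MARKER = b"Rar!\x1a\x07\x00"       # RAR 4.x archive signature
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x archive signature
SECURITY_DIRECTORY_INDEX = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY


def has_certificate_table(data: bytes) -> Optional[bool]:
    """True if the PE's security data directory is populated (an Authenticode
    certificate table is present), False if it is empty, None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                       # skip PE\0\0 and COFF header
    if len(data) < opt + 2:
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                            # PE32
        count_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:                          # PE32+
        count_off, dir_off = opt + 108, opt + 112
    else:
        return None
    entry = dir_off + SECURITY_DIRECTORY_INDEX * 8
    if len(data) < entry + 8:
        return None
    if struct.unpack_from("<I", data, count_off)[0] <= SECURITY_DIRECTORY_INDEX:
        return False
    file_offset, size = struct.unpack_from("<II", data, entry)
    return file_offset != 0 and size != 0


def find_appended_rar(data: bytes) -> Optional[Tuple[str, int]]:
    """(format, offset) of a RAR marker found after the MZ header, else None.
    A RAR SFX is a stub executable with the archive appended, so the marker
    sits well past the headers."""
    for fmt, marker in (("RAR5", RAR5_MARKER), ("RAR4", RAR4_MARKER)):
        off = data.find(marker, 2)
        if off != -1:
            return fmt, off
    return None


def triage(data: bytes) -> Dict[str, object]:
    """Summarise the two static checks for one suspect file."""
    return {
        "is_pe": data[:2] == b"MZ",
        "certificate_table": has_certificate_table(data),
        "embedded_rar": find_appended_rar(data),
    }


def build_sample(cert_present: bool, tail: bytes = b"") -> bytes:
    """Construct a minimal PE32 image (headers only) for the demonstration."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    opt[:2] = struct.pack("<H", 0x10B)
    opt[92:96] = struct.pack("<I", 16)            # NumberOfRvaAndSizes
    if cert_present:
        opt[128:136] = struct.pack("<II", 0x4000, 0x1A00)   # placeholder entry
    return bytes(dos) + coff + bytes(opt) + tail


if __name__ == "__main__":
    signed = build_sample(True)
    sfx = build_sample(False, b"\x00" * 64 + RAR5_MARKER + b"\x00" * 32)
    print("signed-looking installer:", triage(signed))
    print("unsigned RAR SFX:        ", triage(sfx))
```

On the trojanized torbrowser.exe described here you would expect certificate_table to be False and embedded_rar to report a marker; on the genuine installer you would expect the opposite, and the signature should then be verified with the platform tools.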

Technical details

The installer's payload is a passive clipboard injector that performs no network communication. It is protected with Enigma Protector v4.0, a commercial software protector, which further complicates analysis.

Kaspersky researchers collected and analysed a number of samples. The payload is simple: the malware joins the Windows clipboard viewer chain and receives notifications whenever the clipboard data changes. If the clipboard holds text, it tests the content against its predefined regular expressions; if one matches, it substitutes the matched address with a random address from a pre-configured list.

Malware data hexdump with regular expressions and wallet IDs (Source: Kaspersky)

Some of the regular expressions observed by Kaspersky researchers are:

  • bc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s) – Bitcoin (bech32)
  • (^|\s)[3]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s) – Litecoin/Bitcoin Legacy
  • (^|\s)D[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}($|\s) – Dogecoin
  • (^|\s)0x[A-Fa-f0-9]{40}($|\s) – Ethereum-format addresses (Ethereum, ERC-20 tokens such as Tether, etc.)
  • (^|\s)[LM]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s) – Litecoin Legacy
  • (^|\s)ltc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s) – Litecoin (bech32)

The (^|\s) and ($|\s) anchors require the address to stand alone in the clipboard or be delimited by whitespace, which is exactly how a user copies an address from a wallet or an exchange page. The patterns check only the shape of the address, not its checksum.

Each sample carries a large number of candidate replacement Bitcoin addresses, which makes blacklisting or tracing them difficult. Kaspersky nevertheless collected all of them and published the list with its report so that other researchers and investigators can use it to trace stolen funds.

A hotkey combination, Ctrl+Alt+F10, makes the malware stop operating and disable itself.


Impact of clipboard injector malware

Although most of the roughly 16,000 detections occurred in Russia and Eastern Europe, the threat was seen in at least 52 countries worldwide.

Trend of Tor Browser trojan detections

After unpacking the samples from Enigma and extracting the attacker wallet lists, the researchers estimated the total loss caused by this single malware family, shown in the chart below.

The trend of Amount Stolen using clipboard injector malware (Source: Kaspersky)

MITRE ATT&CK Enterprise Identifier

  • T1027.002 (Software Packing)
  • T1115 (Clipboard Data)
  • T1204.002 (Malicious File)
  • T1496 (Resource Hijacking)
  • T1557 (Adversary-in-the-Middle)
  • T1608.006 (SEO Poisoning)

IOCs (MD5 hashes)

  • 0b2ca1c5439fcac80cb7dd70895f41a6
  • 0a14b25bff0758cdf7472ac3ac7e21a3
  • cbb6f4a740078213abc45c27a2ab9d1c
  • 0be06631151bbe6528e4e2ad21452a17
  • 1ce04300e880fd12260be4d10705c34f
  • 0533fc0c282dd534eb8e32c3ef07fba4
  • ad9460e0a58f0c5638a23bb2a78d5ad7
  • a2b8c62fe1b2191485439dd2c2d9a7b5
  • a7961c947cf360bbca2517ea4c80ee11
  • 036b054c9b4f4ab33da63865d69426ff
  • 53d35403fa4aa184d77a4e5d6f1eb060
  • 0c4144a9403419f7b04f20be0a53d558
  • 0d571a2c4ae69672a9692275e325b943
  • 05cedc35de2c003f2b76fe38fa62faa5
  • 0251fd9c0cd98eb9d35768bb82b57590
  • c137495da5456ec0689bbbcca1f9855e
  • 037c5bacac12ac4fec07652e25cd5f07
  • 89c86c391bf3275790b465232c37ddf5
  • eaf40e175c15c9c9ab3e170859bdef64
  • 0d09d13cd019cbebf0d8bfff22bf6185

Conclusion

Always download software from the vendor's own site or other trusted sources, and verify the installer's digital signature before running it. Also make sure the system has an antivirus or EDR solution installed.

There is a simple Notepad trick to check whether a system is affected by this family. Enter or paste the "Bitcoin address" bc1heymalwarehowaboutyoureplacethisaddress in Notepad, select it, press Ctrl+C, then press Ctrl+V on a new line.

If the pasted text differs from what you copied, the system is very likely compromised and should not be used for transactions. Scan it with security software; for full assurance, a compromised system should not be trusted until it is rebuilt. Two caveats: the trick works because this family matches on the regular expression alone and does not validate the address, so an injector that checks address validity could leave the fake canary untouched; and an unchanged canary proves only that nothing rewrote this one pattern, not that the system is clean.
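The matching and replacement logic from the Technical details section and the Notepad canary check above, as an added Python example (not Kaspersky's code and not the malware's): the six patterns are the ones listed earlier with their whitespace anchors (\s) restored so they compile; the attacker address, the in-memory clipboard and the sample strings are constructed for the demonstration. On a real Windows host you would pass real clipboard read and write functions to canary_check (for instance pyperclip's copy and paste) instead of the in-memory stand-in.

```python
import re
from typing import Callable, Dict, List, Optional

# Added example, not code from the page, Kaspersky or the malware.  The six
# patterns are the ones Kaspersky reported from the unpacked payload, with the
# whitespace escapes (\s) restored.
ADDRESS_PATTERNS: Dict[str, str] = {
    "Bitcoin (bech32)":        r"bc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s)",
    "Bitcoin legacy/Litecoin": r"(^|\s)[3]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s)",
    "Dogecoin":                r"(^|\s)D[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}($|\s)",
    "Ethereum/ERC-20":         r"(^|\s)0x[A-Fa-f0-9]{40}($|\s)",
    "Litecoin legacy":         r"(^|\s)[LM]{1}[a-km-zA-HJ-NP-Z1-9]{25,34}($|\s)",
    "Litecoin (bech32)":       r"(^|\s)ltc1[a-zA-HJ-NP-Z0-9]{35,99}($|\s)",
}
COMPILED = {name: re.compile(p) for name, p in ADDRESS_PATTERNS.items()}

# The canary Kaspersky suggests: not a valid bech32 address, but it satisfies
# the bc1 pattern (39 characters from the allowed set after "bc1").
CANARY = "bc1heymalwarehowaboutyoureplacethisaddress"

# Constructed placeholder for an attacker-controlled address (not a real one).
ATTACKER_ADDRESSES = {"Bitcoin (bech32)": "bc1" + "q" * 39}


def classify(text: str) -> List[str]:
    """Names of every address pattern that matches somewhere in the text."""
    return [name for name, rx in COMPILED.items() if rx.search(text)]


def inject(text: str, replacements: Dict[str, str]) -> str:
    """Model the injector: swap the first matching address for the attacker's
    address of the same family.  The whitespace the anchors consumed is kept so
    the surrounding text is untouched and the swap is invisible to the user."""
    for name, rx in COMPILED.items():
        m = rx.search(text)
        if m is None or name not in replacements:
            continue
        hit = m.group(0)
        lead = hit[: len(hit) - len(hit.lstrip())]
        trail = hit[len(hit.rstrip()):]
        return text[: m.start()] + lead + replacements[name] + trail + text[m.end():]
    return text


class FakeClipboard:
    """In-memory clipboard.  With an injector attached, every write passes
    through the modelled malware, which is what an infected host looks like."""

    def __init__(self, injector: Optional[Callable[[str], str]] = None) -> None:
        self._data = ""
        self._injector = injector

    def set(self, text: str) -> None:
        self._data = self._injector(text) if self._injector else text

    def get(self) -> str:
        return self._data


def canary_check(set_clipboard: Callable[[str], None],
                 get_clipboard: Callable[[], str]) -> bool:
    """Write the canary, read it back; True means something rewrote it.
    On Windows pass real clipboard functions, e.g. pyperclip.copy/paste."""
    set_clipboard(CANARY)
    return get_clipboard() != CANARY


if __name__ == "__main__":
    clean = FakeClipboard()
    infected = FakeClipboard(lambda t: inject(t, ATTACKER_ADDRESSES))
    for label, text in [("canary", CANARY),
                        ("eth", "pay 0x" + "ab" * 20 + " now"),
                        ("plain", "hello world")]:
        print(f"{label:6} {classify(text)} -> {inject(text, ATTACKER_ADDRESSES)!r}")
    print("clean host altered:   ", canary_check(clean.set, clean.get))
    print("infected host altered:", canary_check(infected.set, infected.get))
```

Because the injector only has a replacement for the Bitcoin family in this example, the Ethereum sample is classified but passes through unchanged; a real sample carries a replacement list for every family it matches.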

In this article we covered what clipboard injector malware is and how it targets cryptocurrency users. I hope it helps you detect the presence of this malware on your systems.
