New Clipper malware variants have emerged, specifically designed to target individuals engaged in cryptocurrency transactions.
During these transactions, it was noted that these variants were successfully replacing users’ credentials with the wallet address of scammers, allowing them to illicitly abscond with the funds being transferred.
The clipper malware variants use the clipboard to copy the data pasted on it. Users are urged not to leave copied crypto wallet credentials including the wallet address on the clipboard.
Details about the Clipper malware variants
Cyble Research and Intelligence Labs (CRIL) found several Clipper malware variants advertised on the Telegram channel of cyber criminals.
These variants included Atlas clipper, Keyzetsu clipper, and KWN clipper among others. Users are likely lured into this campaign through phishing emails.
Atlas clipper malware variant
Atlas clipper had the capacity to store seven crypto wallet addresses and was offered for a reduced cost of $50 from $100 charged previously.
It takes commands from its command and control server on a Telegram channel. The advertisement for this clipper variant read that it can delete itself if needed or after the fraudulent cryptocurrency transaction was completed.
Researchers analyzed the below sample hash (SHA256) – dabc19aba47fb36756dde3263a69f730c01c2cd3ac149649ae0440d48d7ee4cf. It was a 64-bit binary executable complied in the Go programming language.
The clipper variants execute the following commands to perform certain functions.
- OpClipboard() function – To initiate the clipper operation and access the clipboard data.
- GetClipboardFormatAvailable() function – To retrieve clipboard value and check the format of the cryptocurrency wallet address.
- SetClipboardData() function – After finding positive results from the check, the clipper malware replaces the value in the clipboard with a new value.
- CloseClipboard() function – To release the clipboard after the malicious replacement of the clipboard value.
Following the above steps, the Atlas clipper variant deletes the executable file but, continues to stay on the system for further fraudulent transactions desired by the criminals behind it.
In this transaction, the targeted user’s information is sent to the Telegram bot by the Clipper malware. Besides the wallet address, the malware steals the username, hardware ID (HWID), and installation path among other data.
Keyzetsu Clipper malware variant
The Keyzetsu variant of the Clipper malware can store over 12 cryptocurrency wallet addresses and also relies on a Telegram channel for its C2 server. Its 32-bit executable was compiled in .NET and obfuscated.
The Keyzetsu variant was found to sleep in the beginning using the Sleep function. Researchers analyzed that this was to evade detection.
Keyzetsu looks for similar malware variants in the system through a mutex called “2ILdX2JpexVZieT6mPv2i6Jp3HNFPlby.” This helps run only a single instance of the malware on a system.
This variant also looks for clipboard data like the Atlas Clipper malware. Here, the cybercriminal’s wallet address was encrypted with a Base64 encoding and Gzip compression and hardcoded within the malware file.
KWN Clipper malware variant
The has 7bd03cdf8339f0305d41cad6d3156610517160a116ffd8a4f77e91f56f43ec2e was chosen by researchers to understand the workings of the KWN Clipper malware variant.
It was a 64-bit executable file in the Go language. This variant also accessed clipboard information to perform fraudulent transactions.
Mitigation efforts and precautions to prevent cyber attacks via Clipper malware variants
Researchers noted that the Clipper malware functions in tandem with other malware including Coinminer, stealers, and loaders.
CRIL researchers mentioned the following points to maintain safety from similar malware attacks –
- Check the authenticity of the source before submitting cryptocurrency wallet data.
- Change passwords regularly and use a strong password not shorter than 12 characters.
- Opt for high-security login processes including OTPs and multi-factor authentication.
- Keep the software update option to update software automatically.
- Use credible antivirus software and maintain regular checkups to detect and remove malware promptly.
