
New CryptoClippy Malware Targets Portuguese Cryptocurrency Owners

Security researchers uncover a new clipper malware campaign targeting Portuguese speakers.

Meet CryptoClippy

Palo Alto’s Unit 42 team recently uncovered a malicious campaign targeting Portuguese speakers with a type of malware known as a cryptocurrency clipper (clipper malware). This clipper, CryptoClippy, monitors the user’s clipboard and replaces any legitimate cryptocurrency wallet address it finds with one controlled by the threat actor, so that victims unwittingly send their cryptocurrency to the adversary.


Victims have been identified from the manufacturing, IT services, and real estate industries, and likely include personal wallet addresses of those using their work machines, the report noted. To deliver the malware, threat actors employed Google Ads and traffic distribution systems to redirect users to malicious domains that imitate the legitimate WhatsApp Web application. Upon being directed to these domains, victims are tricked into downloading malicious .zip or .exe files that contain the final payload.

How Does a CryptoClippy Attack Happen?

CryptoClippy is spread through SEO poisoning, in which a person searching for “WhatsApp Web” is directed to a threat actor-controlled domain. Once there, victims are asked to download a .zip file with a .lnk file containing malicious scripts. These scripts then initiate a chain of events that installs the clipper malware onto their system. The malware monitors the victim’s clipboard activity for Bitcoin transactions, and if it finds one, it replaces the valid crypto wallet address with one controlled by the threat actor.
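To make the substitution mechanism concrete from the defender's side, here is an added example (not code from the article, from Unit 42, or from the malware) that simulates a clipboard watcher. The user explicitly copies one wallet address; the guard then compares every later clipboard state against that intent and flags a silent replacement by another address of the same kind. The Base58Check routines and the `ClipboardGuard` class are my own constructions, and the two addresses are derived from constant payloads rather than real wallets. It also shows why an address checksum alone is no defence against a clipper: a typo fails the checksum, but the attacker's substituted address is itself valid, so only the comparison with what the user actually copied catches the swap.

```python
import hashlib
import re

# Address shapes. The regexes only gate on form; legacy Bitcoin addresses are
# then checked with Base58Check so typos are rejected but valid swaps are not.
BTC_LEGACY = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")
BTC_BECH32 = re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$")   # bech32 charset; no checksum here
ETH_HEX = re.compile(r"^0x[0-9a-fA-F]{40}$")

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_encode(version: int, payload: bytes) -> str:
    """Base58Check: version byte + payload + first 4 bytes of sha256(sha256(...))."""
    raw = bytes([version]) + payload
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # every leading zero byte is represented by a leading '1'
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def b58check_valid(addr: str) -> bool:
    """True when addr round-trips through Base58Check (checksum and length intact)."""
    try:
        n = 0
        for ch in addr:
            n = n * 58 + B58.index(ch)          # ValueError on a non-base58 char
        raw = n.to_bytes(25, "big")             # 1 version + 20 hash + 4 checksum
    except (ValueError, OverflowError):
        return False
    return b58check_encode(raw[0], raw[1:21]) == addr


def address_kind(text: str):
    """Classify clipboard text as 'btc', 'eth' or None (not a wallet address)."""
    t = text.strip()
    if ETH_HEX.match(t):
        return "eth"
    if BTC_BECH32.match(t):
        return "btc"
    if BTC_LEGACY.match(t) and b58check_valid(t):
        return "btc"
    return None


class ClipboardGuard:
    """Remembers what the user deliberately copied and flags silent swaps.

    In a real tool, user_copied() would be driven by the copy hotkey / context
    menu and clipboard_observed() by a clipboard-change notification; here both
    are called directly to keep the example offline.
    """

    def __init__(self):
        self.intended = None      # last wallet address the user copied
        self.alerts = []          # (intended, observed) pairs

    def user_copied(self, text: str) -> None:
        self.intended = text.strip() if address_kind(text) else None

    def clipboard_observed(self, text: str) -> bool:
        """Return True when the clipboard now holds a different address of the same kind."""
        seen = text.strip()
        if self.intended is None or seen == self.intended:
            return False
        if address_kind(seen) == address_kind(self.intended):
            self.alerts.append((self.intended, seen))
            return True
        return False


def run_demo():
    # Constructed addresses built from constant payloads; not real wallets.
    victim_addr = b58check_encode(0x00, bytes.fromhex("11" * 20))
    swapped_addr = b58check_encode(0x00, bytes.fromhex("22" * 20))
    guard = ClipboardGuard()
    guard.user_copied(victim_addr)
    guard.clipboard_observed(victim_addr)     # unchanged: no alert
    guard.clipboard_observed(swapped_addr)    # replaced by a *valid* address: alert
    return guard.alerts


if __name__ == "__main__":
    for intended, seen in run_demo():
        print(f"clipboard swap: expected {intended}, found {seen}")
```

The design point is that the guard keys on user intent, not on address validity: both addresses in the demo pass Base58Check, which is exactly why wallet software cannot distinguish a clipper's address from the user's by checksum alone.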

What Capabilities Does CryptoClippy Have?

This variant of CryptoClippy is equipped with a range of capabilities that help the malicious actor pursue their cryptocurrency-stealing goals. These include setting up a Remote Desktop Protocol (RDP) backdoor via an RC4-encrypted PowerShell script that uses Windows Management Instrumentation (WMI), Terminal Services registry manipulation, icacls, net commands and log clearing. This gives the attacker persistent access that survives beyond the in-memory payload.

Furthermore, this version is tailored to target Bitcoin and Ethereum wallets, which is unsurprising due to the rising popularity of digital currencies in Latin American countries. At the time of the report, the actor-controlled wallets have registered recent activity: the Bitcoin address has received 0.039954 BTC (equivalent to $982.83) from four separate transactions and the Ethereum address has received 0.110915556631181819 ETH (approx. $186.32) from three different ETH addresses, Unit 42’s report said.

The attackers used a multi-stage attack chain to bypass signature- and heuristic-based security products, relying on obfuscated PowerShell scripts and encoded payloads; this explains the malware’s low detection rate. In fact, VirusTotal shows only a few vendors detecting it.
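Because each of the backdoor steps above is individually common in administration, a useful detection keys on the combination per host rather than on any one command. The following is an added example (not code from the article or from the Unit 42 report): a small Python hunting rule that scores process-creation command lines per host against the artifact types named above (encoded PowerShell, WMI use, the Terminal Services registry change, icacls, net commands, log clearing) and reports hosts that show several of them. The signal patterns (the `fDenyTSConnections` value, `-EncodedCommand`, `wevtutil cl`) are my assumptions about how those steps typically appear in a command line, not indicators from the report, and the log records are constructed.

```python
import re
from collections import defaultdict

# One signal per artifact type the article names. The concrete strings are my
# assumptions about how each step usually appears in a process-creation
# command line (Sysmon EID 1 / Security 4688); they are not IoCs from the report.
SIGNALS = [
    ("encoded_powershell", re.compile(r"powershell[^\n]*\s-(e|ec|enc|encodedcommand)\s", re.I)),
    ("wmi_query", re.compile(r"Get-WmiObject|Get-CimInstance|Invoke-WmiMethod|\bwmic\b", re.I)),
    ("ts_registry_change", re.compile(r"Terminal Server.*fDenyTSConnections", re.I)),
    ("icacls_grant", re.compile(r"\bicacls\b.*/grant", re.I)),
    ("net_add", re.compile(r"\bnet1?\s+(user|localgroup)\b.*\s/add\b", re.I)),
    ("log_clearing", re.compile(r"\bwevtutil\b.*\bcl\b|Clear-EventLog", re.I)),
]


def score_hosts(events, threshold=3):
    """Collect distinct matching techniques per host; return hosts at/above threshold.

    events: iterable of {"host": str, "cmdline": str} records.
    Returns {host: sorted list of technique names} for hosts worth triaging.
    """
    hits = defaultdict(dict)   # host -> technique -> first matching command line
    for ev in events:
        for name, pattern in SIGNALS:
            if name not in hits[ev["host"]] and pattern.search(ev["cmdline"]):
                hits[ev["host"]][name] = ev["cmdline"]
    return {host: sorted(found) for host, found in hits.items() if len(found) >= threshold}


# Constructed sample records. ws01 shows ordinary admin activity that matches a
# single signal; ws07 shows a cluster resembling the post-infection steps described.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "icacls C:\\Shares\\Reports /grant Finance:(OI)(CI)R"},
    {"host": "ws01", "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"},
    {"host": "ws07", "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"host": "ws07", "cmdline": "powershell.exe -c \"Get-WmiObject Win32_ComputerSystem\""},
    {"host": "ws07", "cmdline": "powershell.exe -c \"Set-ItemProperty 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server' -Name fDenyTSConnections -Value 0\""},
    {"host": "ws07", "cmdline": "icacls C:\\ProgramData\\svc /grant Everyone:F"},
    {"host": "ws07", "cmdline": "net localgroup \"Remote Desktop Users\" svc_backup /add"},
    {"host": "ws07", "cmdline": "wevtutil cl Security"},
]


if __name__ == "__main__":
    for host, techniques in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {len(techniques)} RDP-backdoor indicators -> {', '.join(techniques)}")
```

The threshold is what keeps the rule quiet: a lone `icacls` or WMI query on ws01 never fires, while ws07 trips six signals. In production the same grouping would be bounded by a time window and enriched with the parent process, which the constructed records omit.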

Clipper Malware Attacks on the Rise

CryptoClippy is not the only new instance of clipper malware discovered recently in the wild.

Another report, by Kaspersky Lab, uncovered a new cryptocurrency clipper trojan that had been embedded in trojanized installers of the Tor Browser. This malicious software targeted cryptocurrencies such as Bitcoin, Ethereum, Litecoin, Dogecoin, and Monero, resulting in over 15,000 attacks across 52 countries. Russia has been the most affected, owing to the blocking of the Tor Browser there, while the United States, Germany, Uzbekistan, Belarus, China, the Netherlands, the United Kingdom, and France make up the rest of the top 10 countries affected.

Users are estimated to have lost at least US$400,000 as a result of these attacks. The real figure is likely much higher due to unreported attacks that do not involve the Tor Browser.

Milena Dimitrova
