Security researchers discovered a malicious operation that made at least $1.7 million from cryptocurrency mining and clipboard hijacking. Unearthed by Symantec’s Threat Hunter Team, the malware in the operation, ClipMiner, shares many similarities with the KryptoCibule trojan and may be a copycat of it.
ClipMiner in Detail
Like most trojans, ClipMiner is spread via trojanized downloads of pirated or cracked software. The miner arrives as a self-extracting WinRAR archive that drops and executes a downloader. The downloader is a packed portable executable (PE) DLL with a .CPL file extension, even though it does not follow the Control Panel (CPL) file format. It connects to the Tor network and downloads the miner’s components.
The miner’s capabilities are focused on mining cryptocurrency and on modifying the clipboard’s content in an attempt to redirect users’ crypto transactions. “On each clipboard update, it scans the clipboard content for wallet addresses, recognizing address formats used by at least a dozen different cryptocurrencies,” the report said. These addresses are then replaced with addresses belonging to the threat operators, and for most address formats the malware has multiple replacement addresses to choose from.
From these, ClipMiner chooses a replacement whose prefix matches that of the address being replaced, which makes it highly unlikely that the victim notices the manipulation. According to the findings, the malware uses 4,375 unique wallet addresses, of which 3,677 are used for just three different Bitcoin address formats.
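The replacement pattern described above is also what a defender can look for: a copied wallet address that, a moment later, becomes a different address of the same format and with the same leading characters. The following is an added example, not code from Symantec’s report or from ClipMiner; it assumes a clipboard monitor that logs each update as a (timestamp, text) pair, and the address patterns and the one-second swap window are simplified assumptions for illustration.

```python
import re

# Simplified address-format patterns, constructed for this example (the report says
# ClipMiner recognizes the formats of at least a dozen cryptocurrencies).
ADDRESS_PATTERNS = {
    "btc_p2pkh": re.compile(r"^1[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_p2sh": re.compile(r"^3[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
SWAP_WINDOW_SECONDS = 1.0  # assumed: a hijacker rewrites the clipboard right after the copy

def classify(text):
    """Return the format name if text is a wallet address, else None."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None

def shared_prefix(a, b):
    """Number of common leading characters (ClipMiner picks a prefix-matching replacement)."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))

def find_swaps(updates):
    """Flag consecutive (timestamp_seconds, text) clipboard updates in which an address
    turned into a different address of the same format within SWAP_WINDOW_SECONDS."""
    alerts = []
    for (t0, before), (t1, after) in zip(updates, updates[1:]):
        before, after = before.strip(), after.strip()
        fmt = classify(before)
        if fmt is None or before == after or classify(after) != fmt:
            continue
        if 0 <= t1 - t0 <= SWAP_WINDOW_SECONDS:
            alerts.append({"format": fmt, "original": before, "replacement": after,
                           "shared_prefix": shared_prefix(before, after),
                           "delay": round(t1 - t0, 3)})
    return alerts

# Constructed clipboard history: a copied BTC address is replaced 50 ms later by one
# sharing its first four characters; the two ETH copies 15 s apart are legitimate.
SAMPLE_UPDATES = [
    (0.00, "1AbcDefGhJkLmNpQrStUvWxYz12345678"),
    (0.05, "1Abc9876543211QwErTyUpAsDfGhJkMn"),
    (12.00, "meeting notes for tuesday"),
    (30.00, "0xabcdef0123456789abcdef0123456789abcdef01"),
    (45.00, "0x0123456789abcdef0123456789abcdef01234567"),
]

if __name__ == "__main__": print(find_swaps(SAMPLE_UPDATES))
```

Running it reports one alert for the Bitcoin pair, with a shared prefix of four characters and a 50 ms delay; the Ethereum copies are too far apart to match.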
Analyzing just the Bitcoin and Ethereum wallet addresses, the researchers found that they held approximately 34.3 Bitcoin and 129.9 Ethereum at the time of writing. Some funds have been transferred to cryptocurrency tumblers (mixing services), which blend potentially identifiable funds with others in order to obscure the trail back to the funds’ original source. “If we include the funds transferred out to these services, the malware operators have potentially made at least $1.7 million from clipboard hijacking alone,” the report noted.
The Evolution of Crypto Theft
Separately, it is worth noting that cybercriminals have been adopting new techniques in their cryptomining operations. Wash trading, for instance, is a practice in which the seller is on both sides of a trade, creating a misleading picture of an asset’s value and liquidity.
Other tricks include the following:
- Flash loan attacks – exchange members borrow and then quickly repay funds without any collateral, abusing smart contract features to pump up exchange rates.
- Rug pulls – developers of a new token quickly abandon their project and disappear with the invested funds.
- Chain hopping – moving funds from one cryptocurrency to a series of others in an attempt to obfuscate the transaction trail.