
Dissecting IBAN Clipper

Threat Actors Striking Back with Financial Malware

In a recent blog, Cyble Research Labs (CRL) highlighted an International Bank Account Number (IBAN) Clipper malware after identifying a Threat Actor (TA) on a cybercrime forum offering clipper malware targeting Windows operating systems as a monthly subscription-based service.

IBAN is an internationally agreed system for identifying a bank account across national borders. Clipper malware monitors a victim’s clipboard and performs unauthorized swapping operations, replacing the copied data with the TA’s data in order to carry out financial theft.

Most clippers target cryptocurrency transactions: the malware swaps the victim’s wallet address with the TA’s address, so that unsuspecting victims send funds to the TA. IBAN Clipper applies the same technique to bank account numbers. The figure below shows the post made by the TA on a cybercrime forum.

Figure 1 – Post on cybercrime forum

Technical Analysis

Sample SHA256: cf12c493db3e63cc7556abf37c4b72dc0b9f2d0673325e4908248621102c9a66

The IBAN Clipper sample analyzed in this blog is a 32-bit .NET-based binary targeting Windows-based operating systems.

Figure 2 – Payload details

The clipper imports user32.dll and calls its AddClipboardFormatListener function to be notified of changes to the victim’s clipboard.

Figure 3 – Importing ‘User32.dll’

IBAN Clipper uses multiple threads so that the swap happens quickly. It reads the clipboard contents using the Clipboard.GetText() method, which returns the clipboard text in the Text (ASCII) or UnicodeText format, depending on the operating system.

Figure 4 – Uses multithreading

The clipper uses the regular expression below to identify an IBAN in the victim’s clipboard:

  • \\b(ES[0-9])[0-9]{20,26}\\b

If an IBAN is identified in the clipboard, the clipper replaces it with the number specified by the TA. The clipper fetches the replacement IBAN from a text file hosted on the TA’s remote server.
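To see what this pattern actually accepts during triage, the following added example (not part of the Cyble write-up) runs the regex over constructed clipboard text and checks every hit against the ISO 13616 MOD 97-10 checksum. It shows that the clipper only reacts to Spanish (ES) IBANs and that its digit range is looser than the 24-character Spanish format; the IBAN values are sample data, not indicators from the report.

```python
import re

# The clipper's pattern as a Python raw string: the doubled backslashes in the
# decompiled string literal are C# escaping for the \b word-boundary anchors.
IBAN_PATTERN = re.compile(r"\b(ES[0-9])[0-9]{20,26}\b")

# Constructed clipboard text: a well-formed Spanish IBAN, a German IBAN that
# the regex ignores, and a Spanish IBAN with a single-digit typo.
SAMPLE_CLIPBOARD = (
    "Transfer to ES9121000418450200051332 by Friday; "
    "old account DE89370400440532013000; "
    "typo ES9121000418450200051333"
)


def iban_checksum_ok(iban):
    """ISO 13616 MOD 97-10 check: move the first four characters to the end,
    map letters to numbers (A=10 ... Z=35) and require a remainder of 1."""
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def scan_clipboard_text(text):
    """Return every candidate the clipper's regex would act on, annotated with
    whether it is a well-formed Spanish IBAN (24 characters, valid checksum)."""
    findings = []
    for match in IBAN_PATTERN.finditer(text):
        candidate = match.group(0)
        findings.append({
            "match": candidate,
            # ES + 2 check digits + 20 BBAN digits; the regex also accepts 23-29 chars
            "length_ok": len(candidate) == 24,
            "checksum_ok": iban_checksum_ok(candidate),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_clipboard_text(SAMPLE_CLIPBOARD):
        print(finding)
```

Note that the checksum only tells you a candidate is well-formed; a replacement IBAN supplied by the TA passes it just as well, so the check is useful for understanding the regex, not for spotting a swap.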

Figure 5 – Retrieves TA’s IBAN from remote servers

Persistence

Our research indicated that the clipper identifies its own executable path using Assembly.GetExecutingAssembly().Location and copies itself into the Windows Startup folder, causing it to execute automatically when the user logs in.

Figure 6 – Persistence of IBAN Clipper malware

The clipper adds the following values under the registry key “SOFTWARE\Microsoft\Windows\CurrentVersion\Run”:

  • Microsoft Store
  • Skype Web

The “Microsoft Store” value contains the path from which the clipper binary was initially executed, and the “Skype Web” value contains the path of the copy placed in the Startup folder in the step above. Entries under the “Run” key are executed automatically by the operating system when the system restarts, so the clipper is launched by two separate mechanisms.

The figure below shows the new values added to the registry key for persistence.

Figure 7 – Values added to registry key to establish persistence
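A hunting check for the persistence described above, written as an added example and not taken from the Cyble analysis: it parses a constructed regedit export of the Run key and flags values that reuse the names reported here, point into the Startup folder, or launch a binary from a user-writable location. The user name and the file name setup.exe in the sample are placeholders, not indicators from the report.

```python
import re

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Value names the analysis above reports the clipper writing under the Run key.
CLIPPER_VALUE_NAMES = {"microsoft store", "skype web"}
STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Constructed .reg export (regedit "Export" format); paths are placeholders.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Microsoft Store"="C:\\Users\\alice\\Downloads\\setup.exe"
"Skype Web"="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\setup.exe"
'''


def exe_path(data):
    """Undo .reg string escaping and isolate the executable path from its arguments."""
    data = data.replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r"(.+?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data


def triage_run_entries(reg_text):
    """Flag Run-key values matching the clipper's names, the Startup folder, or user-writable paths."""
    findings, in_run_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = line.lower().endswith(RUN_KEY.lower() + "]")
            continue
        m = VALUE_LINE.match(line)
        if not (in_run_key and m):
            continue
        path = exe_path(m.group("data"))
        low = path.lower()
        reasons = []
        if m.group("name").lower() in CLIPPER_VALUE_NAMES:
            reasons.append("value name reported for IBAN Clipper")
        if STARTUP_SUFFIX in low:
            reasons.append("Run entry points into the Startup folder (duplicate persistence)")
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reasons.append("binary launched from a user-writable location")
        if reasons:
            findings.append({"name": m.group("name"), "path": path, "reasons": reasons})
    return findings
```

On a live host the same function can be fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; the legitimate OneDrive entry in the sample is left alone because neither its name nor its path trips a rule.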

Conclusion

While CRL continues its active monitoring for emerging threats, we observe multiple TAs developing more malware to carry out financial cybercrime. The IBAN Clipper malware succeeds in redirecting a transaction only if the victim copies the bank account number to the clipboard during that transaction. The TA has also incorporated a feature for retrieving the bank account number from a remote site, which makes the clipper more sophisticated, stealthy, and capable, and lets the TA change the destination account without altering the clipper payload.

Our Recommendations: 

  • Avoid downloading pirated software from warez/torrent websites. “Hack tools” advertised on sites such as YouTube, torrent sites, etc. often carry such malware.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices. 
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez. 
  • Monitor beacons at the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) Solutions on employees’ systems. 

MITRE ATT&CK® Techniques

Tactic               Technique ID   Technique Name
Execution            T1204          User Execution
Persistence          T1547.001      Registry Run Keys / Startup Folder
Credential Access    T1555          Credentials from Password Stores
Credential Access    T1539          Steal Web Session Cookie
Credential Access    T1552          Unsecured Credentials
Credential Access    T1528          Steal Application Access Token
Collection           T1115          Clipboard Data
Command and Control  T1071          Application Layer Protocol
Impact               T1565.002      Data Manipulation: Transmitted Data Manipulation

Indicators of Compromise (IoCs):

Indicator                                                          Indicator type   Description
6a977e7f362dc2d3ee994f91782624d1                                   MD5              Payload
ea5959210ba650b918deffd39874eba7b485ac75                           SHA1             Payload
cf12c493db3e63cc7556abf37c4b72dc0b9f2d0673325e4908248621102c9a66   SHA256           Payload