A crew using malware that performs cryptomining and clipboard-hacking operations have made off with at least $1.7 million in stolen cryptocurrency.
The malware, dubbed Trojan.Clipminer, leverages the compute power of compromised systems to mine for cryptocurrency as well as identify crypto-wallet addresses in clipboard text and replace it to redirect transactions, according to researchers with Symantec’s Threat Intelligence Team.
The first samples of the Windows malware appeared in January 2021 and began to accelerate in their spread the following month, the Symantec researchers wrote in a blog post this week. They also observed that there are several design similarities between Clipminer and KryptoCibule – another cryptomining trojan that, a few months before Clipminer hit the scene, was detected and written about by ESET analysts.
“While we cannot confirm if Clipminer and KryptoCube are one and the same, the design similarities are striking,” the Symantec threat hunters wrote. “It is possible that following the exposure from ESET’s blog, the KryptoCibule actors may have switched things up and launched Clipminer. Another possibility is that different threat actors may have taken inspiration from KryptoCibule and created Clipminer in its image.”
Either way, “one thing is clear,” the researchers wrote, “Clipminer has proven a successful endeavor, earning its operators a considerable amount of money.”
The malware appears to be spread through trojanized downloads of cracked or pirated software. Clipminer drops a WinRAR archive into the host and automatically extracts and drops a downloader in the form of a dynamic link library (DLL). Once executed, it ensures that it will start again if it gets interrupted. It then creates a registry value and renames itself, putting it into a Windows temporary file.
From there the malware collects details of the system and connects back to the command-and-control server (C2) over the Tor network. The malware also creates scheduled tasks to ensure persistence on the infected system and two new directories containing files copied from the host to make it less likely that the malicious files will stand out and obfuscate their existence.
An empty registry key also is created to ensure that same host isn’t infected again.
“On each clipboard update, it scans the clipboard content for wallet addresses, recognizing address formats use by a least a dozen different cryptocurrencies,” the researchers wrote. “The recognized addresses are then replaced with addresses of wallets controlled by the attacker. For the majority of the address formats, the attackers provide multiple replacement wallet addresses to choose from.”
Clipminer picks the address that matches the prefix of the address that’s being replaced, making it less likely the user will notice anything and more likely they will go ahead with the transaction.
The malware also can monitor keyboard and mouse activity to determine if the system is being used and also monitors running processes, checking for analyst and troubleshooting tools, the researchers wrote. If it appears the host system – and some of the troubleshooting tools – are not being used, the malware will crank up the XMRig cryptocurrency miner. The researchers observed there are indications that the bad actors have used other miners in the past and that it is likely a different miner is used when a dedicated GPU is available on the system.
In all, the malware holds 4,375 unique wallet addresses that are controlled by the attackers. Of those, 3,677 addresses are set aside for three formats of Bitcoin addresses. The Symantec researchers looked at the Bitcoin and Ethereum wallet addresses and found at the time that they held about 34.3 Bitcoin and 129.9 Ethereum.
At the same time, some of the funds apparently had been sent to cryptocurrency tumblers – mixing services designed to make it difficult to track the funds.
“These services mix potentially identifiable funds with others, so as to obscure the trail back to the fund’s original source,” they wrote. “If we include the funds transferred out to these services, the malware operators have potentially made at least $1.7 million from clipboard hijacking alone.”
Scott Bledsoe, CEO of data security vendor Theon Technology, told The Register that he isn’t surprised by the amount of money the bad actors made off with.
“I find it totally feasible that they would net millions if the bot was delivered to enough hosts,” Bledsoe said. “This is different in the sense that they’re basically delivering standardized mining software to computers and running it without their knowledge.”
He added that the system is “designed to work this way, assuming that the miners know their machines are running the software. This has happened a number of times in the last decade.” ®