This new malware redirects cryptocurrency payments to wallets controlled by attackers

What is clipper malware?

Clipper malware is software that, once running on a computer, continuously inspects the contents of the user’s clipboard looking for cryptocurrency wallet addresses. When the user copies a wallet address, the malware silently replaces it in the clipboard with an address controlled by the cybercriminal.

This way, when an unsuspecting user sends a cryptocurrency payment, which is usually done by copying the legitimate destination address and pasting it into the wallet interface, the address that is actually pasted is the fraudulent one.

Clipper malware is not a new threat, but it is unknown to most users and businesses. The first clipper malware appeared on Windows in 2017. Such malware also appeared on the Google Play Store in 2019: it masqueraded as MetaMask, a popular crypto wallet, and aimed to steal credentials and private keys in order to drain victims’ Ethereum funds, in addition to swapping wallet addresses on the clipboard to divert further payments.

Clipper attacks work very well because of the length of cryptocurrency wallet addresses. People who transfer cryptocurrency from one wallet to another rarely verify that the pasted address is really the legitimate recipient’s.

What is Keona Clipper?

Cyble researchers have analyzed a new clipper malware that its developer calls Keona Clipper (Image A).

Image A

Image: Cyble. Keona Clipper malware as advertised on a Russian-speaking Dark Web forum.

The malware is sold as a service for $49 per month.

Keona Clipper is developed in .NET and is protected by Confuser 1.x. This tool protects .NET applications by renaming symbols, obfuscating the control flow, encrypting constants and resources, and adding anti-debug, anti-dump, anti-tamper and anti-decompiler measures, all of which complicate analysis by reverse engineers.

Cyble researchers have identified more than 90 different Keona samples since May 2022, which indicates wide use. The differences between these samples could be minor changes to the code, or simply the result of repeated runs of the Confuser protector, which generates a different binary each time a build is produced so as to evade security solutions that rely solely on file signatures.

Keona Clipper malware capabilities

Once executed, the malware communicates with an attacker-controlled Telegram bot via the Telegram API. Its first message to the bot, written in Russian, can be translated as “the clipper has started on the computer” and includes the username of the account under which the malware is running.

The malware also persists across reboots. To achieve this, it copies itself to multiple locations, including the Administrative Tools folder and the Startup folder, and creates autostart entries in the Windows registry so that it is run every time the computer is restarted.

Keona Clipper then discreetly monitors all clipboard activity and uses regular expressions to recognize cryptocurrency wallet addresses. Keona Clipper targets more than a dozen different cryptocurrencies: BTC, ETH, LTC, XMR, XLM, XRP, NEC, BCH, ZCASH, BNB, DASH, DOGE, USDT TRC20 and ADA.

If a wallet is found, it is immediately replaced in the clipboard with a wallet address specified by the threat actor.

A screenshot from Cyble shows a Bitcoin wallet controlled by the threat actor. This wallet is associated with 60 transactions, totaling approximately $450 (Figure B).

Figure B

Image: Cyble. Transaction data for an attacker-controlled Bitcoin wallet.

While this amount may seem quite small, attackers often use different wallets for different cryptocurrencies, so this figure represents only part of the attacker’s financial gain.

Any payment in cryptocurrency requires careful verification. Before confirming a transaction, users must visually check the destination address by comparing what they pasted with the address provided by the merchant.
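The regex-based address matching described above is the same signal a defender can turn around: the following is an added detection example (not Cyble’s or the malware’s code) that classifies clipboard snapshots with wallet-address patterns and flags the telltale case of one address silently becoming another within a couple of seconds of being copied. The clipboard events and addresses are constructed in-line; a real monitor would poll the OS clipboard, and the address patterns are approximations for three of the coins the article lists.

```python
"""Clipboard-swap detector (added example, not code from the article or from
Keona Clipper). Wallet-address regexes select candidate strings, and an
address-to-different-address change within a short window raises an alert."""
import re
from dataclasses import dataclass

# Approximate address shapes for three of the coins named in the article.
WALLET_PATTERNS = {
    "BTC": re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})"),
    "ETH": re.compile(r"0x[a-fA-F0-9]{40}"),
    "XMR": re.compile(r"4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}"),
}

@dataclass
class ClipEvent:
    ts: float   # seconds since the monitor started
    text: str   # clipboard contents observed at that moment

def wallet_type(text):
    """Return the coin label whose pattern the whole string matches, else None."""
    for coin, pat in WALLET_PATTERNS.items():
        if pat.fullmatch(text.strip()):
            return coin
    return None

def detect_swaps(events, window=2.0):
    """Flag an address turning into a different address within `window` seconds.
    A human rarely copies two addresses that fast; a clipper rewriting the
    clipboard right after a copy produces exactly this pattern."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        before, after = wallet_type(prev.text), wallet_type(cur.text)
        if before and after and prev.text != cur.text and cur.ts - prev.ts <= window:
            alerts.append({"at": cur.ts, "coin": after,
                           "copied": prev.text, "became": cur.text})
    return alerts

# Constructed sample: an ETH address rewritten 300 ms after being copied (a swap),
# then two BTC addresses copied 35 s apart by the user (legitimate activity).
SAMPLE_EVENTS = [
    ClipEvent(0.0, "0x" + "ab" * 20),
    ClipEvent(0.3, "0x" + "12" * 20),
    ClipEvent(10.0, "invoice #4412"),
    ClipEvent(12.0, "1ConstructedTestAddressNotRea"),
    ClipEvent(47.0, "3AnotherConstructedTestAddrNotRea"),
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"[{a['at']:.1f}s] {a['coin']} address swapped: {a['copied']} -> {a['became']}")
```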

Private keys and wallet seeds should never be stored insecurely on any device. If possible, these should be stored encrypted on a separate storage device or on a physical hardware wallet.

Security products must be deployed to detect the threat. Keona’s initial infection vector is not known, but email is a likely candidate, so email security controls should be in place and users should be made aware of email fraud and phishing.

Finally, the operating system and any software running on it should always be updated and patched. If the malware is dropped and run on the system through exploitation of a known vulnerability, there is a good chance that a patched system will stop the threat.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.