- Jul 27, 2015
A crew using malware that performs cryptomining and clipboard-hijacking operations has made off with at least $1.7 million in stolen cryptocurrency.
The malware, dubbed Trojan.Clipminer, leverages the compute power of compromised systems to mine for cryptocurrency, and also identifies crypto-wallet addresses in clipboard text and replaces them to redirect transactions, according to researchers with Symantec's Threat Intelligence Team. The first samples of the Windows malware appeared in January 2021 and their spread began to accelerate the following month, the Symantec researchers wrote in a blog post this week. They also observed several design similarities between Clipminer and KryptoCibule – another cryptomining trojan that, a few months before Clipminer hit the scene, was detected and written about by ESET analysts.
The malware appears to be spread through trojanized downloads of cracked or pirated software. Clipminer drops a WinRAR archive into the host and automatically extracts and drops a downloader in the form of a dynamic link library (DLL). Once executed, it ensures that it will start again if it gets interrupted. It then creates a registry value and renames itself, putting it into a Windows temporary file.
From there the malware collects details of the system and connects back to the command-and-control (C2) server over the Tor network. The malware also creates scheduled tasks to ensure persistence on the infected system, along with two new directories filled with files copied from the host so that the malicious files are less likely to stand out. An empty registry key is also created to ensure that the same host isn't infected again. "On each clipboard update, it scans the clipboard content for wallet addresses, recognizing address formats used by at least a dozen different cryptocurrencies," the researchers wrote. "The recognized addresses are then replaced with addresses of wallets controlled by the attacker."
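The clipper behaviour quoted above can be checked for from the defender's side: record what the user copied, read the clipboard back, and flag any wallet address that has been silently swapped for a different address of the same format. The following is an added example written for this article, not Symantec's or the malware's code; it recognises only three address formats (Bitcoin legacy, Bitcoin bech32, Ethereum) rather than the dozen-plus the researchers describe, and the addresses and clipboard text are constructed samples.

```python
import re
from typing import Dict, List, Tuple

# Address formats recognised by this example (Clipminer handles far more).
WALLET_PATTERNS: Dict[str, re.Pattern] = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b"),
    "eth": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
}


def find_wallet_addresses(text: str) -> List[Tuple[str, str]]:
    """Return (format, address) pairs found in text, in order of appearance."""
    hits = []
    for fmt, pat in WALLET_PATTERNS.items():
        for m in pat.finditer(text):
            hits.append((m.start(), fmt, m.group(0)))
    hits.sort()  # order by position in the text
    return [(fmt, addr) for _, fmt, addr in hits]


def detect_clipper_swap(copied: str, clipboard_now: str) -> List[Tuple[str, str, str]]:
    """Compare what the user copied with what the clipboard currently holds.

    Returns (format, original, replacement) for every address that was
    replaced by a different address of the same format, which is the
    clipper signature described in the article. A changed address count
    is not flagged here; only position-wise same-format swaps are.
    """
    before = find_wallet_addresses(copied)
    after = find_wallet_addresses(clipboard_now)
    swaps = []
    for (fmt_b, addr_b), (fmt_a, addr_a) in zip(before, after):
        if fmt_b == fmt_a and addr_b != addr_a:
            swaps.append((fmt_b, addr_b, addr_a))
    return swaps


# Constructed sample data: a legitimate payee address, an "attacker" address
# of the same format, and the clipboard text before and after tampering.
ADDR_USER = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
ADDR_ATTACKER = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
ETH_SAMPLE = "0x" + "ab12" * 10
USER_COPIED = f"Pay invoice #42 to {ADDR_USER} thanks"
CLIPBOARD_AFTER_CLIPPER = USER_COPIED.replace(ADDR_USER, ADDR_ATTACKER)

if __name__ == "__main__":
    for fmt, orig, new in detect_clipper_swap(USER_COPIED, CLIPBOARD_AFTER_CLIPPER):
        print(f"ALERT: {fmt} address {orig} was swapped for {new}")
```

In a real monitor the "copied" text would come from a hook on the user's copy action and `clipboard_now` from polling the clipboard, so that a change without a corresponding user copy is the event worth alerting on.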