What is clipper malware?
A clipper malware is a piece of software that once running on a computer will constantly check the content of the user’s clipboard and look for cryptocurrency wallets. If the user copies and pastes the wallet somewhere, it is replaced by another wallet, owned by the cybercriminal.
This way, if an unsuspecting user uses any interface to send a cryptocurrency payment to a wallet, which is generally done by copying and pasting a legitimate destination wallet, it gets replaced by the fraudulent one.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Clipper malware is not a new threat, but it is unknown to most users and companies. The first clipper malware appeared in 2017 on Windows operating systems. Such malware also appeared on the Google Play Store in 2019. That malware impersonated MetaMask, a popular crypto wallet, and aimed at stealing credentials and private keys to steal Ethereum funds from the victims, in addition to changing the wallets in the clipboard to obtain more cryptocurrency.
Clipper attacks work very well because of the length of cryptocurrencies wallets. People transferring cryptocurrencies from their wallet to another rarely check that the copy/paste result is indeed the one that is provided by a legitimate receiver.
What is Keona Clipper?
Researchers from Cyble analyzed a new Clipper malware named Keona Clipper by its developer (Figure A).
Figure A
The malware is sold as a service at the price of $49 for one month.
Keona Clipper was developed in the .NET programming language and protected by Confuser 1.x. This tool protects .NET applications by renaming symbols, obfuscating the control flow, encrypting constant and resources, using protections against debugging, memory dumping, tampering and disabling decompilers, making it harder for reverse engineers to analyze it.
Cyble researchers could identify over 90 different Keona samples since May 2022, showing wide deployment. The difference in those Keona samples might be slight modifications in the code, or just the result of several uses of the Confuser protector, which would generate a different binary each time a sample is submitted to avoid being detected by security solutions based on file signature only.
Keona Clipper’s malware capabilities
Once executed, the malware communicates with an attacker-controlled Telegram bot via the Telegram API. The first communication from the malware to the bot contains a message written in the Russian language which can be translated as “clipper has started on the computer” and contains the username of the user whose account is used by the malware.
The malware also makes sure it will always be executed, even if the computer restarts. To ensure that persistence, the malware copies itself to several locations, including the Administrative Tools folder and the Startup folder. Autostart entries in the Windows registry are also created to ensure the malware is run every time the computer restarts.
Keona Clipper then quietly monitors for any clipboard activity and uses regular expressions to check for any cryptocurrency wallets. Keona Clipper can steal more than a dozen different cryptocurrencies: BTC, ETH, LTC, XMR, XLM, XRP, NEC, BCH, ZCASH, BNB, DASH, DOGE, USDT TRC20 and ADA coins.
If a wallet is found, it is replaced immediately in the clipboard by a wallet address provided by the threat actor.
A screen capture from Cyble shows a Bitcoin wallet controlled by the threat actor. That wallet is tied to 60 transactions, for a total amount of approximately $450 (Figure B).
Figure B
While this amount of money might seem quite small, attackers often use different wallets for several different kinds of cryptocurrencies. This amount should therefore be seen as just one part of the attacker’s financial gain.
How to protect yourself from this threat
A careful check should be done for every payment done in cryptocurrency. Users should visually confirm the wallet used as the destination for the transaction by comparing the result of their copy/paste manipulation to the wallet provided by the seller.
Private keys and seeds for wallets should never be stored unsafely on any device. These should be stored encrypted, if possible, on a separate storage device or on a physical hardware wallet.
Security products should be deployed to detect the threat. Not knowing the initial vector of propagation for Keona, we suspect it might be emails, so e-mail based security needs to be deployed. User awareness should also be raised on email fraud and phishing.
Finally, the operating system and all software running on it should always be kept up to date and patched. In case the malware is dropped and executed on the system via the leveraging of a common exploit, a patched system is very likely to stop the threat.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.