This variant of Clipper malware’s deceptive mechanism lies in monitoring the clipboard (a crucial buffer where data is temporarily stored during copy-paste operations). By surreptitiously observing the clipboard’s contents, the clipper identifies any cryptocurrency wallet addresses that the user copies. Once detected, the malware swiftly replaces the legitimate address with the wallet address owned by the TAs, manipulating the transaction outcome to the attacker’s advantage.

Previously, Cyble Research and Intelligence Labs (CRIL) uncovered several Clipper malware variants, including Laplas Clipper, IBAN Clipper, Keona Clipper, and many others. Recently, CRIL has encountered several variants of Clipper malware and observed a significant number of samples related to these variants being submitted to VirusTotal. The observed Clipper malware variants include:

The Atlas Clipper can accommodate seven crypto wallet addresses and was initially priced at $100, but it is currently available at a discounted price of $50. The Atlas Clipper utilizes a Telegram channel for Command and Control (C&C) communication. The figure below shows the TA’s Atlas Clipper advertisement on a Telegram channel with feature details.

Figure 1 – Atlas Clipper advertisement in Telegram channel

We have taken the below sample hash for our analysis: (SHA256) dabc19aba47fb36756dde3263a69f730c01c2cd3ac149649ae0440d48d7ee4cf, which is a 64-bit Go-compiled binary executable file, as shown below.

When executed, the clipper creates a mutex named “YourMutex” to ensure that only a single instance of the malware runs on the victim’s machine at a time. Once the mutex is created, the clipper creates a hidden directory called “YourDir” within the %appdata% location and drops a duplicate of itself within that folder, as shown below.

Figure 3 – Copy of itself file

Following that, the clipper achieves persistence by adding the path of the dropped copy of itself to the system’s Run entry, ensuring it automatically runs when the user logs in.

Figure 4 – Run entry for Atlas Clipper persistence

As an anti-analysis technique, the malware terminates specific processes such as “processhacker.exe,” preventing the monitoring and analysis of its malicious activities.

To carry out the clipper operation, the malware executes the following actions: The Clipper malware initiates the clipper operation by invoking the OpenClipboard() function to gain clipboard access. Then, the malware utilizes the GetClipboardData() API function to retrieve the clipboard value. By employing the IsClipboardFormatAvailable() function, the malware checks if the desired format, such as a specific cryptocurrency wallet address format, is accessible. If the desired format is present, the malware replaces the clipboard content with its malicious data using the SetClipboardData() function. Once the manipulation is complete, the malware calls the CloseClipboard() function to release the clipboard, enabling other applications to access it again.
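The clipboard sequence above has a detectable signature from the defender's side: a wallet-shaped string is replaced by a different wallet-shaped string of the same family within a fraction of a second, far faster than a user can re-copy an address. The following added example (not code from the article or from the Atlas Clipper itself) implements that heuristic. It classifies clipboard text by address shape with constructed regular expressions, scores a timeline of clipboard changes, and includes a read-only Windows clipboard reader built on the same OpenClipboard/IsClipboardFormatAvailable/GetClipboardData/CloseClipboard calls the article names; the sample addresses and timings are constructed for the example, and the 2-second window is an assumed threshold.

```python
import re
import sys
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Address-shape patterns for a few common wallet families (constructed for
# this example). They match the shape of an address, not its checksum
# validity, which is all a clipper needs as well.
ADDRESS_PATTERNS = {
    "BTC-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "BTC-bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_family(text: str) -> Optional[str]:
    """Return the wallet family a clipboard string looks like, or None."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


@dataclass
class ClipboardEvent:
    t: float     # seconds when the clipboard content changed
    text: str    # the new clipboard text


def find_suspicious_swaps(events: List[ClipboardEvent],
                          window_s: float = 2.0) -> List[Tuple[str, str, str]]:
    """Flag consecutive changes where one address is replaced by a different
    address of the same family within window_s seconds (assumed threshold)."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        fam = address_family(prev.text)
        if fam is None or fam != address_family(cur.text):
            continue                       # not an address-for-address swap
        if prev.text.strip() == cur.text.strip():
            continue                       # same address re-copied
        if cur.t - prev.t <= window_s:
            alerts.append((fam, prev.text.strip(), cur.text.strip()))
    return alerts


def read_clipboard_windows() -> Optional[str]:
    """Read CF_UNICODETEXT from the Windows clipboard (read-only; Windows only).
    Same API sequence as the article, without the SetClipboardData() step."""
    import ctypes
    from ctypes import wintypes

    user32, kernel32 = ctypes.windll.user32, ctypes.windll.kernel32
    user32.OpenClipboard.argtypes = [wintypes.HWND]
    user32.IsClipboardFormatAvailable.argtypes = [wintypes.UINT]
    user32.GetClipboardData.argtypes = [wintypes.UINT]
    user32.GetClipboardData.restype = wintypes.HANDLE
    kernel32.GlobalLock.argtypes = [wintypes.HGLOBAL]
    kernel32.GlobalLock.restype = wintypes.LPVOID
    kernel32.GlobalUnlock.argtypes = [wintypes.HGLOBAL]
    CF_UNICODETEXT = 13

    if not user32.OpenClipboard(None):
        return None
    try:
        if not user32.IsClipboardFormatAvailable(CF_UNICODETEXT):
            return None
        handle = user32.GetClipboardData(CF_UNICODETEXT)
        if not handle:
            return None
        ptr = kernel32.GlobalLock(handle)
        try:
            return ctypes.wstring_at(ptr)
        finally:
            kernel32.GlobalUnlock(handle)
    finally:
        user32.CloseClipboard()


def monitor(read_fn: Callable[[], Optional[str]], poll_s: float = 0.1) -> None:
    """Poll the clipboard and print an alert whenever a swap is detected."""
    events: List[ClipboardEvent] = []
    while True:
        text = read_fn()
        if text is not None and (not events or text != events[-1].text):
            events.append(ClipboardEvent(time.monotonic(), text))
            for fam, before, after in find_suspicious_swaps(events[-2:]):
                print(f"[ALERT] {fam} address swapped: {before} -> {after}")
        time.sleep(poll_s)


# Constructed sample timeline: a user copy followed 300 ms later by a
# same-family replacement (clipper behaviour), then ordinary traffic.
USER_BTC = "1TestAddressABCDEFGHJKMNPQRSTUVWXYZ"
SWAPPED_BTC = "1AttackerAddressABCDEFGHJKMNPQRSTU"
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, USER_BTC),
    ClipboardEvent(0.3, SWAPPED_BTC),
    ClipboardEvent(10.0, "meeting notes for Monday"),
    ClipboardEvent(20.0, "0x" + "a" * 40),
    ClipboardEvent(60.0, "0x" + "b" * 40),   # 40 s later: a normal re-copy
]

if __name__ == "__main__":
    if sys.platform == "win32":
        monitor(read_clipboard_windows)
    else:
        for alert in find_suspicious_swaps(SAMPLE_EVENTS):
            print("suspicious swap:", alert)
```

On Windows the script polls the real clipboard; elsewhere it scores the constructed timeline, which flags only the 300 ms BTC replacement and ignores the ETH re-copy 40 seconds later. The reader never calls SetClipboardData(), so the monitor itself cannot alter what the user pasted; to reduce false positives on wallet software that legitimately rewrites the clipboard, widen the check to require that the swapped-in address be one not previously seen in the session.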