Stealing crypto-currency is not new to threat actors. Thinner profit margins from mining makes stealing the coins from wallets more lucrative. One of the common techniques is to scrape the clipboard for wallet addresses and replace them with that of the attacker’s own address. The victim is left with no knowledge of the theft happening.

In this blog, we will be looking at one such CryptoClip hijacker malware, that was generally seen to be spammed out via Discord. Discord is one of the ways to stay in touch with people of a common interest. Hence spamming out CryptoClip hijacker malware to Discord servers that discuss crypto trading, mining would mean the malware reaches people who are actively dealing with crypto currency.

An unsuspecting user could download and execute these binaries. This malware could be spammed out via the traditional e-mail attachment technique too. We found one such malware that had the filename CryptoClipWatcher.exe, probably trying to pose as the safe CryptoClipWatcher tool.

Binary Overview

This binary is .NET compiled

Figure 1: Version info of the malware

This file’s version information and the internal name was spoofed to be like svchost.exe.  Legitimate svchost.exe file would be Microsoft Visual C++ 8 compiled, and not .NET as observed in Figure 1. The file is also signed with a fake digital certificate as shown Figure 3.

Figure 2: Digital Certificate information

The malware uses a simple decryption logic for all its encrypted data. First the encrypted string  and a key ( ‘UUdkUzZTQkFtMXlKTkE3Zw==’)  is decoded in base64 format. Then the decoded string is XORed with the decoded key.  Figure 3 depicts this decryption process.

Figure 3: Code to decrypt/decode

Even the file’s original filename was seen as base64 encoded and XOR encrypted. The decoded value was EjUdI0I8AS0EQS4rOiJfAiM=: crypto clip watcher.  which as mentioned earlier is the name of a legitimate crypto tool.

Figure 4: Original file name

Persistence technique used in this binary file

On statically analyzing the decompiled IL binary we found the reference to a persistence entry in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup where the malware self copies and executes itself under the guise of svchost32.exe. Adds the same filepath to the run entry as well, under the subkey “Host Process for Windows Services” as shown in Figure 5.

Figure 5: Persistence entry in registry

Uses one another standard technique of adding scheduled tasks using cmd.exe.

Figure 6: Process tree of the malware

The self-copied file svchost32.exe is scheduled to be executed every minute by creating a job file as shown in Figure 7.

Figure 7: The previous command line as seen statically in the decompiled binary

Malware Mechanism

This file has 38 crypto wallet addresses of the attacker, few of the shown in Figure 8. This addresses are also encoded with base64 and XORed with the key.

Figure 8: List of crypto currency that are targeted by the malware

Some of the transactions to this wallet are shown below in Figure 9.

Figure 9: Encoded wallet address in decompiled code and decoded address.

A regex pattern(“\b(79|380)[0-9]{9}\b”) is used by this malware to scrape for crypto wallet addresses. Once that is done the malware validates to which currency the scraped wallet is relevant to, using the currency wallet specific regex. These regexes are also encoded as shown in Figure 10.

Figure 10: Currency specific regex encoded/decoded

The user wallet address in the clipboard is replaced with the malware author’s wallet address. The code snippet to find and  replace the clipboard content is shown in Figure 11.

Figure11: Get/Set text from clipboard

We checked one of the attacker’s crypto wallet addresses and found a couple of transactions being made to it,  which roughly translates to about 100$.

Transactions

Figure 12:  Transaction showing transfer of the crypto to the attackers’ wallet address

It is always advisable to download tools or applications from reputable sources and exercise caution while using any such binaries. It is also always advisable to use a security software like K7 Total Security.

Indicators Of Compromise (IOCs) and Detections

Hash                                      3488617002B1652F487D5AD410CB92AF

Detection Name                   Trojan(00545fd01)

Original File Name              crypto clip watcher.exe

Mutex                                   2c092895c2e64adb

Behavior                              suspicious program (ID 700018)

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “CryptoClip Hijacker”