Attackers Use Clipminer Cryptominer to Rake in $1.7M
Cryptomining Attacks Compromise Systems Via Trojanized Downloads, Pirated Software
Undisclosed attackers have likely stolen $1.7 million by deploying a cryptomining and clipboard hijacking malware on compromised systems, according to researchers at the Symantec Threat Hunter Team.
The cryptomining malware, dubbed Clipminer, uses a host system's resources to mine cryptocurrency. Clipboard hijacking refers to the malicious practice of replacing a victim's cryptocurrency address with an address specified by a threat actor to siphon off funds.
The attackers use Trojanized downloads or pirated software to spread the malware, the researchers say.
"The malware arrives on compromised computers as a self-extracting WinRAR archive that drops and executes a downloader in the form of a packed portable executable DLL file with CPL file extension. The dropped file connects to the Tor network to download Clipminer's components," the Symantec researchers say.
What Clipminer Does
Clipminer uses systems that are already compromised to mine cryptocurrency and modifies the clipboard's content to redirect the system users' cryptocurrency transactions to wallets the attackers control.
"On each clipboard update, it scans the clipboard content for wallet addresses, recognizing address formats used by at least a dozen different cryptocurrencies. The recognized addresses are then replaced with addresses of wallets controlled by the attacker. For the majority of the address formats, the attackers provide multiple replacement wallet addresses to choose from," the researchers say.
The malware also uses attacker cryptocurrency wallets whose prefixes match the victim's cryptocurrency address to manipulate the victims into proceeding with the transaction, the researchers say.
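The prefix-matching swap described above is also what a defender can look for. The following is an added illustration, not code from Symantec or from the malware: it compares the text a user copied with the current clipboard content, recognizes a small constructed subset of address formats, and flags any address that was replaced by a different one of the same format, reporting how long a prefix the replacement shares with the original.

```python
import re

# Constructed subset of address formats for illustration; the malware is
# reported to recognize formats of at least a dozen cryptocurrencies.
ADDRESS_PATTERNS = {
    "BTC-P2PKH": re.compile(r"\b1[1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    "BTC-P2SH": re.compile(r"\b3[1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    "BTC-bech32": re.compile(r"\bbc1[02-9ac-hj-np-z]{25,62}\b"),
    "ETH": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

def find_addresses(text):
    """Return (format, address) pairs for every wallet address found in text."""
    return [(name, m.group(0))
            for name, pat in ADDRESS_PATTERNS.items()
            for m in pat.finditer(text)]

def common_prefix_len(a, b):
    """Number of leading characters the two strings have in common."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y),
                min(len(a), len(b)))

def check_clipboard_swap(copied, clipboard_now):
    """Flag every address that vanished from the clipboard while another address
    of the same format appeared; record how many leading characters the
    replacement shares with the original (the prefix-matching trick)."""
    after = find_addresses(clipboard_now)
    alerts = []
    for fmt, orig in find_addresses(copied):
        if (fmt, orig) in after:
            continue  # address survived intact; nothing to flag
        for f, repl in after:
            if f == fmt:
                alerts.append({"format": fmt, "original": orig,
                               "replacement": repl,
                               "shared_prefix": common_prefix_len(orig, repl)})
    return alerts

# Constructed sample values (not real wallets).
BTC_ORIG = "1ABCDEFGHJKMNPQRSTUVWXYZabcdefgh"
BTC_SWAP = "1ABCD" + "z" * 27     # shares the first 5 characters with BTC_ORIG
ETH_ORIG = "0x" + "a1b2c3d4" * 5
ETH_SWAP = "0xa1b2" + "f" * 36    # shares the first 6 characters with ETH_ORIG
SAMPLE_COPIED = f"Pay {BTC_ORIG} or {ETH_ORIG}"
SAMPLE_HIJACKED = f"Pay {BTC_SWAP} or {ETH_SWAP}"

if __name__ == "__main__":
    for alert in check_clipboard_swap(SAMPLE_COPIED, SAMPLE_HIJACKED):
        print(alert)
```

In a real deployment the "copied" text would come from the application that placed it on the clipboard and the comparison would run on each clipboard update.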
The attackers control as many as 4,375 unique wallet addresses, and 3,677 of them are used for three different formats of Bitcoin addresses, the researchers say.
The researchers found 34.3 bitcoins and 129.9 ethers when they examined the attackers' wallets for just these two cryptocurrencies.
But the attackers appear to have transferred further funds through cryptocurrency tumblers, which allow them to obfuscate the transaction trail, the researchers say. Explaining how cryptocurrency tumblers work, the researchers say that "these services mix potentially identifiable funds with others, so as to obscure the trail back to the fund's original source." They add: "If we include the funds transferred out to these services, the malware operators have potentially made at least $1.7 million from clipboard hijacking alone."
How Clipminer Works
The malware's initial infection chain begins with a "self-extracting WinRAR archive that drops and executes the masqueraded Control Panel file." Next steps include the execution of the dropped file, which the researchers say is a "downloader in the form of a packed portable executable DLL"; downloading and installation of the payload; and connecting to the Tor network to collect details from the affected computer.
Although the v2 Onion services used by the attackers in parts of the execution process have not been supported since 2021, "many of the nodes on the Tor network are yet to be upgraded, which indicates that these services are still reachable," the researchers say.
"The received response is roughly 10MB in size and contains the Clipminer payload, which is used to perform coin mining and clipboard hijacking on the compromised computer," they add.
The payload "monitor[s] keyboard and mouse activity to determine if the machine is in use" and "also appears to monitor running processes, checking for analysis/troubleshooting tools," they say.
According to the researchers, the malware runs the XMRig cryptocurrency miner when the victim machine is in use. They say the attackers may have earlier leveraged a different cryptocurrency miner, and that they perhaps use a different miner when a dedicated GPU is available in the victim system.
Clipminer shares some features with another cryptomining Trojan called KryptoCibule, leading the researchers to believe that Clipminer is either a copycat of the latter or an evolved version.
The researchers found evidence of Clipminer in January 2021 and activity in the malware operators' cryptocurrency wallets from February 2021. They say their findings came months after researchers at the antivirus and firewall service provider ESET discovered KryptoCibule.
"While we cannot confirm if Clipminer and KryptoCibule are one and the same, the design similarities are striking," the Symantec researchers say. "It is possible that following the exposure from ESET's blog, the KryptoCibule actors may have decided to switch things up and launched Clipminer."
Another possibility, which the researchers say is likely, is that a different set of threat actors may have been inspired by KryptoCibule to create Clipminer.