Blockchain & Cryptocurrency , Cryptocurrency Fraud , Endpoint Security

Attackers Use Clipminer Cryptominer to Rake in $1.7M

Cryptomining Attacks Compromise Systems Via Trojanized Downloads, Pirated Software
Attackers Use Clipminer Cryptominer to Rake in $1.7M
Clipminer replaces cryptocurrency wallet addresses with those of the attackers. (Source: Symantec)

Undisclosed attackers have likely stolen $1.7 million by deploying a cryptomining and clipboard hijacking malware on compromised systems, according to researchers at the Symantec Threat Hunter Team.

See Also: Splunk Named a 10-Time Leader in Gartner® Magic Quadrant™ for SIEM

Cryptomining malware, dubbed Clipminer, uses a host system for resources to mine cryptocurrency. Clipboard hijacking refers to the malicious practice of replacing a victim's cryptocurrency address with an address specified by a threat actor to siphon off funds.

The attackers use Trojanized downloads or pirated software to spread the malware, the researchers say.

"The malware arrives on compromised computers as a self-extracting WinRAR archive that drops and executes a downloader in the form of a packed portable executable DLL file with CPL file extension. The dropped file connects to the Tor network to download Clipminer's components," the Symantec researchers say.

What Clipminer Does

Clipminer leverages systems that are already compromised to mine cryptocurrency and modify the clipboard's content to redirect the system users' cryptocurrency transactions to their own.

"On each clipboard update, it scans the clipboard content for wallet addresses, recognizing address formats used by at least a dozen different cryptocurrencies. The recognized addresses are then replaced with addresses of wallets controlled by the attacker. For the majority of the address formats, the attackers provide multiple replacement wallet addresses to choose from," the researchers say.

The malware also uses attacker cryptocurrency wallets whose prefixes match the victim's cryptocurrency address to manipulate the victims into proceeding with the transaction, the researchers say.

The attackers control as many as 4,375 unique wallet addresses, and 3,677 of them are used for three different formats of Bitcoin addresses, the researchers say.

The researchers found 34.3 bitcoins and 129.9 ethers during their investigation of wallets of just these two cryptocurrencies.

But it appears that the attackers also transferred more funds via cryptocurrency tumblers, they say, allowing the attackers to obfuscate the transaction trail. Explaining how cryptocurrency tumblers work, the researchers say that "these services mix potentially identifiable funds with others, so as to obscure the trail back to the fund's original source." They add: "If we include the funds transferred out to these services, the malware operators have potentially made at least $1.7 million from clipboard hijacking alone."

How Clipminer Works

The malware's initial infection chain begins with a "self-extracting WinRAR archive that drops and executes the masqueraded Control Panel file." Next steps include the execution of the dropped file, which the researchers say is a "downloader in the form of a packed portable executable DLL"; downloading and installation of the payload; and connecting to the Tor network to collect details from the affected computer.

Although the v2 Onion services used by the attackers in parts of the execution process have not been supported since 2021, "many of the nodes on the Tor network are yet to be upgraded, which indicates that these services are still reachable," the researchers say.

"The received response is roughly 10MB in size and contains the Clipminer payload, which is used to perform coin mining and clipboard hijacking on the compromised computer," they add.

The payload "monitor[s] keyboard and mouse activity to determine if the machine is in use" and "also appears to monitor running processes, checking for analysis/troubleshooting tools," they say.

According to the researchers, the malware runs the XMRig cryptocurrency miner when the victim machine is in use. They say the attackers may have earlier leveraged a different cryptocurrency miner, and that they perhaps use a different miner when a dedicated GPU is available in the victim system.

Copycat Malware?

Clipminer shares some features with another cryptomining Trojan called KryptoCibule, leading the researchers to believe that Clipminer is either a copycat of the latter or an evolved version.

The researchers found evidence of Clipminer in January 2021 and activity in the malware operators' cryptocurrency wallets from February 2021. They say their findings came months after researchers at the antivirus and firewall service provider ESET discovered KryptoCibule.

"While we cannot confirm if Clipminer and KryptoCibule are one and the same, the design similarities are striking," the Symantec researchers say. "It is possible that following the exposure from ESET's blog, the KryptoCibule actors may have decided to switch things up and launched Clipminer."

Another possibility, which the researchers say is likely, is that a different set of threat actors may have been inspired by KryptoCibule to create Clipminer.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.