Cyble Research and Intelligence Labs (CRIL) uncovered an active malware campaign targeting cryptocurrency users, deploying deceptive phishing sites that impersonate Metamask, WazirX, Luno, and Cryptonotify. The campaign uses the XPhase Clipper to intercept and modify crypto wallet addresses via clipboard manipulation, delivered through a multi-stage infection chain including a dropper, VBScript, batch scripts, and a DLL payload.
#XPhaseClipper #Metamask #WazirX #Luno #Cryptonotify #Cyble #CRIL
Keypoints
- CRIL identifies an active malware campaign targeting cryptocurrency users.
- Phishing sites impersonate popular crypto apps (Metamask, WazirX, Luno, Cryptonotify) to lure victims.
- All phishing sites distribute the same clipper payload, named “XPhase Clipper,” to intercept and modify wallet addresses copied by users.
- The infection chain is multi-stage: a zip dropper, a VBScript, a batch script, then a DLL clipper payload.
- The TA targets Indian users via the WazirX phishing site; some domains link to Russia, including a Russian-language Cryptonotify site, and a YouTube channel with cloned content is used to promote the campaign.
- The TA reused domains tied to prior campaigns and used a YouTube account with over 150K subscribers to clone a video, suggesting links to a December 2022 phishing campaign.
MITRE Techniques
- [T1585] Establish Accounts – Uses a YouTube account to spread the malicious URL.
- [T1566] Phishing – The malware reaches users via phishing sites.
- [T1204] User Execution – The user must manually execute the file downloaded from the phishing site.
- [T1059.005] VBScript – Uses Visual Basic Script to execute the batch script.
- [T1059.003] Windows Command Shell – Uses a batch script to execute the clipper payload.
- [T1547.001] Boot or Logon Autostart Execution – Uses Registry run keys.
- [T1036.008] Masquerading – Downloads a file disguised as a legitimate application.
- [T1115] Clipboard Data – Monitors clipboard data and replaces copied crypto addresses with the TA's address.
- [T1657] Financial Theft – Swaps crypto addresses so that funds are transferred to the TA's crypto address.
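The T1115 behaviour above (an address the user copied is silently rewritten a moment later) is what a defender can watch for. The following is an added detection example, not code from the Cyble report or the XPhase sample: it runs a timing heuristic over a clipboard history. The address patterns, the one-second threshold and the event list are constructed assumptions; in production the events would come from a real clipboard monitor.

```python
import re

# Loose address-shape patterns (constructed for this example). A clipper only
# rewrites strings that look like wallet addresses, so the monitor watches for
# exactly those shapes changing underneath the user.
ADDRESS_PATTERNS = {
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
    "btc": re.compile(r"bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
}


def address_type(text):
    """Return 'eth', 'btc' or None depending on what the clipboard text looks like."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return kind
    return None


def detect_swaps(events, max_gap=1.0):
    """events: chronological (timestamp_seconds, clipboard_text) pairs as a
    clipboard monitor would record them. A person does not copy two different
    addresses of the same type within a second; a clipper does exactly that
    (user copy, then a silent rewrite), so that is the heuristic. max_gap is a
    tunable assumption, not a value taken from the sample."""
    alerts = []
    for (prev_ts, prev_txt), (ts, txt) in zip(events, events[1:]):
        kind = address_type(prev_txt)
        if kind is None or address_type(txt) != kind:
            continue  # not two same-type addresses back to back
        if prev_txt.strip() == txt.strip():
            continue  # same value re-copied, nothing was swapped
        if ts - prev_ts <= max_gap:
            alerts.append({"at": ts, "kind": kind,
                           "original": prev_txt, "replacement": txt})
    return alerts


# Constructed clipboard history: a benign copy, an ETH address rewritten
# 300 ms after the user copied it, then two BTC addresses copied 35 s apart.
SAMPLE_EVENTS = [
    (0.0, "meeting notes for tuesday"),
    (10.0, "0x" + "a" * 40),
    (10.3, "0x" + "b" * 40),
    (40.0, "bc1q" + "q" * 38),
    (75.0, "1" + "A" * 33),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"possible clipper swap of {alert['kind']} address at t={alert['at']}s: "
              f"{alert['original']} -> {alert['replacement']}")
```

Only the ETH pair is flagged; the two BTC copies are far enough apart to pass as ordinary user activity.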
Indicators of Compromise
- [URL] Phishing Sites – metamaskapp.space, cryptonotify.ru, wazirxapp.space, lunoapp.space, coinsbot.space and coinbaseapp.space
- [SHA256] Dropper – c69045a04115dabc6fe35ce6429f46f867eba680f3c863ff920daa9d1480e7a1, e116fa2900a6e0f1aa448be9dacd06ffa84f2adb48f03ad5c5b02fb1fb29f0b3, and 6 more hashes
- [SHA256] XPhase Clipper – 3bd57de116ae8a4f7dc69ac6fa73358e2063ea2b9c90fcb5886c3ccd35f5c524 and 2 more hashes
- [IP] Malicious IP – 31.31.198.206
- [Domain] Phishing domains – metamaskapp.space, wazirxapp.space, lunoapp.space, cryptonotify.ru, coinsbot.space, and coinbaseapp.space
- [File] Dropped files – wazirXv23.exe, runsys64.vbs, runsys64.bat, runsys64.dll