Symantec, part of Broadcom Software, has documented Clipminer, a crypto-mining Trojan that also hijacks clipboard data to steal cryptocurrency and has earned its operators an estimated $1.7 million at minimum. Symantec describes Trojan.Clipminer as bearing similarities to KryptoCibule and notes its Tor-enabled, downloader-heavy infection chain, spread via cracked software.
#Clipminer #KryptoCibule #Tor #OnionService #Bitcoin #Ethereum #XMRig #ClipboardHijacking
Keypoints
- Clipminer is a crypto-mining Trojan (Trojan.Clipminer) that also hijacks clipboard content to redirect cryptocurrency transactions.
- It appears to be spread through Trojanized downloads of cracked or pirated software and arrives as a self-extracting WinRAR archive dropping a packed downloader DLL with a CPL extension.
- The malware connects to the Tor network to fetch its components and to communicate with its operators, including sending machine data to an Onion Service.
- Clipboard hijacking involves replacing wallet addresses in the clipboard with attacker-controlled addresses, with thousands of wallet addresses embedded in the malware.
- The attacker-controlled wallets hold Bitcoin and Ethereum, and some of the funds have been passed through cryptocurrency tumblers to obscure the trail; clipboard theft alone accounts for an estimated $1.7 million in gains.
- Persistence is achieved via RunOnceEx registry keys and scheduled tasks, and the load point is written to directories with inconspicuous names so that it does not attract attention.
- The malware harvests system information, captures screenshots, and uses XMRig (or other miners) to mine when the machine is idle or underutilized, potentially leveraging GPUs as needed.
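The clipboard-hijacking behaviour above (copy a wallet address, get a different address of the same coin back a moment later) is something a host-side monitor can catch. The block below is an added example, not Symantec's or Clipminer's code: it validates Base58Check Bitcoin addresses, recognises bech32 and Ethereum addresses by format, and flags two consecutive clipboard updates where one address is replaced by a different address of the same kind within a short window. The event list, owner process names and the SHA-256-derived HASH160 stand-ins are constructed for the demo; on a real host the events would come from a clipboard listener such as Win32 AddClipboardFormatListener, with GetClipboardOwner supplying the owner.

```python
"""Clipboard wallet-swap detector (added example; constructed sample data)."""
import hashlib
import re

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_RE = re.compile(r"bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}")
ETH_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def b58check_encode(version: int, payload: bytes) -> str:
    """Base58Check-encode version || payload || first 4 bytes of SHA256d."""
    raw = bytes([version]) + payload
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = BASE58[r] + out
    # each leading zero byte is encoded as a leading '1'
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def b58check_decode(addr: str):
    """Return the 25 raw bytes if the checksum verifies, else None."""
    n = 0
    for ch in addr:
        i = BASE58.find(ch)
        if i < 0:
            return None
        n = n * 58 + i
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) != 25:
        return None
    if hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] != raw[21:]:
        return None
    return raw


def address_kind(text: str):
    """Classify clipboard text as a 'btc' or 'eth' address, or None."""
    s = text.strip()
    if ETH_RE.fullmatch(s):
        return "eth"                 # format only; EIP-55 checksum not verified
    if BECH32_RE.fullmatch(s.lower()):
        return "btc"                 # format only; bech32 checksum not verified
    if s[:1] in ("1", "3") and b58check_decode(s) is not None:
        return "btc"                 # P2PKH / P2SH with a verified checksum
    return None


def detect_swaps(events, window: float = 2.0) -> list:
    """Flag consecutive clipboard updates in which an address of one kind is
    replaced by a different address of the same kind within `window` seconds.
    events: iterable of (timestamp_s, text, owner_process)."""
    alerts = []
    prev = None                      # (ts, text, kind)
    for ts, text, owner in events:
        kind = address_kind(text)
        if (prev is not None and kind is not None and kind == prev[2]
                and text.strip() != prev[1].strip() and ts - prev[0] <= window):
            alerts.append({
                "kind": kind, "original": prev[1].strip(),
                "replacement": text.strip(), "owner": owner,
                "delta_s": round(ts - prev[0], 3),
            })
        prev = (ts, text, kind)
    return alerts


# Constructed sample: HASH160 stand-ins derived from SHA-256 so the BTC addresses verify.
LEGIT_BTC = b58check_encode(0x00, hashlib.sha256(b"victim").digest()[:20])
SWAPPED_BTC = b58check_encode(0x00, hashlib.sha256(b"attacker").digest()[:20])
LEGIT_ETH = "0x" + hashlib.sha256(b"victim-eth").hexdigest()[:40]
SWAPPED_ETH = "0x" + hashlib.sha256(b"attacker-eth").hexdigest()[:40]

SAMPLE_EVENTS = [                    # constructed clipboard event stream
    (0.0, "meeting at 10", "explorer.exe"),
    (12.0, LEGIT_BTC, "chrome.exe"),
    (12.4, SWAPPED_BTC, "rundll32.exe"),  # rewritten 0.4 s later by another owner: alert
    (60.0, LEGIT_ETH, "chrome.exe"),
    (60.9, SWAPPED_ETH, "rundll32.exe"),  # same pattern for an ETH address: alert
    (200.0, LEGIT_BTC, "chrome.exe"),
    (260.0, SWAPPED_BTC, "chrome.exe"),   # second address copied a minute later: no alert
    (300.0, LEGIT_ETH, "chrome.exe"),
    (300.5, LEGIT_ETH, "chrome.exe"),     # same value re-copied: no alert
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"[{a['kind']}] {a['original']} -> {a['replacement']} "
              f"(owner {a['owner']}, {a['delta_s']} s)")
```

The time window keeps a user who legitimately copies two different addresses in a row from being flagged, and the owner-process field is what turns a heuristic hit into something worth pulling the process tree for: a clipboard rewrite whose owner is not the application the user was working in is the signal the report describes.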
MITRE Techniques
- [T1204.002] User Execution: Malicious File - the victim runs a Trojanized download of cracked or pirated software. "spread via Trojanized downloads of cracked or pirated software"
- [T1090.003] Multi-hop Proxy - use of Tor to retrieve components and communicate with C2. "The malware then connects to the Tor network."
- [T1115] Clipboard Data - intercept and replace wallet addresses in the clipboard. "The malware then copies the clipboard content and replaces addresses with wallets controlled by the attacker."
- [T1082] System Information Discovery - collect machine details for exfiltration. "It then collects details from the affected computer, as shown in the following example."
- [T1113] Screen Capture - capture desktop screenshots. "1920:1200:[DESKTOP_SCREENSHOT_AS_BASE64_ENCODED_PNG]"
- [T1496] Resource Hijacking - mine cryptocurrency using XMRig when the machine is idle. "Whenever the malware determines that a machine is not in use, it starts the XMRig cryptocurrency miner."
- [T1547.001] Registry Run Keys / Startup Folder - RunOnceEx registry keys used to launch the load point.
- [T1053.005] Scheduled Task - create scheduled tasks for persistence. "It creates scheduled tasks … to execute the load point for persistence."
Indicators of Compromise
- [File hash] bd48b5da093a37cfa5e3929c19ac06ce711bd581bc49040e68d2ba0e5610bf71 - Dropper
- [File hash] 1d31bea6a065fa20cf41861d21b7ea39979d40126c800ebc87d07adb41fe03f4 - Downloader
- [File hash] f49a5a0f2397609a3fb97728b5a997eb77cfa1b529188403fb5e8adaeac1860b - Packed load point
- [File hash] 12e6883046e2c92cbe3b5706ea7f1181b44512f179c7f04e88e75f3f6e392a48 - Downloader
- [File name] rhnoiniye_ni.dll - Packed load point (example file name)
- [File name] imsgt_dvepr.dll - Used in RegAsm.dll path (example file name)
- [URL] http://[HOST_IP_AND_PORT]/tor/status-vote/current/consensus.z - Tor consensus data fetch URL
- [Onion Service] miwia5zo4oxcj7n6:11472 - Example Onion Service endpoint
- [Onion Service] 6lmt3ott62q5pwae:52403 - Example Onion Service endpoint
- [IP Address] 94.75.205.148 - Miner pool endpoint observed in command line
- [IP Address] 179.60.146.9 - Another miner pool endpoint observed in command line
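The two pool IPs were observed in the miner's command line, which makes process command lines (Sysmon event 1, EDR process telemetry) the natural place to hunt for them. The block below is an added example, not Symantec's code: it tokenises Windows command lines, pulls the pool (-o/--url) and wallet (-u/--user) arguments that XMRig accepts, and flags a process when its pool host matches one of the IoC IPs or when miner arguments appear under an image that is not named xmrig. The sample command lines, paths and WALLET_A/WALLET_B strings are constructed; the donate-level heuristic is a common analyst rule of thumb, not something the report states.

```python
"""XMRig command-line hunt against the pool IoCs (added example; constructed samples)."""
import re
from urllib.parse import urlsplit

KNOWN_POOL_IPS = {"94.75.205.148", "179.60.146.9"}   # from the IoC list above
SHORT_TO_LONG = {"o": "url", "u": "user", "p": "pass", "a": "algo"}
VALUE_OPTS = {"url", "user", "pass", "algo", "donate-level", "cpu-max-threads-hint"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # keep quoted paths with spaces as one token


def parse_cmdline(cmdline: str) -> dict:
    """Split a Windows command line into image path and XMRig-style options."""
    toks = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    opts = {}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t.startswith("--") and "=" in t:          # --donate-level=0
            k, v = t[2:].split("=", 1)
            opts[k] = v
            i += 1
        elif t.startswith("-"):                      # -o host:port, --url host:port
            k = SHORT_TO_LONG.get(t.lstrip("-"), t.lstrip("-"))
            if k in VALUE_OPTS and i + 1 < len(toks):
                opts[k] = toks[i + 1]
                i += 2
            else:
                opts[k] = ""
                i += 1
        else:
            i += 1
    return {"image": toks[0] if toks else "", "opts": opts}


def pool_endpoint(url: str):
    """Return (host, port) from 'host:port' or 'stratum+tcp://host:port'."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
        return (parts.hostname, parts.port) if parts.hostname else None
    except ValueError:                               # malformed port
        return None


def assess(cmdline: str) -> dict:
    """Score one process command line; reasons explain every flag raised."""
    parsed = parse_cmdline(cmdline)
    opts = parsed["opts"]
    image = parsed["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    pool = pool_endpoint(opts["url"]) if opts.get("url") else None
    reasons = []
    if pool and pool[0] in KNOWN_POOL_IPS:
        reasons.append(f"pool host {pool[0]} matches a Clipminer IoC")
    if pool and "xmrig" not in image:
        reasons.append(f"miner pool argument under non-XMRig image {image}")
    if opts.get("donate-level") == "0":
        reasons.append("donation disabled (heuristic: common in repackaged miners)")
    return {"image": image, "pool": pool, "wallet": opts.get("user"),
            "suspicious": bool(reasons), "reasons": reasons}


SAMPLE_CMDLINES = [   # constructed; paths and wallet strings are placeholders
    r'"C:\Users\alice\Tools\xmrig-6.16.4\xmrig.exe" -o pool.example.net:3333 -u WALLET_A -p x --donate-level=1',
    r'"C:\Users\alice\AppData\Local\Temp\updater.exe" -o 94.75.205.148:443 -u WALLET_B -p x --donate-level=0 --cpu-max-threads-hint=50',
    r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = assess(line)
        print(f"{r['image']:<14} pool={r['pool']} wallet={r['wallet']} "
              f"suspicious={r['suspicious']} {r['reasons']}")
```

Pool hosts and ports change between campaigns, so the IoC match is the short-lived part of this; the structural checks (stratum-style pool and wallet arguments under an image that is not a miner, and a process that only appears when the machine is idle) survive the next rebuild of the sample.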