Keypoints
- Attackers used Go-based clip banker variants that are cross-platform friendly and frequently modified while keeping core functionality intact.
- Malware creates a mutex, copies itself to %APPDATA%\Roaming (or the Startup folder), sets hidden attributes, and adds a CurrentVersion\Run registry entry for persistence.
- Execution continues only after authenticating with a Telegram bot (checks API token and expects HTTP 200), which serves as the command-and-control channel.
- The malware retrieves a unique Machine ID from the registry key SOFTWARE\Microsoft\Cryptography to identify victims.
- It continuously reads clipboard contents (via an open-source Go module), uses regex to detect cryptocurrency addresses, replaces found addresses with attacker addresses, and writes the modified content back to the clipboard.
- Victim telemetry (IP, location, MachineId, clipboard content, username, malware path) is sent to the attacker through the Telegram bot and specific chat IDs.
MITRE Techniques
- [T1547.001] Registry Run Keys / Startup Folder – Persistence by creating a CurrentVersion\Run registry entry and copying the sample to the startup folder (‘After copying malware, a CurrentVersion\Run registry is created to run the sample automatically on startup.’).
- [T1056.001] Input Capture: Clipboard Capture – The malware reads and modifies the system clipboard to replace crypto addresses (‘then reads all the clipboard content of the victim’ and writes modified content back to the victims’ clipboard).
- [T1071.001] Application Layer Protocol: Web Protocols – Uses Telegram bot API for authentication and command-and-control communication (‘the malware continues execution if and only if it establishes connection to the Telegram bot with the token in the API for authentication.’ and shows Telegram bot API URLs).
- [T1082] System Information Discovery – Retrieves a unique Machine ID from the registry key SOFTWARE\Microsoft\Cryptography to identify victims (‘the malware first gets the unique Machine ID of the system using registry key SOFTWARE\Microsoft\Cryptography’).
- [T1041] Exfiltration Over C2 Channel – Victim telemetry (IP, location, MachineId, clipboard content, username, etc.) is sent to the attacker via the Telegram bot and chat id (‘the malware forms a message which consists of IP Address, location of malware, MachineId, victim’s clipboard content, Username, etc.’ and sends it to the bot).
Indicators of Compromise
- [File Hashes] Identified malicious binaries – 7819e8b66bbd678d9898a39630c5cb94e1d63b3ffe46b7cf0e9d4477e7ebc9a8, cf58ff751bc10914fca398a2f609114dd24005ac2307435de084488bed63a0a1, and 1 more hash
- [Telegram bot API URLs] C2 / authentication endpoints – https://api.telegram.org/bot6196834985:AAGnbCo052bvVJwExx3QNxYfeNlJP_ULQWo/getMe, https://api.telegram.org/bot6178300689:AAE_Khw1mc6SGGUGoqaAkA7LhctwrtjGxXo/getMe, and 1 more URL
- [Cryptocurrency Addresses] Attacker wallet addresses observed – bc1q8jgyp7qs6j9lstr7em94q4l8rvl7szjnzhtywq, bc1qjddsfqk3hvlr86xgtkazswtux4w8acpqm9mrle, and 1 more address
Go-based clip bankers analyzed by K7 Labs follow a clear execution and persistence flow: the binary creates a mutex to prevent multiple instances, copies itself into %APPDATA%\Roaming (or directly into the Startup folder), marks the file hidden, and registers an autostart Run value under CurrentVersion\Run. Execution proceeds only after validating a Telegram bot token (the sample queries the Telegram API and expects an HTTP 200 response), which the actor uses as a command-and-control channel.
Once active, the malware collects a unique identifier from the registry key SOFTWARE\Microsoft\Cryptography to track infected hosts, then continuously reads the system clipboard via an open-source Go module. It scans clipboard contents with regular expressions to detect cryptocurrency wallet formats, replaces detected addresses with attacker-controlled addresses while leaving surrounding text intact, and writes the modified content back to the clipboard, which enables silent theft when users paste addresses into transactions.
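The clipper's signature is that a clipboard snapshot is rewritten within milliseconds of being set, with the surrounding text untouched and only a wallet address changed. The following added example (my own defender-side code, not from the K7 Labs report or the malware) shows how a clipboard monitor can recognise that pattern: it uses wallet-format regular expressions of the same kind the malware uses for detection, but applies them to a sequence of timestamped clipboard snapshots and flags a rewrite that occurs inside a short window. The regexes, the time window and the snapshot history are assumptions constructed for the example; the two attacker addresses are the ones listed among the IOCs above.

```python
import re

# Wallet-format patterns (constructed for this example; the sample's exact
# regexes are not reproduced on the page). Bech32 excludes the characters
# 1, b, i and o; Base58 excludes 0, O, I and l.
WALLET_PATTERNS = {
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{25,62}\b"),
    "btc_base58": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "eth": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
    "trx": re.compile(r"\bT[a-km-zA-HJ-NP-Z1-9]{33}\b"),
}

# Attacker wallets listed as IOCs in the report.
KNOWN_ATTACKER_ADDRESSES = {
    "bc1q8jgyp7qs6j9lstr7em94q4l8rvl7szjnzhtywq",
    "bc1qjddsfqk3hvlr86xgtkazswtux4w8acpqm9mrle",
}


def extract_addresses(text):
    """Return [(kind, address), ...] for every wallet-looking token in text."""
    found = []
    for kind, pattern in WALLET_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((kind, match.group(0)))
    return found


def mask_addresses(text):
    """Replace every address with a placeholder so two snapshots can be
    compared on their surrounding text alone."""
    for kind, pattern in WALLET_PATTERNS.items():
        text = pattern.sub(f"<{kind}>", text)
    return text


def detect_swaps(snapshots, window_seconds=2.0,
                 known_bad=KNOWN_ATTACKER_ADDRESSES):
    """snapshots: [(seconds, clipboard_text), ...] in observation order.

    An alert is raised when consecutive snapshots differ only in the wallet
    addresses they contain and the change happened within window_seconds.
    A user copying a different address a minute later is not flagged, which
    is the edge case that separates a clipper from normal use.
    """
    alerts = []
    for i in range(1, len(snapshots)):
        prev_t, prev = snapshots[i - 1]
        cur_t, cur = snapshots[i]
        if prev == cur or cur_t - prev_t > window_seconds:
            continue
        prev_addrs, cur_addrs = extract_addresses(prev), extract_addresses(cur)
        if not prev_addrs or not cur_addrs:
            continue
        if mask_addresses(prev) != mask_addresses(cur) or prev_addrs == cur_addrs:
            continue
        # Same structure, same address kinds, different address values.
        for (_, original), (kind, replacement) in zip(prev_addrs, cur_addrs):
            if original != replacement:
                alerts.append({
                    "snapshot": i,
                    "kind": kind,
                    "original": original,
                    "replacement": replacement,
                    "known_attacker": replacement in known_bad,
                    "delay_seconds": cur_t - prev_t,
                })
    return alerts


# Constructed clipboard history: the user copies a payment request, the
# address is rewritten 400 ms later, then unrelated copies follow.
SAMPLE_SNAPSHOTS = [
    (0.0, "Please send 0.05 BTC to bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    (0.4, "Please send 0.05 BTC to bc1q8jgyp7qs6j9lstr7em94q4l8rvl7szjnzhtywq"),
    (30.0, "meeting notes for tuesday"),
    (60.0, "0x52908400098527886E0F7030069857D2E4169EE7"),
    (90.0, "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAE"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(alert)
```

In a live deployment the snapshot list would be fed by a clipboard polling loop; the important design choice is the time window, since a legitimate second copy of a different address happens on a human timescale while a clipper rewrites the clipboard on its own polling interval.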
In parallel, the sample compiles victim telemetry (IP address, location of the malware, MachineId, clipboard content, username, malware path) and posts these details to the attacker-controlled Telegram bot using specific chat IDs. Defenders should look for the listed hashes, Telegram API endpoints, and wallet addresses as IOCs, and monitor for process behaviors that create autostart registry entries, manipulate clipboard data, and perform outbound connections to Telegram API endpoints.
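To turn the monitoring guidance above into something concrete, here is an added triage routine (my own code, not part of the K7 Labs report) that correlates three of the behaviours described on this page per process image: a CurrentVersion\Run value pointing into %APPDATA%\Roaming or the Startup folder, an outbound request to a Telegram Bot API endpoint of the form api.telegram.org/bot<id>:<token>/<method>, and a match against the published file hashes. The event records are a constructed, simplified stand-in for Sysmon-style registry, network and file events; the field names and the two-indicator threshold are assumptions of the example. The Telegram URL and the SHA-256 values are taken from the IOC list above.

```python
import re
from collections import defaultdict

# Telegram Bot API calls carry the bot id and token in the URL path.
TELEGRAM_BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]{20,}/\w+", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE = re.compile(
    r"\\AppData\\Roaming\\|\\Start Menu\\Programs\\Startup\\", re.I)

# SHA-256 hashes published as IOCs in the report.
KNOWN_HASHES = {
    "7819e8b66bbd678d9898a39630c5cb94e1d63b3ffe46b7cf0e9d4477e7ebc9a8",
    "cf58ff751bc10914fca398a2f609114dd24005ac2307435de084488bed63a0a1",
}


def classify_event(event):
    """Return the indicator names a single event matches (possibly none)."""
    hits = []
    if (event["event"] == "registry_set"
            and RUN_KEY.search(event["target"])
            and USER_WRITABLE.search(event["details"])):
        hits.append("run_key_to_user_writable_path")
    if event["event"] == "network" and TELEGRAM_BOT_API.search(event["url"]):
        hits.append("telegram_bot_api")
    if event["event"] == "file_hash" and event["sha256"].lower() in KNOWN_HASHES:
        hits.append("known_clipper_hash")
    return hits


def triage(events, min_indicators=2):
    """Group indicators by process image and return the images worth a look:
    a known hash on its own, or at least min_indicators behaviours together.
    A single Run key from an installer is not enough to raise an alert."""
    per_image = defaultdict(set)
    for event in events:
        for hit in classify_event(event):
            per_image[event["image"]].add(hit)
    return {image: sorted(hits) for image, hits in per_image.items()
            if len(hits) >= min_indicators or "known_clipper_hash" in hits}


# Constructed event sample (assumed schema, not real telemetry).
SUSPECT = "C:\\Users\\alice\\AppData\\Roaming\\WindowsUpdater.exe"
SAMPLE_EVENTS = [
    {"event": "registry_set", "image": SUSPECT,
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdater",
     "details": SUSPECT},
    {"event": "network", "image": SUSPECT,
     "url": "https://api.telegram.org/bot6196834985:AAGnbCo052bvVJwExx3QNxYfeNlJP_ULQWo/getMe"},
    # Legitimate desktop messenger: same vendor, not the Bot API path.
    {"event": "network", "image": "C:\\Program Files\\Telegram Desktop\\Telegram.exe",
     "url": "https://149.154.167.50/api"},
    # Installer registering an autostart under AppData\Local: one weak signal only.
    {"event": "registry_set", "image": "C:\\Windows\\System32\\msiexec.exe",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
    # A dropped file whose hash matches the published IOC list.
    {"event": "file_hash", "image": "C:\\Users\\alice\\Downloads\\wallet_tool.exe",
     "sha256": "CF58FF751BC10914FCA398A2F609114DD24005AC2307435DE084488BED63A0A1"},
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(image, hits)
```

The Run-key check is deliberately narrow (Roaming and the Startup folder, the two locations this sample uses); widening it to AppData\Local would also catch many legitimate updaters, which is why the routine requires a second behaviour before alerting unless a hash match settles the question.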
Read more: https://labs.k7computing.com/index.php/crypto-stealing-clip-bankers-on-the-go/