CryptoClippy is Evolving to Pilfer Even More Financial Data

CryptoClippy is evolving beyond simple crypto-wallet theft to target a broader set of Brazilian payment services, using multi-stage delivery and data-exfiltration tactics. The campaign now leverages NSIS installers, PowerShell loaders, and UAC bypass to persist and reach C2, with ongoing enhancements expected to extend its capabilities. Hashtags: #CryptoClippy #PIX #Correios #Brazil #Unit42 #flowmudy

Key Points

  • CryptoClippy is expanding from crypto-wallet theft to reconnaissance and targeting Brazilian payment systems, increasing risk to financial data in Brazil.
  • Initial access uses NSIS installers that masquerade as legitimate applications and include Correios (Brazilian postal service) imagery.
  • The malware operates in multiple stages, including a first-stage NSIS installer, a BAT file, and a second-stage loader delivered via PowerShell, with obfuscation (RC4/XOR).
  • Clipboard theft focuses on cryptocurrency wallets and PIX data, sending stolen content to a C2 server for exfiltration.
  • Persistence and privilege escalation employ a Startup LNK (Reposita) created via a COM shell link method, a Scheduled Task, and UAC bypass using the CMSTPLUA interface.
  • The attackers configure and abuse Remote Desktop capabilities (RDP) to enable remote access, including creating a hidden admin account and lowering RDP security requirements.
  • CryptoClippy uses a C2 infrastructure with domain flowmudy.com and other domains, and deploys loader configurations and payloads from multiple sources.

MITRE Techniques

  • [T1036] Masquerading – The installer attempts to look like a legitimate application. Quote: “The installer attempts to look like a legitimate application…”
  • [T1059.001] PowerShell – The attack chain uses PowerShell to execute decoded payloads. Quote: “One of the PowerShell scripts (Reposita.ps) decodes the loader of the 2nd stage … and injects it into the currently executed process (PowerShell).”
  • [T1021.001] Remote Desktop Protocol – The script configures Remote Desktop settings to enable remote access. Quote: “The third script we decoded is responsible for enabling and setting up a configuration for the Remote Desktop Service… it sets the userAuthentication to 0, which specifies that Network-Level user authentication is not required before the remote desktop connection is established.”
  • [T1136.001] Local Account – The malware creates a new user account and appends it to Winlogon UserList to hide it. Quote: “the script creates a new user account and appends it to: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList.”
  • [T1053.005] Scheduled Task – A scheduled task is created for persistence. Quote: “one of the files creates a scheduled task for persistence, and a BAT file executes the script – the 2nd script dropped by the malware.”
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – The malware bypasses UAC via the CMSTPLUA COM interface. Quote: “If the value is TokenElevationTypeLimited… it will use the CMSTPLUA COM {3E5FC7F9-9A51-4367-9063-A120244FBEC7} interface to bypass UAC and execute the script with elevated permissions.”
  • [T1027] Obfuscated/Compressed Files and Information – RC4/XOR obfuscation used to conceal payloads. Quote: “The payload is encoded with XOR, but the key is shorter.”
  • [T1055] Process Injection – The loader injects the second-stage payload into the PowerShell process. Quote: “injects it into the currently executed process (PowerShell).”
  • [T1082] System Information Discovery – The loader collects endpoint information (OS, computer name, antivirus). Quote: “The script collects information about the endpoint – computer name, the operating system name, display name, architecture, and the name of the antivirus software installed on the endpoint.”
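The hidden-account, RDP, UAC-bypass and Startup-LNK behaviour listed above can be turned into host-level hunting rules. The script below is an added example, not code from the report or from Intezer: it evaluates constructed Sysmon-style events, and the Terminal Server RDP-Tcp registry path is an assumption about where the UserAuthentication setting quoted above is written.

```python
"""Hunting rules for the hidden-account, RDP, CMSTPLUA and Startup-LNK behaviour
described above, run over Sysmon-style events (EVENTS are constructed samples)."""
import re

# UserList and the CMSTPLUA CLSID are quoted in the report; the RDP-Tcp key is
# assumed to be where the UserAuthentication=0 setting it describes is written.
USERLIST_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")
RDP_NLA_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
               r"\WinStations\RDP-Tcp\UserAuthentication")
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)


def dword(details):
    """Value of a Sysmon 'DWORD (0x00000000)' Details string, or None."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details or "")
    return int(m.group(1), 16) if m else None


def classify(event):
    """Names of every rule the event matches (empty list if none)."""
    hits, eid = [], event.get("EventID")
    if eid == 13:  # Sysmon RegistryEvent (Value Set)
        target, value = event.get("TargetObject", ""), dword(event.get("Details"))
        if target.startswith(USERLIST_KEY + "\\") and value == 0:
            hits.append("hidden-local-account")  # account hidden from logon UI
        if target == RDP_NLA_KEY and value == 0:
            hits.append("rdp-nla-disabled")      # Network Level Auth turned off
    elif eid == 1 and CMSTPLUA_CLSID.lower() in event.get("CommandLine", "").lower():
        hits.append("cmstplua-uac-bypass")       # elevated COM object being hosted
    elif eid == 11 and STARTUP_LNK.search(event.get("TargetFilename", "")):
        hits.append("startup-lnk")               # e.g. the Reposita shortcut
    return hits


def hunt(events):
    return [(rule, e) for e in events for rule in classify(e)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed samples; the last one is benign (NLA left enabled)
    {"EventID": 13, "Image": PS, "Details": "DWORD (0x00000000)",
     "TargetObject": USERLIST_KEY + r"\svcadmin"},
    {"EventID": 13, "Image": PS, "Details": "DWORD (0x00000000)", "TargetObject": RDP_NLA_KEY},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe /Processid:" + CMSTPLUA_CLSID},
    {"EventID": 11, "Image": PS, "TargetFilename": r"C:\Users\victim\AppData\Roaming"
     r"\Microsoft\Windows\Start Menu\Programs\Startup\Reposita.lnk"},
    {"EventID": 13, "Image": PS, "Details": "DWORD (0x00000001)", "TargetObject": RDP_NLA_KEY},
]

if __name__ == "__main__":
    for rule, e in hunt(EVENTS):
        print(rule, e.get("TargetObject") or e.get("CommandLine") or e.get("TargetFilename"))
```

On a real host the same rules apply to Sysmon event IDs 1, 11 and 13 exported from the event log; the benign final sample shows that only a UserAuthentication value of 0 fires the RDP rule.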

Indicators of Compromise

  • [Hash] DLL loader – 894ad71e6fea9a5068512a7de5c2b176bc9556acf96284f131614d0e402059dc, 02af8c455fc32e0e79d5b7be2d6349ddc95d747528e328715325947217933dac
  • [Hash] .NET loader – 19f0f8831ef9d561f6dc395eff55d165d614fa06d13a9a3d39b120ef18242f12
  • [Hash] NSIS Installers – Bb242ec30689f12d10986832a8548f23b06a7c1b5988797a48c6237fd51cde49, 0b88fed305f93003c520c9c8d06d93ff8f3530548423efcbc3cdff582c23d66f, and 2 more hashes
  • [Hash] CryptoClippy samples – d2c85de7c763e8d8990d06f78f226fda36443253c63678c7c0e998499f3af61a, 02af8c455fc32e0e79d5b7be2d6349ddc95d747528e328715325947217933dac
  • [Domain] Domains used by the loader – ef0h[.]com/1/, 4a3d[.]com/1/, b3do[.]com/1/, yogarecap[.]com/1/
  • [Domain] Domains used by the malware – nicerypx[.]com, flowmudy[.]com

Read more: https://intezer.com/blog/research/cryptoclippy-evolves-to-pilfer-more-financial-data/