Unit 42 uncovered CryptoClippy, a cryptocurrency clipper that targets Portuguese speakers by watching the clipboard for wallet addresses and replacing them with attacker-controlled addresses. The campaign delivers multi-stage PowerShell loaders via malvertising and uses obfuscation and RC4 encryption to evade defenses, with persistence through startup and scheduled tasks; protections exist in Cortex XDR and DNS filtering for Palo Alto Networks devices. #CryptoClippy #WhatsAppWeb #tunneldrive.com #mydigitalrevival.com #BTC #ETH
Keypoints
- CryptoClippy is a cryptocurrency clipper that monitors the clipboard and replaces wallet addresses with attacker-controlled addresses.
- The campaign uses malvertising and traffic distribution systems (TDS) to redirect Portuguese-speaking users to malicious domains spoofing WhatsApp Web.
MITRE Techniques
- [T1189] Drive-by Compromise – Delivery via malvertising leading Portuguese-speaking users to attacker domains; “SEO poisoning … threat actor-controlled domain.”
- [T1059.001] PowerShell – Stage 1/Stage 2 loaders executed via obfuscated PowerShell scripts (e.g., “The first PowerShell script loader … The Ricoly.ps1 script’s purpose is to decrypt the second-stage obfuscated/encrypted script ps.”).
- [T1055] Process Injection – Loader injects its stealer into svchost.exe; “inject its stealer component into svchost.exe.”
- [T1027] Obfuscated/Compressed Files and Information – Use of obfuscated/encrypted payloads and encoded payloads; “obfuscated PowerShell scripts and encoded payloads.”
- [T1047] Windows Management Instrumentation – Script contains elements of WMI; “This script contains elements of Windows Management Instrumentation (WMI).”
- [T1021.001] Remote Services – RDP backdoor established via RC4-encrypted PowerShell script; “Remote Desktop Protocol (RDP) backdoor …”
- [T1053] Scheduled Task – Persistence via scheduled task execution (e.g., “gains persistence by creating a scheduled task.”).
- [T1112] Modify Registry – Registry modifications related to terminal services; “registry modifications of terminal services.”
- [T1136] Create Account – Local account creation as part of backdoor/persistence; “local account creation.”
- [T1056] Input Capture – Clipboard monitoring and manipulation via SetWinEventHook and clipboard APIs; “setup event hooks … clipboard data.”
- [T1071.001] Web Protocols – C2 communications over web protocols; “communicate with C2 servers.”
- [T1564.001] Hide Artifacts – Anti-analysis and obfuscation to evade detection; “obfuscated PowerShell scripts and encoded payloads.”
Indicators of Compromise
- [File Name] context – WhatsApp-RKQT.lnk, WhatsApp.Zip, Ricoly.bat, Ricoly.ps1, ps.ps1, sc, pf, Tozzia.bat, Tozzia.ps1 (and other deobfuscated variants)
- [Hash] context – 7db350f9ec3adb2b7f9a3e9e58c69112b5a7e2ed0337a1c4ac55c9a993116f5c, 15f9645e5621e87c96aa6c3497dde36ba83ec80d5f8f43c7cd809e8a636444e5, and 2 more hashes
- [Domain] context – tunneldrive.com, mydigitalrevival.com, and 4 more domains (e.g., preflightdesign.com, pickconferences.com, hollygap.com, yogasmob.com)
- [IP Address] context – 104.21.7.130:80, 172.67.160.80:80, 172.67.134.21:443, 104.21.5.250:443
- [Wallet Address] context – 0xdB055877e6c13b6A6B25aBcAA29B393777dD0a73, 1MVUhqKLr8eEDazESmxxc4mvu6YTaMudMF
- [Other] context – Ricoly.lnk, WhatsApp.zip, Tozzia.ps1, Tozzia.bat, pf, sc, sc_embedded_payload
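The indicators above are only useful once they are matched against telemetry. The following is an added example, not code from Unit 42 or from the report, that loads the domains, IPs, hashes, wallet addresses and file names listed on this page and scans log lines for them; it also implements the one behavioural check that catches a clipper regardless of indicators, namely a wallet-shaped address going into the clipboard and a different wallet-shaped address coming out. The Sysmon-style lines and the clipboard line in SAMPLE_LOGS are constructed for the demonstration and the field layout is an assumption, not a real EDR format.

```python
"""Matcher for the CryptoClippy indicators listed on this page (added example)."""
import re
from typing import Dict, List, Tuple

# Indicators transcribed from the IoC list above (Unit 42 report).
IOC_DOMAINS = {"tunneldrive.com", "mydigitalrevival.com", "preflightdesign.com",
               "pickconferences.com", "hollygap.com", "yogasmob.com"}
IOC_IPS = {"104.21.7.130", "172.67.160.80", "172.67.134.21", "104.21.5.250"}
IOC_HASHES = {
    "7db350f9ec3adb2b7f9a3e9e58c69112b5a7e2ed0337a1c4ac55c9a993116f5c",
    "15f9645e5621e87c96aa6c3497dde36ba83ec80d5f8f43c7cd809e8a636444e5",
}
IOC_WALLETS = {"0xdB055877e6c13b6A6B25aBcAA29B393777dD0a73",
               "1MVUhqKLr8eEDazESmxxc4mvu6YTaMudMF"}
IOC_FILENAMES = {"whatsapp-rkqt.lnk", "whatsapp.zip", "ricoly.bat", "ricoly.ps1",
                 "ps.ps1", "tozzia.bat", "tozzia.ps1"}

# Token shapes. ETH addresses are compared case-insensitively (EIP-55 casing
# varies in the wild); BTC base58/bech32 addresses are case-sensitive.
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b")
SHA256_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")
FILENAME_RE = re.compile(r"[\w.-]+\.(?:lnk|zip|bat|ps1)\b", re.IGNORECASE)


def _norm_wallet(addr: str) -> str:
    return addr.lower() if addr.startswith("0x") else addr


IOC_WALLETS_NORM = {_norm_wallet(w) for w in IOC_WALLETS}


def find_wallet_addresses(text: str) -> List[str]:
    """All wallet-shaped tokens in text, ETH ones lower-cased, in order of appearance."""
    hits = [(m.start(), _norm_wallet(m.group())) for m in ETH_RE.finditer(text)]
    hits += [(m.start(), m.group()) for m in BTC_RE.finditer(text)]
    return [addr for _, addr in sorted(hits)]


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Known IoCs present in one log line, as sorted (category, indicator) pairs."""
    hits = set()
    lowered = line.lower()
    for dom in IOC_DOMAINS:  # also matches subdomains of a listed domain
        if re.search(r"(?<![\w-])" + re.escape(dom) + r"(?![\w-])", lowered):
            hits.add(("domain", dom))
    for ip in IOC_IPS:
        if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
            hits.add(("ip", ip))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_HASHES:
            hits.add(("hash", digest.lower()))
    for addr in find_wallet_addresses(line):
        if addr in IOC_WALLETS_NORM:
            hits.add(("wallet", addr))
    for name in FILENAME_RE.findall(line):
        if name.lower() in IOC_FILENAMES:
            hits.add(("filename", name.lower()))
    return sorted(hits)


def scan_lines(lines: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map line index -> IoC hits, for lines that have at least one hit."""
    result: Dict[int, List[Tuple[str, str]]] = {}
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            result[i] = hits
    return result


def clipboard_swap_suspected(copied: str, pasted: str) -> bool:
    """The clipper's tell-tale (T1056 above): the user copied one wallet-shaped
    address and a different wallet-shaped address came back out of the clipboard."""
    before = find_wallet_addresses(copied)
    after = find_wallet_addresses(pasted)
    return bool(before) and bool(after) and before[0] != after[0]


# Constructed Sysmon-style lines for the demonstration; not real telemetry,
# and the field layout is an assumption.
SAMPLE_LOGS = [
    r"EID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r'CommandLine="powershell -w hidden -ep bypass -File C:\Users\ana\Downloads\Ricoly.ps1"',
    "EID=22 QueryName=tunneldrive.com QueryResults=104.21.7.130",
    r"EID=1 Image=C:\Windows\explorer.exe CommandLine=explorer.exe",
    r"EID=11 TargetFilename=C:\Users\ana\Downloads\WhatsApp.zip "
    "Hashes=SHA256=7db350f9ec3adb2b7f9a3e9e58c69112b5a7e2ed0337a1c4ac55c9a993116f5c",
    "clipboard updated by pid 4120 (svchost.exe): 0xdb055877e6c13b6a6b25abcaa29b393777dd0a73",
]

if __name__ == "__main__":
    for idx, hits in scan_lines(SAMPLE_LOGS).items():
        print(f"line {idx}: {hits}")
```

The exact-match sets catch this campaign; the clipboard comparison catches the technique, which is what survives an attacker rotating wallets and domains. The BTC regex is deliberately loose (any base58 token of the right length starting with 1 or 3), so treat a wallet-shape hit on its own as context, and a hit against IOC_WALLETS as an alert.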
Read more: https://unit42.paloaltonetworks.com/crypto-clipper-targets-portuguese-speakers/