Cyble Research Labs dissected an IBAN Clipper malware that targets Windows by monitoring the clipboard and swapping bank account numbers with the attacker’s data. The malware uses remote fetching of IBANs, multithreading for speed, and persistence via startup folder and Run registry entries to execute on login.
#IBANClipper #CybleResearchLabs
Key points
- IBAN Clipper is a 32-bit .NET-based binary targeting Windows and operates by watching the clipboard for bank account numbers.
- It imports User32.dll and uses AddClipboardFormatListener to monitor clipboard changes.
- The malware uses multithreading for rapid clipper operation and retrieves clipboard content with Clipboard.GetText().
- When an IBAN is found, it replaces it with the attacker’s IBAN, fetched from a remote text file on the attacker’s server.
- Persistence is achieved by copying itself to the startup folder and by adding Run registry values (e.g., Microsoft Store, Skype Web) to auto-run on reboot.
- MITRE-mapped techniques include Clipboard Data, Registry Run Keys, and multiple Credential Access and C2/Data Manipulation techniques.
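As an added defender-side example (not code from the Cyble article), the ISO 13616 mod-97 check that lets a clipper recognise an IBAN in the clipboard is turned around into a detection: a valid IBAN being replaced by a different valid IBAN moments after the user copied it. The clipboard event log, the process names and the 1.5 s window are constructed assumptions, standing in for whatever an endpoint agent records about clipboard changes.

```python
import re
from dataclasses import dataclass

# Compact IBAN: 2-letter country, 2 check digits, 11-30 alphanumerics.
IBAN_RE = re.compile(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}")

def normalize_iban(text):
    """Return the compact, validated IBAN in `text`, or None.
    Whitespace is stripped the way a clipper would; the remainder must be a
    whole IBAN passing the ISO 13616 mod-97 check (A=10 ... Z=35, mod 97 == 1).
    """
    compact = "".join(text.split()).upper()
    if not IBAN_RE.fullmatch(compact):
        return None
    rearranged = compact[4:] + compact[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return compact if int(digits) % 97 == 1 else None

@dataclass
class ClipEvent:
    ts_ms: int     # time the clipboard changed
    process: str   # process that set the clipboard, as reported by the agent
    text: str      # new clipboard content

def detect_swaps(events, window_ms=1500):
    """Flag a valid IBAN replaced by a different valid IBAN within window_ms.
    Users rarely copy two different account numbers within a couple of seconds;
    a clipper rewrites the clipboard milliseconds after the user's copy.
    Returns (ts_ms, process, old_iban, new_iban) tuples.
    """
    alerts = []
    events = sorted(events, key=lambda e: e.ts_ms)
    for prev, cur in zip(events, events[1:]):
        old, new = normalize_iban(prev.text), normalize_iban(cur.text)
        if old and new and old != new and cur.ts_ms - prev.ts_ms <= window_ms:
            alerts.append((cur.ts_ms, cur.process, old, new))
    return alerts

# Constructed sample log (not real telemetry): the user copies a supplier's
# IBAN and an unknown process rewrites it 120 ms later with another valid IBAN.
SAMPLE_EVENTS = [
    ClipEvent(1000, "explorer.exe", "hello"),
    ClipEvent(5000, "chrome.exe", "DE89 3704 0044 0532 0130 00"),
    ClipEvent(5120, "unknown_process.exe", "GB33BUKB20201555555555"),
    ClipEvent(20000, "notepad.exe", "GB82 WEST 1234 5698 7654 32"),  # user copy, benign
    ClipEvent(20500, "notepad.exe", "GB82WEST12345698765433"),  # bad check digits, ignored
]
```

Running `detect_swaps(SAMPLE_EVENTS)` yields one alert for the 5120 ms event; the later pair is ignored because the second value fails the check-digit test, and the 15 s gap before it is outside the window.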
MITRE Techniques
- [T1115] Clipboard Data – The clipper monitors the clipboard and uses the Clipboard.GetText() method to retrieve text data from the clipboard in ASCII Text or UnicodeText format. “The clipper imports the User32 library and uses the AddClipboardFormatListener method to monitor changes in the victim’s clipboard.”
- [T1204] User Execution – Listed under Execution in the article’s MITRE mapping with the label “User Execution”.
- [T1547.001] Registry Run Keys / Startup Folder – The clipper copies itself to the Windows startup folder, causing it to execute automatically when the user logs in. “The clipper adds the following registry values under the key ‘SOFTWARE\Microsoft\Windows\CurrentVersion\Run’.”
- [T1555] Credentials from Password Stores – Part of the Credential Access mapping shown in the MITRE table.
- [T1539] Steal Web Session Cookie – Part of the Credential Access mapping shown in the MITRE table.
- [T1552] Unsecured Credentials – Part of the Credential Access mapping shown in the MITRE table.
- [T1528] Steal Application Access Token – Part of the Credential Access mapping shown in the MITRE table.
- [T1115] Clipboard Data – Reiterated for collection of clipboard content as IBANs are detected and replaced. (Content quoted above)
- [T1071] Application Layer Protocol – The article maps the behavior to C2 activity using an Application Layer Protocol channel. “Application Layer Protocol” appears in the MITRE Techniques section.
- [T1565.002] Data Manipulation: Transmitted Data Manipulation – The clipper manipulates data (IBANs) during transmission by replacing clipboard values. “Data Manipulation: Transmitted Data Manipulation” appears in the MITRE table.
Indicators of Compromise
- [SHA256] Payload – cf12c493db3e63cc7556abf37c4b72dc0b9f2d0673325e4908248621102c9a66
- [SHA1] Payload – ea5959210ba650b918deffd39874eba7b485ac75
- [MD5] Payload – 6a977e7f362dc2d3ee994f91782624d1
Read more: https://blog.cyble.com/2022/08/22/dissecting-iban-clipper/