AvD crypto stealer is a disguised Clipper variant that reads and edits clipboard content to swap crypto wallet addresses. The actor offers one month of free access to attract more users, primarily other threat actors, and claims support for six chains. #AvDcryptoStealer #Clipper
Keypoints
- New malware named “AvD crypto stealer” appears on a cybercrime forum but is a disguised Clipper that can read and edit text copied by the victim to steal crypto wallet information.
- The threat actor offers one month of free access to entice more individuals to use the tool, aiming at other threat actors as a primary audience.
- Claims support for six chains: Ethereum, Binance Smart Chain, Fantom, Polygon, Avalanche, and Arbitrum.
- The clipper targets clipboard content by replacing copied crypto addresses with attacker-controlled addresses, risking incorrect transfers if victims don’t verify addresses.
- Technical details include a self-extracting installer, a .NET payload, and a process flow that uses clipboard monitoring and regex to identify addresses.
- Persistence is established by copying the binary into the startup location; the clipboard component also logs data to a URL held in the Addresses class.
- MITRE ATT&CK mapping includes Phishing, User Execution, Boot/AutoStart, Clipboard Data, and Exfiltration Over Web Service as described in the article.
MITRE Techniques
- [T1566] Phishing – The TA entices potential victims with one month of free access on a cybercrime forum to attract users. Quote: “The TA is providing one month of free access to entice more individuals to use it.”
- [T1204] User Execution – The malware starts from an installation file described as a Self-Extracting archive. Quote: “The execution of malware starts from an installation file, which is Self-Extracting.”
- [T1547] Boot or Logon AutoStart Execution – The malware copies itself into the startup location to establish persistence. Quote: “After creating the mutex, the malware copies itself into the startup location to establish its persistence and executes ClipboardNotification.NotificationForm()”
- [T1115] Clipboard Data – The clipper monitors the clipboard, extracts data, and replaces crypto addresses. Quote: “The malware extracts the data from the clipboard and then uses a regular expression to find the crypto addresses. If there’s a match, the malware replaces the address with one specified by TA.”
- [T1567] Exfiltration Over Web Service – The clipboard component also sends data for logging to a URL in the Addresses class. Quote: “Clipboard is also responsible for sending the data for logging purposes to the URL present in the Addresses class.”
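The clipboard-swap behaviour described in the Keypoints and under T1115 above can be detected from the defender's side by recording what the user actually copied and comparing it with what the clipboard later holds. The following is an added illustration, not code from the Cyble report or from the malware itself; it assumes the EVM-style address format (0x plus 40 hex characters) shared by the six chains named, and the event labels `user_copy` and `poll`, the `ClipboardEvent` type and the sample addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

# All six chains named in the report (Ethereum, BSC, Fantom, Polygon, Avalanche,
# Arbitrum) use EVM-style addresses: "0x" followed by 40 hex digits. One regex
# therefore covers every chain the tool claims to support. (Assumption for this
# example; the report does not publish the clipper's own pattern.)
EVM_ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


@dataclass
class ClipboardEvent:
    """One observation of the clipboard (hypothetical type for this example).

    source: "user_copy" when the user pressed copy, "poll" for a periodic
            read of the clipboard by a monitoring agent.
    """
    source: str
    content: str


def extract_addresses(text: str) -> list[str]:
    """Return every EVM-style address found in the text, in order."""
    return EVM_ADDRESS_RE.findall(text)


def detect_swaps(events: list[ClipboardEvent]) -> list[tuple[str, str]]:
    """Flag clipboard reads whose address differs from what the user last copied.

    A clipper never generates a copy event of its own; it rewrites the buffer
    between the user's copy and paste. So an address that changes between a
    user_copy and a later poll, with no user_copy in between, is the signal.
    Returns (original, replacement) pairs.
    """
    alerts: list[tuple[str, str]] = []
    last_user_addrs: list[str] = []
    for ev in events:
        addrs = extract_addresses(ev.content)
        if ev.source == "user_copy":
            last_user_addrs = addrs          # new baseline set by the user
        elif last_user_addrs and addrs and addrs != last_user_addrs:
            alerts.append((last_user_addrs[0], addrs[0]))
            last_user_addrs = addrs          # report each swap once
    return alerts


# Constructed sample addresses and event sequence (not real wallets).
ADDR_A = "0x1111111111111111111111111111111111111111"
ADDR_B = "0x2222222222222222222222222222222222222222"

SAMPLE_EVENTS = [
    ClipboardEvent("user_copy", "hello world"),              # non-address copy
    ClipboardEvent("poll", "hello world"),                   # unchanged, no alert
    ClipboardEvent("user_copy", f"pay {ADDR_A} please"),     # user copies a wallet
    ClipboardEvent("poll", f"pay {ADDR_A} please"),          # still intact
    ClipboardEvent("poll", f"pay {ADDR_B} please"),          # rewritten: alert
    ClipboardEvent("poll", f"pay {ADDR_B} please"),          # already reported
]

if __name__ == "__main__":
    for original, replacement in detect_swaps(SAMPLE_EVENTS):
        print(f"clipboard swap: {original} -> {replacement}")
```

Run stand-alone it prints one swap line for the constructed sequence. The same comparison is the manual mitigation the Keypoints describe: before sending, confirm that the pasted address is the one that was copied, since a swapped address passes every format check and the transfer is irreversible.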
Indicators of Compromise
- [SHA-256] Payload File – b6135c446093a19544dbb36018adb7139aa810a3f3eaa45663dc54448fe30e39
- [SHA-256] Installation file – deaad208c6805381b6b6b1960f0ee149a88cdae2579a328502139ffc5814c039
- [MD5] Installation file – 012fca9cf0ac3e9a1c2c1499dfdb4eaf
- [SHA-1] Installation file – 47480d9b4df34ea1826cd2fafc05230eb195c0c2
Read more: https://blog.cyble.com/2022/03/22/hunters-become-the-hunted/