Cyble – Multiple New Clipper Malware Variants Discovered In The Wild

Clipper malware variants Atlas Clipper, Keyzetsu Clipper, and KWN Clipper target cryptocurrency users by hijacking clipboard wallet addresses to divert transactions to attacker wallets. The variants use Telegram-based C2, mutex-based persistence, and several anti-analysis techniques to evade detection and maintain presence on infected systems. #AtlasClipper #KeyzetsuClipper #KWNClipper #Cyble #CRIL #TelegramChannel

Keypoints

  • Clipper malware intercepts cryptocurrency transactions by replacing copied wallet addresses with attacker addresses (clipboard hijacking).
  • Atlas Clipper supports up to seven addresses and uses Telegram for C2 communication, with published ad material and a Go-based binary sample.
  • The Atlas variant creates a single-instance mutex (“YourMutex”), drops a copy in %appdata%/YourDir, and persists via a run entry; anti-analysis measures include terminating processhacker.exe.
  • Keyzetsu Clipper delays execution, uses a mutex (“2ILdX2JpexVZieT6mPv2i6Jp3HNFPlby”), stores itself in a KMSAuto directory as accc.exe, and persists via both a run entry and a scheduled task.
  • KWN Clipper leverages clipboard APIs and a Telegram channel for C2; it also uses a memory-string indicator (“KWN”) and drops a copy in KMSAuto with a run entry.
  • The malware exfiltrates victim data to a Telegram bot (username, wallet addresses, HWID, path) and uses WebClient.DownloadString() to receive responses, then deletes the executed file but keeps the process active for persistence.
  • Hashes and IOCs are provided for Atlas, Keyzetsu, and KWN variants, including mutex names, file paths, and sample SHA256 hashes used for analysis.
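The clipboard hijack described above has a simple observable signature: two consecutive clipboard values that are both wallet addresses of the same format but differ. The following is an added example (not code from the Cyble report or from the malware samples) of a defender-side clipboard guard that detects that pattern. The address regexes are pattern-only checks without checksum validation, the `window_s` tolerance and the sample addresses are constructed for illustration, and the Windows polling loop uses the same Win32 clipboard functions (`OpenClipboard`/`GetClipboardData`) that the report says the clipper calls.

```python
import re
import sys
import time
from dataclasses import dataclass
from typing import Optional

# Pattern-only recognisers for common address formats (no checksum validation;
# enough to tell "looks like a wallet address" from ordinary clipboard text).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Name of the address format `text` matches, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class SwapAlert:
    kind: str
    before: str
    after: str


def detect_swap(before: str, after: str,
                elapsed_s: float = 0.0, window_s: float = 2.0) -> Optional[SwapAlert]:
    """Flag a clipper-style swap: two consecutive clipboard values that are both
    addresses of the same format, differ, and were observed within `window_s`.
    The window (assumed value) suppresses the benign case of a user copying
    two different addresses minutes apart."""
    before, after = before.strip(), after.strip()
    kind = classify(before)
    if kind is None or classify(after) != kind:
        return None
    if before == after or elapsed_s > window_s:
        return None
    return SwapAlert(kind, before, after)


def read_clipboard_text() -> str:
    """Windows-only: read CF_UNICODETEXT through the Win32 clipboard API."""
    import ctypes
    CF_UNICODETEXT = 13
    user32, kernel32 = ctypes.windll.user32, ctypes.windll.kernel32
    user32.GetClipboardData.restype = ctypes.c_void_p
    kernel32.GlobalLock.restype = ctypes.c_void_p
    kernel32.GlobalLock.argtypes = [ctypes.c_void_p]
    kernel32.GlobalUnlock.argtypes = [ctypes.c_void_p]
    if not user32.OpenClipboard(None):
        return ""
    try:
        handle = user32.GetClipboardData(CF_UNICODETEXT)
        if not handle:
            return ""
        ptr = kernel32.GlobalLock(handle)
        try:
            return ctypes.wstring_at(ptr)
        finally:
            kernel32.GlobalUnlock(handle)
    finally:
        user32.CloseClipboard()


def monitor(poll_s: float = 0.1) -> None:
    """Poll the clipboard and report swaps. Polling has to be faster than the
    clipper's rewrite, otherwise the user's original value is never observed."""
    last, last_t = read_clipboard_text(), time.monotonic()
    while True:
        time.sleep(poll_s)
        current = read_clipboard_text()
        if current != last:
            now = time.monotonic()
            alert = detect_swap(last, current, elapsed_s=now - last_t)
            if alert:
                print(f"[!] {alert.kind} address swapped: {alert.before} -> {alert.after}")
            last, last_t = current, now


if __name__ == "__main__" and sys.platform == "win32":
    monitor()
```

`detect_swap` is the reusable part; the polling loop is only a demonstration. A production guard would subscribe to clipboard changes with `AddClipboardFormatListener` instead of polling, since a clipper that rewrites the clipboard within milliseconds can slip between two polls, and it would validate checksums before alerting to keep the false-positive rate down.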

MITRE Techniques

  • [T1204] User Execution – “the clipper identifies any cryptocurrency wallet addresses that the user copies.” – “The Clipper malware initiates the clipper operation by invoking the OpenClipboard() function to gain clipboard access.”
  • [T1059] Command and Scripting Interpreter – “The Atlas clipper utilizes a Telegram channel for Command and Control (C&C) communication.”
  • [T1053] Scheduled Task/Job – “The task is created with schtasks.exe … /sc daily …”
  • [T1547.001] Registry Run Keys / Start-up Folder – “persistence by adding the path of the dropped copy of itself to the system’s run entry.”
  • [T1497] Virtualization/Sandbox Evasion – “anti-analysis technique, the malware terminates specific processes such as ‘processhacker.exe’.”
  • [T1027] Obfuscated Files or Information – “obfuscated using an unknown obfuscator.”
  • [T1562] Disable or Modify Tools – “anti-analysis technique … terminates specific processes” (processhacker.exe).
  • [T1057] Process Discovery – “The malware uses a mutex to ensure that only a single instance …”
  • [T1012] Query Registry – “persistence by adding the path of the copied file to the system’s run entry.”
  • [T1082] System Information Discovery – “System information discovery” implied by environment and persistence data gathered during installation and run-entry setup.
  • [T1083] File and Directory Discovery – “creates a hidden directory … drops a copy …”
  • [T1115] Clipboard Data – “Clipboard Data” as the data being intercepted and replaced.
  • [T1071] Application Layer Protocol – “Telegram channel for C2 communication.”
  • [T1573] Encrypted Channel – “Telegram channel for C2 communication” implies encrypted/secured channel usage.

Indicators of Compromise

  • [Hash] Atlas Clipper – 95a9f65aee07cdd972376efd4c18ee7a, 0f8174aa5d8994ccb720cf5d134283502caf5ae0, dabc19aba47fb36756dde3263a69f730c01c2cd3ac149649ae0440d48d7ee4cf
  • [Hash] Keyzetsu Clipper – fd8d8e6b0480d5f4ca50c2ee6a70801b, cbea912f99d2fe8fedc8caab43652688a7afd575, 4f32246f0b4adf2065c1eeb41a25086679de800702c1d5016d96749b5e4bafd5
  • [Hash] KWN Clipper – 14485f6b7327d25d8a255b9feca41e7b, 647c7a8e08533212c7c8637712e41eae0bf49055, 7bd03cdf8339f0305d41cad6d3156610517160a116ffd8a4f77e91f56f43ec2e
  • [Mutex] YourMutex – single-instance mutex used by Atlas Clipper
  • [Mutex] 2ILdX2JpexVZieT6mPv2i6Jp3HNFPlby – single-instance mutex used by Keyzetsu Clipper
  • [Directory] %APPDATA%\YourDir – hidden directory created to store a dropped copy
  • [File] accc.exe – dropped copy of Keyzetsu in KMSAuto directory
  • [Directory] %ProgramData%\KMSAuto – directory for a copied self-file in Keyzetsu variant
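The directory names, dropped file name and persistence mechanisms listed above (Run entry, daily scheduled task via schtasks.exe) are enough to write host-based detections. The following is an added example (not code from the Cyble report) that runs such rules over constructed Sysmon-style events: event IDs 1 (process create), 11 (file create) and 13 (registry value set) with their usual field names. The sample events, the task name, the dropped file name `dropped.exe` under YourDir (the report does not name that file) and the user SID are all constructed; the `/create`, `/tn` and `/tr` switches are standard schtasks.exe options.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Artifacts taken from the report's IOC list.
SUSPECT_DIRS = {"yourdir", "kmsauto"}
SUSPECT_FILE = "accc.exe"
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
SC_DAILY_RE = re.compile(r"(^|\s)/sc\s+daily(\s|$)", re.IGNORECASE)


def path_artifacts(text: str) -> List[str]:
    """IOC fragments present in a path or command line. Matching on path
    segments makes %ProgramData%\\KMSAuto and C:\\ProgramData\\KMSAuto equivalent."""
    norm = text.lower().replace("/", "\\").replace('"', "")
    segments = re.split(r"[\\\s]+", norm)
    hits = [seg for seg in segments if seg in SUSPECT_DIRS]
    if SUSPECT_FILE in segments:
        hits.append(SUSPECT_FILE)
    return hits


def evaluate(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Apply the persistence/drop rules to one event; returns (rule, detail) pairs."""
    findings: List[Tuple[str, str]] = []
    eid = event.get("EventID")
    if eid == "13":  # registry value set: Run entry pointing into an IOC directory
        if RUN_KEY_RE.search(event.get("TargetObject", "")):
            hits = path_artifacts(event.get("Details", ""))
            if hits:
                findings.append(("run_key_persistence", ",".join(hits)))
    elif eid == "1":  # process create: daily schtasks job or execution from IOC path
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "")
        if image.endswith("\\schtasks.exe") and SC_DAILY_RE.search(cmd):
            hits = path_artifacts(cmd)
            if hits:
                findings.append(("scheduled_task_persistence", ",".join(hits)))
        elif path_artifacts(image):
            findings.append(("execution_from_ioc_path", image))
    elif eid == "11":  # file create: dropped copy in an IOC directory
        hits = path_artifacts(event.get("TargetFilename", ""))
        if hits:
            findings.append(("dropped_copy", ",".join(hits)))
    return findings


def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run every event through the rules; returns (EventID, rule, detail)."""
    return [(e.get("EventID", ""), rule, detail)
            for e in events for rule, detail in evaluate(e)]


# Constructed sample telemetry, not from the report. The fourth event is a
# benign Run entry included to show that ordinary autostarts do not match.
SAMPLE_EVENTS = [
    {"EventID": "11", "Image": "C:\\Users\\victim\\Downloads\\setup.exe",
     "TargetFilename": "C:\\ProgramData\\KMSAuto\\accc.exe"},
    {"EventID": "13", "Image": "C:\\ProgramData\\KMSAuto\\accc.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\accc",
     "Details": "\"C:\\ProgramData\\KMSAuto\\accc.exe\""},
    {"EventID": "1", "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /create /sc daily /tn Updater /tr \"C:\\ProgramData\\KMSAuto\\accc.exe\""},
    {"EventID": "13", "Image": "C:\\Program Files\\App\\app.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App",
     "Details": "\"C:\\Program Files\\App\\app.exe\""},
    {"EventID": "1", "Image": "C:\\Users\\victim\\AppData\\Roaming\\YourDir\\dropped.exe",
     "CommandLine": "dropped.exe"},
]

if __name__ == "__main__":
    for eid, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {eid}: {rule} ({detail})")
```

The rules key on directory and file names rather than on the hashes, because a repacked sample changes its hash but the report shows the drop locations and persistence steps shared across variants; pair them with the hash list for triage of the specific samples analysed.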

Read more: https://blog.cyble.com/2023/06/30/multiple-new-clipper-malware-variants-discovered-in-the-wild/