Distribution of ClipBanker Disguised as Malware Creation Tool – ASEC BLOG

AhnLab ASEC reports ClipBanker being distributed as a malware-creation tool on a site called “Russia black hat,” with attackers bundling both malware and the tool (Quasar RAT builder). The dropper uses crack.exe to launch ClipBanker, which then runs in the background and monitors the clipboard to replace cryptocurrency wallet addresses with attacker-controlled ones.
#ClipBanker #QuasarRAT

Keypoints

  • ClipBanker is distributed as part of malware-creation tools on a site that also hosts hacking tools, enabling attackers to spread both the tool and the malware.
  • The distribution links point to multiple file-hosting sites (Mirrored.to, anonfiles, MEGA), delivering the same rar compressed file.
  • Decompressing the downloaded file yields a dropper built with WinRAR Sfx that creates Quasar RAT and ClipBanker components in a designated path.
  • The dropper disguises itself by creating crack.exe, which is actually ClipBanker; the dropper then runs crack.exe and terminates to run ClipBanker in the background.
  • crack.exe copies itself to the startup folder to achieve persistence after reboot.
  • ClipBanker actively monitors the clipboard for cryptocurrency wallet addresses (Bitcoin, Ethereum, Monero) and replaces copied addresses with attacker addresses.
  • AhnLab’s threat intelligence notes specific detections and MD5 IOCs for both the dropper and ClipBanker.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The distribution links deliver the same rar file from external file hosts; “The links connect to Mirrored.to, anonfiles, and MEGA respectively, downloading the same rar compressed file.”
  • [T1027] Obfuscated/Compressed Files and Information – Decompressing the downloaded file will create a dropper developed with WinRAR Sfx.
  • [T1547.001] Boot or Logon Autostart Execution – crack.exe (ClipBanker) copies itself to the startup folder so that it runs again after reboot.
  • [T1036] Masquerading – crack.exe is actually ClipBanker; the dropper uses a file name that looks like a software crack to mislead users. “crack.exe is actually ClipBanker.”
  • [T1115] Clipboard Data – The malware monitors the clipboard and changes wallet addresses when a copied address matches targeted patterns; “periodically monitors the clipboard to check if the copied string matches the regular expression shown below… and changes it to the attacker’s wallet address.”
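The two behaviours above that a defender can check for directly are the clipboard substitution (T1115) and the copy into the Startup folder (T1547.001). The script below is an added example, not AhnLab's code or anything from the write-up: it takes the MD5 and wallet-address IOCs listed on this page, classifies strings by wallet format, reports when an address that was copied comes back out of the clipboard as a different address of the same coin (or as a known ClipBanker address), and hashes the contents of the per-user Startup folder against the IOC hashes. The address regexes are my own approximations of the BTC/ETH/XMR formats; the post does not reproduce the malware's exact expression, and the sample "copied" address is constructed.

```python
"""Triage helpers for the ClipBanker case (added example; IOCs from the write-up)."""
import hashlib
import os
import re
from pathlib import Path

# MD5 IOCs listed in the write-up
IOC_MD5 = {
    "dbf17f8f9b86b81e0eee7b33e4868002": "ClipBanker dropper (WinRAR SFX)",
    "d2092715d71b90721291a1d59f69a8cc": "ClipBanker (crack.exe)",
}

# Attacker-controlled wallet addresses listed in the write-up
ATTACKER_WALLETS = {
    "3JMkKMnoYW1r1vWMrkKmjHmb1tPfZMajcm": "Bitcoin",
    "0x9399Caa2df99fb4F17b1D914d842711eBFf3e4F4": "Ethereum",
    "8A9Wt3hrxTG8qXQFjeyNLkF9a9AJPfWWxSc6Fyv4suBe2xqZMGFbhrnMSRysAEYuT7LzpBsTYM4RJ8V2xWghttbNRG4Luiu": "Monero",
}

# Assumed address-format patterns (base58 for BTC legacy/XMR, bech32 for BTC
# segwit, hex for ETH); not the malware's own regular expression.
WALLET_PATTERNS = {
    "Bitcoin": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{25,62})$"),
    "Ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "Monero": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


def classify_wallet(text):
    """Return the coin name if the string looks like a wallet address, else None."""
    s = text.strip()
    for coin, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None


def check_clipboard_swap(copied, pasted):
    """Compare the text the user copied with what the clipboard handed back.

    Returns (verdict, detail). A ClipBanker-style swap keeps the coin type the
    same but changes the value, typically to one of the attacker's addresses.
    """
    src, dst = copied.strip(), pasted.strip()
    if src == dst:
        return "ok", "clipboard content unchanged"
    coin_src, coin_dst = classify_wallet(src), classify_wallet(dst)
    if coin_src is None:
        return "ok", "copied text is not a wallet address"
    if dst in ATTACKER_WALLETS:
        return "alert", f"{coin_src} address replaced with known ClipBanker {ATTACKER_WALLETS[dst]} IOC address"
    if coin_dst == coin_src:
        return "alert", f"{coin_src} address replaced with a different {coin_dst} address"
    return "suspicious", "wallet address changed after copy"


def md5_of_file(path):
    """Streamed MD5 so large files in the Startup folder are not read at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def startup_folder():
    """Per-user Startup folder on Windows, where crack.exe copies itself."""
    return Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def collect_startup_entries(folder):
    """(name, md5) for every regular file in the folder; empty list if it is absent."""
    folder = Path(folder)
    if not folder.is_dir():
        return []
    return [(p.name, md5_of_file(p)) for p in folder.iterdir() if p.is_file()]


def flag_startup_entries(entries, iocs=IOC_MD5):
    """Return entries whose hash is a known IOC, or whose name matches the lure."""
    hits = []
    for name, digest in entries:
        if digest.lower() in iocs:
            hits.append((name, "md5 match: " + iocs[digest.lower()]))
        elif name.lower() == "crack.exe":
            hits.append((name, "file name matches the ClipBanker lure (hash unknown)"))
    return hits


if __name__ == "__main__":
    # Constructed scenario: the user copies a (made-up, format-valid) BTC
    # address and the clipboard hands back the attacker's BTC IOC address.
    print(check_clipboard_swap("1AbcDefGhJkMnPqRsTuVwXyZ2345678912",
                               "3JMkKMnoYW1r1vWMrkKmjHmb1tPfZMajcm"))
    for name, why in flag_startup_entries(collect_startup_entries(startup_folder())):
        print("startup entry flagged:", name, "-", why)
```

On a non-Windows host the Startup folder does not exist and the scan simply returns nothing; on Windows, run it in the context of the user whose clipboard behaviour looked wrong, since the copy is made into that user's own Startup folder. The hash comparison is exact, so a rebuilt ClipBanker sample will only be caught by the file-name rule; treat that rule as a prompt to pull the file for analysis rather than as proof.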

Indicators of Compromise

  • [Domain] Mirrored hosting – Mirrored.to, used to deliver the same rar file.
  • [Domain] Anonymous file hosts – anonfiles, used to deliver the same rar file.
  • [Domain] Cloud storage domain – MEGA, used to deliver the same rar file.
  • [MD5] Dropper – dbf17f8f9b86b81e0eee7b33e4868002
  • [MD5] ClipBanker – d2092715d71b90721291a1d59f69a8cc
  • [File Name] crack.exe – the file named as a crack tool but actually ClipBanker
  • [File Name] Quasar.exe – Quasar RAT builder component present in the dropper payload
  • [Wallet Address] Bitcoin – 3JMkKMnoYW1r1vWMrkKmjHmb1tPfZMajcm
  • [Wallet Address] Ethereum – 0x9399Caa2df99fb4F17b1D914d842711eBFf3e4F4
  • [Wallet Address] Monero – 8A9Wt3hrxTG8qXQFjeyNLkF9a9AJPfWWxSc6Fyv4suBe2xqZMGFbhrnMSRysAEYuT7LzpBsTYM4RJ8V2xWghttbNRG4Luiu
  • [Detection] AhnLab V3 aliases – Dropper/Win.ClipBanker.C5014841; Malware/Win32.RL_Generic.C4356076

Read more: https://asec.ahnlab.com/en/32825/