Fileless Pure Clipper Malware: Italian Users In The Crosshairs – Cyble

Cyble reports a threat actor targeting Italian-speaking users with a Tor Browser phishing site that delivers a fileless Pure Clipper campaign. The operation uses a .NET dropper obfuscated with SmartAssembly, stages the PureCrypter loader and the clipper payload, stores the payload bytes in the Windows Registry rather than on disk, and exfiltrates swapped clipboard addresses and screenshots via a Discord webhook to monetize cryptocurrency theft. #PureClipper #Alibaba2044 #PureLogs #PureCoder #TorProject

Keypoints

  • Threat Actor targeted Italian-speaking users using a Tor Browser phishing site impersonating the official Tor Project site.
  • The delivered executable is a .NET dropper obfuscated with SmartAssembly that drops a legitimate Tor Installer and the PureCrypter loader for Pure Clipper.
  • Pure Clipper was developed by the same actor behind PureLogs; Alibaba2044 is suspected to be the operator behind these campaigns in Italy.
  • The attackers used PureCrypter as a loader, stored payload data in the Windows Registry (fileless storage), and created a Task Scheduler entry for persistence.
  • The clipper swaps cryptocurrency addresses in the clipboard, captures a screenshot, and exfiltrates both addresses and the image to the attacker via a Discord webhook.
  • CRIL noted a TA-on-TA phishing operation on a cybercrime forum involving an InfoStealer, suggesting aggressive techniques within the same actor ecosystem.
  • Overall, the campaign highlights persistent financial motivation and risks to cryptocurrency users, with a pattern linking to Alibaba2044.

MITRE Techniques

  • [T1566] Phishing – The malware reaches users via phishing sites. Quote: “The initial infection starts with the phishing site hxxps[:]//torprojectdownloadfree[.]site, which impersonates the official Tor Project website.”
  • [T1204] User Execution – The user needs to manually execute the file downloaded from the phishing site. Quote: “The user needs to manually execute the file downloaded from the phishing site.”
  • [T1059.001] PowerShell – Uses a PowerShell script to load the clipper from the registry. Quote: “C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc {base64encoded PowerShell script}”
  • [T1053] Scheduled Task/Job – Creates a Task Scheduler entry (“ehac”) to run a base64 PowerShell command every minute. Quote: “Task Scheduler entry named ‘ehac.’ This task is designed to execute the following command after a delay of one minute…”
  • [T1036] Masquerading – The dropper drops files disguised as legitimate applications (e.g., torbrowser-install-win64-12.5.3_ALL.exe). Quote: “the following names in the %temp% directory: torbrowser-install-win64-12.5.3_ALL.exe: Clean Tor Installer file”
  • [T1112] Modify Registry – Stores payload bytes in the Windows Registry under a value named “ehac” (fileless storage). Quote: “stores the bytes of the ScHoster.exe file in reverse order in the Registry Value ‘ehac’.”
  • [T1027] Obfuscated/Compressed Files and Information – Payloads are obfuscated and decrypted/decoded (PureCrypter). Quote: “PureCrypter uses obfuscation techniques, such as SmartAssembly, to protect its code and evade detection. It also employs the use of reversed, compressed, and encrypted payloads.”
  • [T1115] Clipboard Data – Clipboard monitoring to detect crypto addresses and replace them. Quote: “Regular Expressions to detect Crypto Addresses”
  • [T1113] Screen Capture – Takes a screenshot when a clipboard match occurs and exfiltrates it. Quote: “takes a screenshot of the victim’s screen and Exfiltrates it.”
  • [T1567] Exfiltration Over Web Service – Exfiltrates data via a Discord webhook. Quote: “exfiltrates both the victim’s and TA’s cryptocurrency addresses, along with the screenshot, using TA’s Discord webhook.”
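A defender-side check for the T1059.001 / T1053 / T1112 chain described above, written as an added Python example (not code from the Cyble report): it decodes the base64 `-Enc` argument of a logged PowerShell command line and flags the hidden-window, policy-bypass and registry-read pattern. The sample command lines, the decoded script and the registry path `HKCU:\Software\PLACEHOLDER_KEY` are constructed stand-ins, not values from the report.

```python
import base64
import re
from typing import Optional

# The -Enc/-EncodedCommand switch; PowerShell accepts any unambiguous prefix (-e, -ec, -enc ...).
ENC_ARG = re.compile(r"\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Switches seen in the scheduled-task command line quoted in the report.
CMDLINE_SIGNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "policy_bypass": re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.IGNORECASE),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE),
}
# Signs inside the decoded script: registry access, byte-array reversal, the 'ehac' value name.
SCRIPT_SIGNS = {
    "registry_read": re.compile(r"Get-ItemProperty|HKCU:|HKLM:|Registry::", re.IGNORECASE),
    "byte_reverse": re.compile(r"\[Array\]::Reverse", re.IGNORECASE),
    "value_ehac": re.compile(r"\behac\b", re.IGNORECASE),
}

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -Enc, or None if absent or not decodable."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_cmdline(cmdline: str) -> dict:
    """Collect indicators from the raw command line and from its decoded payload."""
    hits = {name: bool(rx.search(cmdline)) for name, rx in CMDLINE_SIGNS.items()}
    script = decode_encoded_command(cmdline)
    hits["encoded_command"] = script is not None
    for name, rx in SCRIPT_SIGNS.items():
        hits[name] = bool(script and rx.search(script))
    hits["decoded_script"] = script
    return hits

def is_registry_loader(hits: dict) -> bool:
    """Verdict: encoded command, hidden window and a registry read point to fileless staging."""
    return hits["encoded_command"] and hits["hidden_window"] and hits["registry_read"]

# Constructed samples: the decoded script is a stand-in (placeholder key), encoded the way
# PowerShell expects (-Enc takes base64 of the UTF-16LE script text).
SAMPLE_SCRIPT = ("$b=(Get-ItemProperty -Path 'HKCU:\\Software\\PLACEHOLDER_KEY' -Name ehac).ehac;"
                 "[Array]::Reverse($b)")
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode()
SUSPICIOUS = (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden "
              f"-ExecutionPolicy Bypass -NoProfile -NoExit -Enc {SAMPLE_ENC}")
BENIGN = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Command Get-Date"
```

Run `is_registry_loader(analyse_cmdline(line))` over process-creation or Task Scheduler command lines; only the encoded, hidden, registry-reading sample returns True.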

Indicators of Compromise

  • [Hash] Dropper – MD5 009c5048e9c55ca33fb930ce97e8c5e1, SHA1 88ba199aeb9b93ae28b4781edf7904c946763103, SHA256 fbfa233f980042bb92c121e38d9307ef9d48e842fa7c9bda09d9f89479df7771
  • [Hash] ScHoster.exe – MD5 43c29e5e42f4870fa4bbb30abad26012, SHA1 392ccfa22f19f6e466a973ac654e450a62391572, SHA256 cfa592b0128bc126fbf3fb66c551a8d87223b196f5e0cd87e60b88bdc688c6e0
  • [URL] Phishing Site – hxxps[:]//torprojectdownloadfree[.]site
  • [URL] Phishing Payload – hxxps[:]//torprojectdownloadfree[.]site/confset.exe
  • [Domain] torprojectdownloadfree[.]site – referenced in phishing and payload delivery
  • [File Name] torbrowser-install-win64-12.5.3_ALL.exe – dropped as a legitimate Tor Installer
  • [File Name] ScHoster.exe – PureCrypter Loader
  • [File Name] Ovsfnx.dll – second-stage payload loaded at runtime

Read more: https://cyble.com/blog/fileless-pure-clipper-malware-italian-users-in-the-crosshairs/