{"id":109186,"date":"2023-03-28T10:00:08","date_gmt":"2023-03-28T10:00:08","guid":{"rendered":"https:\/\/kasperskycontenthub.com\/securelist\/?p=109186"},"modified":"2023-04-03T08:52:37","modified_gmt":"2023-04-03T08:52:37","slug":"copy-paste-heist-clipboard-injector-targeting-cryptowallets","status":"publish","type":"post","link":"https:\/\/securelist.com\/copy-paste-heist-clipboard-injector-targeting-cryptowallets\/109186\/","title":{"rendered":"Copy-paste heist or clipboard-injector attacks on cryptousers"},"content":{"rendered":"

It is often the case that something new is just a reincarnation of something old. We have come across a series of clipboard injection attacks on cryptocurrency users that emerged starting from September 2022. Although we wrote about a similar malware attack in 2017 in one of our blogposts, the technique is still very relevant today, as there is no perfect defense against it from the perspective of operating system design. The only ways to prevent such attacks are to be extremely cautious and attentive, or to use a decent anti-malware solution that detects the malicious code. As long as such attacks continue to thrive in the modern ecosystem of the cryptocurrency world, it is worth explaining how they work and where the danger lies.

In a nutshell, the attack relies on malware replacing part of the clipboard contents once it detects a wallet address in it.

Past attacks

This technique of replacing clipboard contents is more than a decade old. It all started with banking trojans focused on specific banks that replaced bank account numbers in the clipboard. Here is a report from CERT Polska that warned Polish users about such a threat targeting customers of local banks in 2013. However, such attacks required detecting a particular internet banking environment, and their success also depended on other fields being filled in correctly (e.g. bank SWIFT code, branch name, etc.). Focusing on something global and provider-independent, such as a cryptocurrency wallet address, made the technique much more efficient for cryptothieves, and the increased value of cryptocurrencies made it a very lucrative target. So this is where we started seeing the first clipboard attacks on cryptocurrency owners. They were replicated and reused in other malware too. We even made a generic detection for some of these families, naming them Generic.ClipBanker.

Why it is dangerous

Despite the attack being fundamentally simple, it harbors more danger than it would seem. And not only because it creates irreversible money transfers, but because it is so passive and hard to detect for a normal user. Just think of it: most malware is only effective when there is a communication channel established between the malware operator and the victim's system. Backdoors require a control channel, spying trojans require a way to pass stolen data, cryptominers need network communication too, etc. Only a small fraction of malware exists on its own and does not require any communication channel. But this is the most dangerous and harmful kind: self-replicating malware, such as destructive viruses and network worms; ransomware that silently encrypts local files; and so on. While worms and viruses may not connect to the attacker's control servers, they generate visible network activity or increase CPU or RAM consumption. So does encrypting ransomware. Clipboard injectors, on the contrary, can be silent for years, showing no network activity or any other signs of presence until the disastrous day when they replace a cryptowallet address.

Another factor is detection of the malware payload. While most malware is discovered through an association with known bad infrastructure (IPs, domains, URLs), or when it automatically activates a malicious payload, clipboard injectors do not run their malicious payload unless an external condition (the clipboard contains data of a certain format) is met. This further lowers the chances of new malware being discovered through automatic sandboxing.

Trojanized Tor Browser installers

Some recent developments in the use of this type of malware seek to abuse Tor Browser, a tool to access the dark web using the Onion protocol, also known as the Tor network. We relate this to the ban of the Tor Project's website in Russia at the end of 2021, which was reported by the Tor Project itself. According to the latter, Russia was the second largest country by number of Tor users in 2021 (with over 300,000 daily users, or 15% of all Tor users). The Tor Project called for help to keep Russian users connected to Tor in order to circumvent censorship. Malware authors heard the call and responded by creating trojanized Tor Browser bundles and distributing them among Russian-speaking users. The first variants appeared in December 2021, but only since August 2022 have we seen a larger wave of torbrowser_ru.exe malicious executables. The trojanized installers offered Tor Browser with a regional language pack, including Russian, as the file name suggests:

\"Supported<\/a><\/p>\n

Supported languages in the trojanized installer<\/strong><\/em><\/p>\n

We have come across hundreds of similar installers that all behaved according to the following scenario:

\"Trojanized<\/a><\/p>\n

Trojanized Tor Browser extracting and launching a malware payload<\/strong><\/em><\/p>\n

The target user downloads Tor Browser from a third-party resource and starts it as torbrowser.exe. The installer has no digital signature and is just a RAR SFX (self-extracting executable) archive. It contains three files: