A clipper malware is a type of software that, once installed on a computer, continuously scans the contents of the user's clipboard for cryptocurrency wallets. If the user copies and pastes the wallet someplace, it gets substituted by the cybercriminal's wallet.
As a result, if an unknowing user uses any interface to transfer a cryptocurrency payment to a wallet, which is often done by copying and pasting a valid destination wallet, the legitimate wallet is substituted with the fake one.
Clipper malware is not a new issue, but it is unknown to the majority of individuals and businesses.
The first clipper malware surfaced on Windows operating systems in 2017. In 2019, the same malware was also discovered on the Google Play Store.
Clipper attacks are effective due to the duration of cryptocurrency wallets. People who transfer cryptocurrency from one wallet to another seldom double-check that the copy/paste result is the one given by a genuine receiver.
Cyble researchers examined a new Clipper malware termed Keona Clipper by its developer.
The malware is provided as a service for $49 per month.
Keona Clipper was written in the.NET programming language and is safeguarded by Confuser 1.x. This tool protects.NET applications by changing symbols, obfuscating control flow, encrypting constants and resources, employing anti-debugging, memory dumping, tampering, and disabling decompilers, making reverse engineering more difficult.
Since May 2022, Cyble researchers have identified over 90 distinct Keona samples, demonstrating widespread deployment. The discrepancy in those Keona samples might be due to minor changes in the code, or it could be the result of several usages of the Confuser protector, which generates a new binary each time a sample is provided to prevent detection by security solutions relying only on file signature.
Malware capabilities of Keona Clipper
Once launched, the malware uses the Telegram API to connect with an attacker-controlled Telegram bot. The malware's initial contact with the bot includes a message written in Russian that translates as "clipper has started on the computer" and the username of the user whose account is utilised by the malware.
The malware also ensures that it is always performed, even if the system is restarted. The malware copies itself to numerous areas, including the Administrative Tools folder and the Startup folder, to guarantee persistence. Autostart entries are also placed in the Windows registry to guarantee that the malware runs every time the computer restarts.
Keona Clipper then discreetly analyses clipboard activity and checks for bitcoin wallets using regular expressions.
BTC, ETH, LTC, XMR, XLM, XRP, NEC, BCH, ZCASH, BNB, DASH, DOGE, USDT TRC20, and ADA coins are among the cryptocurrencies that Keona Clipper can steal.
If a wallet is discovered, it is instantly replaced in the clipboard with a wallet address supplied by the threat actor.
How can one defend oneself against this danger?
Every bitcoin payment should be thoroughly scrutinised. By comparing the output of their copy/paste manipulation to the wallet given by the seller, users should visually authenticate the wallet utilised as the transaction's destination.
Private keys and wallet seeds should never be kept insecurely on any device. If feasible, keep these encrypted on a different storage device or in a physical hardware wallet.
To identify the danger, security solutions should be implemented. We don't know the first vector of propagation for Keona, but we think it was emailed, hence email-based protection must be deployed. Email fraud and phishing should also be made more visible to users.
Finally, the operating system and any software that runs on it should be maintained up to date and patched at all times. If the malware is dumped and executed on the system via a popular vulnerability, a patched system will almost certainly halt the danger.
