Clipminer malware gang stole $1.7M by hijacking crypto payments

Threat analysts have discovered a large operation of a new cryptocurrency mining malware called Clipminer that brought its operators at least $1.7 million from transaction hijacking.

According to researchers from Symantec, a Broadcom company, Clipminer is based on the KryptoCibule malware. Both trojans focus on stealing wallets, hijacking transactions, and mining cryptocurrency on infected machines.

The new trojan is named Clipminer by security researchers who mapped its operation, which had ballooned in size by the time of its discovery.

While analyzing this new operation, Symantec found 4375 cryptocurrency wallet addresses believed to have received stolen funds.

How Clipminer works

Clipminer drops on the host system as a WinRAR archive and extracts automatically to launch a control panel (.CPL) file that downloads a dynamic link library (.DLL).

The DLL creates a new registry value and places itself in “C:\Windows\Temp” under a random file name. Its purpose is to profile the host and then download and install the Clipminer payload from the Tor network.

The system ID is sent to the command and control server (C2) via an HTTP GET request over Tor, and a 10MB payload is downloaded to “C:\ProgramData”, “C:\Program Files (x86)”, or “[USERPROFILE]\AppData\Local”.

Upon execution, the malware creates scheduled tasks for persistence and also creates an empty registry key, likely as an infection marker to prevent re-infecting the same host, the researchers note in a report today.

Next, the payload starts a v3 Onion Service with a unique address and monitors all keyboard and mouse activity on the host machine. It also checks running processes to identify any analysis tools.

When there’s no activity on the host, suggesting that the user is away, Clipminer starts an XMRig Monero miner configured to use all available CPU threads. Since the machine is unsupervised, there’s no risk of system performance slow-downs giving away the infection.

In parallel, the malware constantly monitors the clipboard for copied cryptocurrency addresses and replaces them on-the-fly with others belonging to the attacker, thus diverting payments.

How Clipminer alters the wallet addresses copied by the victim (Symantec)
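The clipboard swap described above can be spotted from the defender's side by watching for an address that changes into a different address of the same kind without any user copy action. The following is an added Python example, not code from Symantec's report: it replays a constructed clipboard timeline through that heuristic. The address regexes are assumed to be rough format checks (no checksum validation), and the sample addresses are constructed strings, not real wallets.

```python
import re
from dataclasses import dataclass

# Rough shapes of the address families a clipboard hijacker typically targets
# (assumption: format-only checks, no checksum or network validation).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
    "xmr": re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}"),
}

def classify(text):
    """Return the address family if the clipboard text looks like a wallet address, else None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return name
    return None

@dataclass
class ClipEvent:
    t: float          # seconds since monitoring started
    text: str         # clipboard contents observed at time t
    user_copy: bool   # True if a copy keystroke or menu action was observed at this time

def detect_hijack(events, window=2.0):
    """Flag clipboard changes that replace one wallet address with a different address of the
    same family, with no user copy action, within `window` seconds of the previous contents."""
    alerts = []
    prev = None
    for ev in events:
        if prev is not None and not ev.user_copy:
            before, after = classify(prev.text), classify(ev.text)
            if before and before == after and prev.text != ev.text and ev.t - prev.t <= window:
                alerts.append((prev.text, ev.text, ev.t))  # (original, replacement, time)
        prev = ev
    return alerts

# Constructed clipboard timeline (sample data, not captured from a real infection): the user
# copies their own BTC address and 300 ms later the clipboard silently holds another address;
# the later ETH addresses are both copied by the user, so they must not be flagged.
VICTIM_BTC = "1VictimAddressabcdefghijkmnpqrstuv"
SWAPPED_BTC = "1AttackerAddressabcdefghijkmnpqrst"
SAMPLE_EVENTS = [
    ClipEvent(0.0, VICTIM_BTC, user_copy=True),
    ClipEvent(0.3, SWAPPED_BTC, user_copy=False),
    ClipEvent(10.0, "meeting notes", user_copy=True),
    ClipEvent(20.0, "0x" + "deadbeef" * 5, user_copy=True),
    ClipEvent(21.0, "0x" + "cafebabe" * 5, user_copy=True),
]
```

Running `detect_hijack(SAMPLE_EVENTS)` returns a single alert for the BTC swap at t=0.3s; a real monitor would feed it live clipboard snapshots paired with copy-event telemetry.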

How to stay safe

Symantec says the first samples of Clipminer started circulating around January 2021, and the malicious activity picked up the pace in February.

Since then, the malware has been distributed via game and pirated software cracks, and spread on P2P networks, torrent indexers, or YouTube videos.

Avoid downloading software from obscure sources to minimize the chances of getting infected with Clipminer or other malware.

To protect yourself from any clipboard hijacker, check the pasted cryptocurrency wallet address before initiating the transaction.