The ASEC analysis team has recently discovered ClipBanker being distributed disguised as a malware creation tool. ClipBanker is malware that monitors the clipboard of the infected system. If a string that looks like a coin wallet address is copied, the malware replaces it with an address designated by the attacker.
This type of malware has been distributed continuously for some time.
The website that distributes ClipBanker is called ‘Russia black hat’ as shown below. It has various programs related to hacking, including malware creation tools.
This means that the attacker is distributing both malware creation tools and malware to other attackers. As such, ClipBanker may be installed in the systems of the attackers who installed the tool.
The download page for each malware creation tool shows a description of the malware with the download URL displayed below. There are multiple malware posts on the website, but the explanations in this blog post are based on the post for the Quasar RAT malware. The webpage for the malware has a brief description of Quasar RAT and a download link.
The links connect to Mirrored.to, anonfiles, and MEGA respectively, downloading the same rar compressed file.
Decompressing the downloaded file produces a dropper developed with WinRAR Sfx. The dropper contains a malware creation tool for Quasar RAT as well as ClipBanker, and creates files in the designated path as shown below when it is run.
When decompressed, the dropper creates files related to the Quasar RAT builder and crack.exe on the designated path. Quasar RAT builder is “Quasar.exe”, and it is run normally as shown below.
As malware creation tools may need verification like normal commercial software, malware builders that are publicly released are often cracked versions (Quasar RAT is an open source program and doesn’t need a cracked version). As such, users who downloaded the tool might assume that the created “crack.exe” file is a normal crack tool.
Yet crack.exe is actually ClipBanker. The dropper ultimately runs crack.exe after creating it and then terminates itself, resulting in ClipBanker being run in the background regardless of the user’s intention. When crack.exe is run, it copies itself to the startup folder so that it runs again after reboot. It periodically monitors the clipboard to check whether the user has copied a coin wallet address (meaning the wallet address is saved on the clipboard) and changes it to the attacker’s wallet address.
A coin wallet address normally has a certain form, but it is difficult to memorize as the string is long and complicated. Hence, users are likely to copy and paste the address when using it. Should the wallet address change at this stage, users who want to deposit money to a certain wallet may end up depositing it to a different wallet because the address is changed to that of the attacker’s wallet.
ClipBanker regularly monitors the clipboard and checks if the copied string matches the regular expression shown below. Coins targeted for the change in wallet address are Bitcoin, Ethereum, and Monero.
When a wallet address copied by the user matches one of the expressions, the malware replaces it with the address designated by the attacker:
- Bitcoin wallet address: 3JMkKMnoYW1r1vWMrkKmjHmb1tPfZMajcm
- Ethereum wallet address: 0x9399Caa2df99fb4F17b1D914d842711eBFf3e4F4
- Monero wallet address: 8A9Wt3hrxTG8qXQFjeyNLkF9a9AJPfWWxSc6Fyv4suBe2xqZMGFbhrnMSRysAEYuT7LzpBsTYM4RJ8V2xWghttbNRG4Luiu
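
A defender can use the same pattern-matching idea to spot the swap. The following is an added example, not code from this analysis or from the malware: it scans a time-ordered clipboard history for a wallet-shaped string that is replaced by a different address of the same coin within a short window, and marks replacements that match the three addresses listed above. The regular expressions, the two-second window, the event format and the victim addresses are assumptions constructed for illustration.

```python
import re

# Simplified address shapes written for this example (assumptions); they are
# not the regular expressions embedded in the analyzed sample.
B58 = "[1-9A-HJ-NP-Za-km-z]"
PATTERNS = {
    "bitcoin": re.compile(rf"(?:[13]{B58}{{25,34}}|bc1[0-9a-z]{{11,71}})"),
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "monero": re.compile(rf"[48]{B58}{{94}}"),
}

# Replacement addresses reported in this post.
KNOWN_REPLACEMENTS = {
    "3JMkKMnoYW1r1vWMrkKmjHmb1tPfZMajcm",
    "0x9399Caa2df99fb4F17b1D914d842711eBFf3e4F4",
    "8A9Wt3hrxTG8qXQFjeyNLkF9a9AJPfWWxSc6Fyv4suBe2xqZMGFbhrnMSRysAEYuT7LzpBsTYM4RJ8V2xWghttbNRG4Luiu",
}

def classify(text):
    """Return the coin name if text is shaped like a wallet address, else None."""
    text = text.strip()
    for coin, pattern in PATTERNS.items():
        if pattern.fullmatch(text):
            return coin
    return None

def find_swaps(events, window=2.0):
    """events: time-ordered (seconds, clipboard_text) pairs.
    Flag an address replaced by a different same-coin address within `window`."""
    alerts = []
    for (t0, old), (t1, new) in zip(events, events[1:]):
        old, new = old.strip(), new.strip()
        coin = classify(old)
        if coin and coin == classify(new) and old != new and t1 - t0 <= window:
            alerts.append({"time": t1, "coin": coin, "original": old,
                           "replacement": new,
                           "known_ioc": new in KNOWN_REPLACEMENTS})
    return alerts

# Constructed clipboard history; the victim addresses are placeholders.
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (10.0, "1" + "A" * 33),                        # user copies a BTC address
    (10.4, "3JMkKMnoYW1r1vWMrkKmjHmb1tPfZMajcm"),  # replaced 0.4 s later
    (60.0, "0x" + "ab" * 20),                      # user copies an ETH address
    (300.0, "0x" + "cd" * 20),                     # another one minutes later
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The two Ethereum copies four minutes apart are not flagged: only a same-coin replacement that follows the original copy faster than a user plausibly would is treated as a swap.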
Unlike previous ClipBanker samples, the current analysis target can not only change the clipboard but also report to the C&C server both the wallet address that will be changed and the attacker-designated address that replaces it. From the figure below, “Target Address” shows the initial wallet address, and “Changed With” shows the address modified by the malware. While the feature is not working normally because the current target has no C&C server set, the attacker would be able to receive the result if the C&C server had been set in advance.
Though malware is normally distributed to ordinary users, there have been cases of attackers preying upon other attackers who create and distribute malware, as seen above. Besides the fact that it is illegal to create and distribute malware, attempting to download a malware creation tool may result in malware infection.
AhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.
– Dropper/Win.ClipBanker.C5014841 (2022.03.18.00)
– Malware/Win32.RL_Generic.C4356076 (2021.03.03.00)