Distribution of ClipBanker Disguised as Malware Creation Tool

The ASEC analysis team has recently discovered a distribution of ClipBanker disguised as a malware creation tool. ClipBanker is a malware that monitors the clipboard of the infected system. If a string for a coin wallet address is copied, the malware changes it to the address designated by the attacker.

This type of malware has been in continuous distribution for a long time.

The website that distributes ClipBanker is called ‘Russia black hat’ as shown below. It has various programs related to hacking, including malware creation tools.

Figure 1. Website that distributes ClipBanker

This means that the attacker is distributing both malware creation tools and malware to other attackers. As such, ClipBanker may be installed in the systems of the attackers who installed the tool.

The download page for each malware creation tool shows a description of the malware with the download URL displayed below. There are multiple malware posts in the website, but the explanations in this blog post are based on the post for Quasar RAT malware. The webpage for the malware has a brief description of Quasar RAT and a download link.

Figure 2. Webpage for downloading malware creation tool – 1
Figure 3. Webpage for downloading malware creation tool – 2

The links connect to Mirrored.to, anonfiles, and MEGA respectively, downloading the same rar compressed file.

Figure 4. Download page for anonfiles malware
Figure 5. Download page for MEGA malware

Decompressing the downloaded file produces a dropper built with WinRAR SFX. The dropper contains both a malware creation tool for Quasar RAT and ClipBanker, and it creates the files in the designated path as shown below when it is run.

Figure 6. Running dropper

When decompressed, the dropper creates the files related to the Quasar RAT builder, along with crack.exe, in the designated path. The Quasar RAT builder is “Quasar.exe”, and it runs normally as shown below.

Figure 7. ClipBanker created along with Quasar RAT builder

Because malware creation tools may require license verification just like commercial software, publicly released malware builders are often cracked versions (Quasar RAT is an open-source program and does not need a cracked version). As such, users who downloaded the tool might assume that the created “crack.exe” file is a normal crack tool.

Yet crack.exe is actually ClipBanker. The dropper ultimately runs crack.exe after creating it and then terminates itself, resulting in ClipBanker being run in the background regardless of the user’s intention. When crack.exe is run, it copies itself to the startup folder so that it can be run after reboot. It periodically monitors the clipboard to check if the user has copied the coin wallet address (meaning the wallet address is saved on the clipboard) and changes it to the attacker’s wallet address.

A coin wallet address normally has a certain form, but it is difficult to memorize as the string is long and complicated. Hence, users are likely to copy and paste the address when using it. Should the wallet address change at this stage, users who want to deposit money to a certain wallet may end up depositing it to a different wallet because the address is changed to that of the attacker’s wallet.

ClipBanker regularly monitors the clipboard and checks if the copied string matches the regular expression shown below. Coins targeted for the change in wallet address are Bitcoin, Ethereum, and Monero.

Figure 8. Regular expressions of wallet addresses

When the wallet address copied by the user matches the expressions, it will change to the address designated by the attacker.

  • Bitcoin wallet address: 3JMkKMnoYW1r1vWMrkKmjHmb1tPfZMajcm
  • Ethereum wallet address: 0x9399Caa2df99fb4F17b1D914d842711eBFf3e4F4
  • Monero wallet address: 8A9Wt3hrxTG8qXQFjeyNLkF9a9AJPfWWxSc6Fyv4suBe2xqZMGFbhrnMSRysAEYuT7LzpBsTYM4RJ8V2xWghttbNRG4Luiu

Figure 9. Settings data including the changed wallet addresses

Unlike previous ClipBanker variants, the sample analyzed here not only changes the clipboard but also reports to the C&C server both the wallet address that will be changed and the replacement address designated by the attacker. In the figure below, “Target Address” shows the original wallet address, and “Changed With” shows the address substituted by the malware. This feature does not currently work because the analyzed sample has no C&C server configured, but the attacker would receive the results if a C&C server had been set in advance.
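The swap described above replaces a copied address with one of the same coin family, so a pasted address still "looks valid"; the only reliable check is comparing what was copied with what is about to be pasted. The following is an added example by the editor, not code from the post or the malware: the regular expressions are the editor's own approximations (not those in Figure 8), the attacker addresses are the ones quoted above, and the user addresses are constructed samples.

```python
import re

# Editor's own patterns for the three coin families the post names.
# Assumption: these approximate common address formats and are NOT the
# malware's regular expressions from Figure 8.
WALLET_PATTERNS = {
    "bitcoin": re.compile(
        r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[ac-hj-np-z02-9]{25,62})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}

# Replacement addresses quoted in the post (Figure 9), used as a watchlist.
ATTACKER_ADDRESSES = {
    "bitcoin": "3JMkKMnoYW1r1vWMrkKmjHmb1tPfZMajcm",
    "ethereum": "0x9399Caa2df99fb4F17b1D914d842711eBFf3e4F4",
    "monero": ("8A9Wt3hrxTG8qXQFjeyNLkF9a9AJPfWWxSc6Fyv4suBe2xqZMGFbhrnMSRys"
               "AEYuT7LzpBsTYM4RJ8V2xWghttbNRG4Luiu"),
}


def classify_wallet(text):
    """Return the coin family a string looks like, or None if it is not an address."""
    s = text.strip()
    for coin, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None


def check_clipboard_swap(copied, pasted):
    """Compare the address the user copied with the clipboard content at paste time.

    Returns (verdict, coin). A swap that stays within the same coin family is
    exactly what ClipBanker does, so a format check alone would not catch it.
    """
    coin = classify_wallet(copied)
    if coin is None:
        return ("not_a_wallet", None)
    copied, pasted = copied.strip(), pasted.strip()
    if copied == pasted:
        return ("unchanged", coin)
    if pasted == ATTACKER_ADDRESSES.get(coin):
        return ("swapped_known_attacker", coin)
    if classify_wallet(pasted) == coin:
        return ("swapped_same_family", coin)
    return ("clobbered", coin)


# Constructed sample: a user copies their own BTC address, the clipboard now
# holds the attacker's address from Figure 9.
USER_BTC = "1ExampUserAddrForTestingPurposeXYZ"
```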

Figure 10. Report for initial and changed wallet address

Though malware is normally distributed to ordinary users, there have been cases, as seen above, of attackers preying upon other attackers who create and distribute malware. Apart from the fact that creating and distributing malware is illegal, attempting to download a malware creation tool may itself result in a malware infection.

AhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.

[File Detection]
– Dropper/Win.ClipBanker.C5014841 (2022.03.18.00)
– Malware/Win32.RL_Generic.C4356076 (2021.03.03.00)

[IOC]
Dropper MD5
– dbf17f8f9b86b81e0eee7b33e4868002

ClipBanker MD5
– d2092715d71b90721291a1d59f69a8cc

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
