2019-04-12 Crypto/Clipboard Stealer Malspam

Yesterday I came across some malspam that I have not seen before and thought that I would do a quick entry for it.

This particular malware sits quietly in the background and looks for crypto currency addresses being copied and pasted between applications/pages. The interesting part of this is that once the user “pastes” the crypto address into the other application/tab, the address is changed to one that the bad actor controls. Playing around with this in my VM, I did not notice it sending anything outbound within Wireshark, and nothing came up in Process Explorer which kind of makes sense since all this is doing is changing the crypto address in memory for the paste. For a great explanation of what this type of malware is doing, check out Bleeping Computer’s article about it and also the embedded video.

And a huge thanks to @James_inthe_box for ID’ing this malware and pointing me in a better direction. Here is the Twitter thread for this particular sample.

For all the artifacts from this please see this repo. I have also provided a memory dump of the process in case anyone wants to play around with memory forensics. That can be found here.

Below are some of the strings that I found that matched up with what @James_inthe_box showed in the Twitter thread.

<Module>
out.exe
Program
Copier
MainClass
Clipboard
ChangedEventHandler
Base58CheckEncoding
ArrayExtensions
HexByteConvertorExtensions
Converter
IDigest
IMemoable
KeccakDigest
Pack
Sha3Keccack
mscorlib
System
Object
System.Windows.Forms
NativeWindow
MulticastDelegate
System.Threading
Mutex
mutex
Main
System.Collections.Generic
Dictionary`2
dictionary
Install
BchCharset
IsValidAddress
SetClipboard
ValidateEthAddress
ValidateCashAddress
ValidateBitcoinAddress
CheckCharSet
get_CH
set_CH
CH_Changed
.ctor
SetClipboardViewer
ChangeClipboardChain
SendMessage

Leave a Reply

Your email address will not be published.