This new malware diverts cryptocurrency payments to wallets controlled by attackers

New malware dubbed Keona Clipper aims to steal cryptocurrencies from infected computers and uses Telegram to increase its stealth. Learn more about what the Clipper malware threat is and how to protect against it.


What is clipper malware?

Clipper malware is software that, when run on a computer, continuously checks the contents of the user's clipboard and searches it for cryptocurrency wallet addresses. If the user copies a wallet address in order to paste it somewhere, it is replaced with the address of another wallet owned by the cybercriminal.

This way, if an unsuspecting user uses an interface to send a cryptocurrency payment to a wallet, which is usually done by copying and pasting the legitimate destination wallet address, that address is replaced with the fraudulent one.


Clipper malware is not a new threat, but it is unknown to most users and businesses. The first clipper malware appeared in 2017 on Windows operating systems. Such malware also appeared on the Google Play Store in 2019. This malware posed as MetaMask, a popular crypto wallet, and aimed to steal credentials and private keys to steal Ethereum funds from victims, in addition to changing wallets in the clipboard to get more cryptocurrency.

Clipper attacks work very well due to the length of cryptocurrency wallets. People transferring cryptocurrencies from their wallet to another seldom verify that the result of the copy/paste is the one provided by a legitimate recipient.

What is Keona Clipper?

Cyble researchers have analyzed a new Clipper malware named Keona Clipper by its developer (Figure A).

Figure A

Image: Cyble. Keona Clipper malware as advertised on a Russian-speaking Dark Web forum.

The malware is sold as a service for $49 for a month.

Keona Clipper was developed in the .NET programming language and protected by Confuser 1.x. This tool protects .NET applications by renaming symbols, obfuscating control flow, encrypting constants and resources, adding protections against debugging, core dumping and tampering, and disabling decompilers, all of which makes analysis by reverse engineers more difficult.

Cyble researchers have been able to identify more than 90 different Keona samples since May 2022, showing wide deployment. The differences between these Keona samples could be slight changes in the code, or simply the result of multiple uses of the Confuser protector, which would generate a different binary each time a sample is submitted to it, to avoid detection by security solutions based solely on file signatures.

Malware capabilities of Keona Clipper

Once executed, the malware communicates with an attacker-controlled Telegram bot through the Telegram API. The first communication from the malware to the bot contains a message written in Russian which can be translated as “the clipper has started on the computer” and contains the username of the user whose account is used by the malware.

The malware also ensures that it will always run, even if the computer restarts. To ensure this persistence, the malware copies itself to multiple locations, including the Administrative Tools folder and the Startup folder. Autostart entries in the Windows Registry are also created to ensure that the malware is executed each time the computer is restarted.
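A defender can hunt for the two behaviors described above together: Telegram API traffic and autostart persistence from the same process. The following is an added example, not code from Cyble or the original article; the event schema, process names and sample events are constructed, and the lowercased paths are the standard Windows autostart locations, assumed to be the ones the article means.

```python
from collections import defaultdict

TELEGRAM_API_HOST = "api.telegram.org"  # Telegram Bot API endpoint
# Standard Windows autostart locations, lowercased; assumed to be the folders
# and registry entries the article refers to.
AUTOSTART_DIRS = (r"\start menu\programs\startup",
                  r"\start menu\programs\administrative tools")
RUN_KEY = r"\software\microsoft\windows\currentversion\run"

def triage(events):
    """Return process images that contacted the Telegram Bot API and also
    created at least one autostart artifact (folder copy or Run value)."""
    seen = defaultdict(set)
    for ev in events:
        target = ev["target"].lower()
        if ev["type"] == "dns" and target == TELEGRAM_API_HOST:
            seen[ev["image"]].add("telegram_api")
        elif ev["type"] == "file_write" and target.endswith(".exe") \
                and any(d in target for d in AUTOSTART_DIRS):
            seen[ev["image"]].add("autostart_copy")
        elif ev["type"] == "reg_set" and RUN_KEY in target:
            seen[ev["image"]].add("run_key")
    # Telegram traffic alone is common for benign bots; require persistence too.
    return {image: sorted(tags) for image, tags in seen.items()
            if "telegram_api" in tags and len(tags) >= 2}

# Constructed telemetry in a hypothetical schema (image, type, target).
SUSPECT = r"C:\Users\alice\Downloads\viewer.exe"
NOTIFIER = r"C:\Tools\alertbot\notify.exe"
INSTALLER = r"C:\Users\alice\Downloads\setup.exe"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    {"image": SUSPECT, "type": "dns", "target": "api.telegram.org"},
    {"image": SUSPECT, "type": "file_write", "target": STARTUP + r"\svc.exe"},
    {"image": SUSPECT, "type": "reg_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"image": NOTIFIER, "type": "dns", "target": "api.telegram.org"},
    {"image": INSTALLER, "type": "file_write", "target": STARTUP + r"\tool.exe"},
]

if __name__ == "__main__":
    for image, tags in triage(EVENTS).items():
        print(image, tags)
```

Only the process showing both behaviors is returned; the notifier that merely talks to the Bot API and the installer that merely writes to the Startup folder are not.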

Keona Clipper then discreetly monitors any clipboard activity and uses regular expressions to check for cryptocurrency wallets. Keona Clipper can steal over a dozen different cryptocurrencies: BTC, ETH, LTC, XMR, XLM, XRP, NEC, BCH, ZCASH, BNB, DASH, DOGE, USDT TRC20 and ADA coins.

If a wallet is found, it is immediately replaced in the clipboard with a wallet address provided by the threat actor.
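The replacement described above leaves a recognizable trace: an address-shaped clipboard value is overwritten by a different address of the same coin almost immediately. The following added example (not from the article or from Cyble) flags that pattern in a clipboard history; the patterns are format checks for three of the listed coins, and the timeline, addresses and 2-second threshold are constructed assumptions.

```python
import re

# Address shapes for three of the coins the article lists. Format checks only,
# with no checksum validation.
PATTERNS = {
    "BTC": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^[LM][1-9A-HJ-NP-Za-km-z]{26,33}$"),
}

def classify(text):
    """Return the coin whose address shape the text matches, else None."""
    value = text.strip()
    for coin, pattern in PATTERNS.items():
        if pattern.match(value):
            return coin
    return None

def find_swaps(snapshots, max_gap_ms=2000):
    """Flag clipboard changes where an address is replaced by a different
    address of the same coin within max_gap_ms (too fast for a second copy).

    snapshots: list of (timestamp_ms, text) tuples, oldest first.
    """
    alerts = []
    for (t0, old), (t1, new) in zip(snapshots, snapshots[1:]):
        coin = classify(old)
        if coin is None or classify(new) != coin:
            continue
        if new.strip() != old.strip() and t1 - t0 <= max_gap_ms:
            alerts.append({"coin": coin, "copied": old.strip(),
                           "now": new.strip(), "gap_ms": t1 - t0})
    return alerts

# Constructed addresses: valid in shape only, not real wallets.
ADDR_A, ADDR_B = "1" + "A" * 33, "1" + "B" * 33
ETH_A, ETH_C = "0x" + "a" * 40, "0x" + "c" * 40
TIMELINE = [
    (0, "meeting notes"),
    (10_000, ADDR_A),   # user copies the payee's address
    (10_150, ADDR_B),   # overwritten 150 ms later: flagged
    (60_000, ETH_A),    # different coin: not a swap
    (95_000, ETH_C),    # same coin but 35 s later: treated as a new copy
]

if __name__ == "__main__":
    print(find_swaps(TIMELINE))
```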

A screenshot from Cyble shows a Bitcoin wallet controlled by the threat actor. This wallet is linked to 60 transactions, for a total amount of approximately $450 (Figure B).

Figure B

Image: Cyble. Transaction details for an attacker-controlled Bitcoin wallet.

Although this amount of money may seem quite small, attackers often use different wallets for different types of cryptocurrencies. This amount should therefore only be considered as part of the attacker’s financial gain.

How to protect yourself from this threat

Careful verification must be carried out for each payment made in cryptocurrency. Users must visually confirm the wallet used as the destination of the transaction by comparing the result of their copy/paste manipulation to the wallet provided by the seller.

Private keys and seeds for wallets should never be stored unsafely on any device. These should be stored encrypted, if possible, on a separate storage device or on a physical hardware wallet.

Security products must be deployed to detect the threat. Because the initial propagation vector of Keona is not known, we suspect that it could be email. Email security must therefore be deployed. Users should also be made aware of email fraud and phishing.

Finally, the operating system and all the software running on it should always be updated and patched. In the event that the malware is dropped and executed on the system via the exploitation of a common vulnerability, a patched system is highly likely to stop the threat.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.
