The malware known as Clipminer has earned cyberattackers $1.7 million in cryptocurrency mining and theft via clipboard hijacking so far – and it shows no signs of abating.
The Clipminer Trojan, which sports numerous similarities to the KryptoCibule cryptomining Trojan, was discovered by Symantec’s Threat Hunter Team. Its whole raison d'etre is to enable fraudulent cryptocurrency transactions.
The team determined that Clipminer is likely spread through Trojanized downloads of cracked or pirated software. The infection chain begins with a self-extracting WinRAR archive and then executes a downloader file, which connects to the Tor network to download Clipminer’s components.
The malware can redirect cryptocurrency transactions made on the infected computer by replacing cryptocurrency wallet addresses copied to a clipboard with new addresses under the control of the hacker. Clipminer uses addresses matching the prefix of the targeted original address to disguise the manipulation.
The team noted that the malware contains 4,375 unique addresses of wallets controlled by the attacker, of which the vast majority were used for just three different formats of Bitcoin addresses.
The malware also uses cryptocurrency-mixing services, known as tumblers, which can help hide the fund’s original source.
Dick O’Brien, principal editor for the Symantec Threat Intelligence Team, tells Dark Reading that one of the very first questions the team asked when it started looking at Clipminer was whether the person or people behind it are making any money. The answer was yes.
“That can really help you gauge how much of a threat this is,” he explains. “If it’s profitable, they’re not going to quit, and the odds are they’ll want to expand."
What’s interesting about Clipminer, he adds, is that it seems to tread the line between making good money while maintaining a relatively low profile.
“I don’t know whether that’s by accident or design,” O’Brien says. “It’s a relatively sophisticated botnet. It’s not just your average coinminer. It’s a dual-pronged threat since it’s also capable of stealing via clipboard hijacking. And the latter is done pretty stealthily.”
He points out that Clipminer goes to some lengths to disguise the fraudulent transactions and noted the group has thousands of payment addresses. It picks the one that most resembles a legitimate payment address for each victim.
“The obvious threat for enterprises is that any kind of coinminer is a drain on computing resources,” O’Brien says. “But beyond that, you don’t want any kind of botnet getting a foothold on your network. We’ve seen in the past how botnets can evolve and be repurposed to deliver other, more potent threats.”
All of the usual best practices apply to protect against these kinds of threats, he adds, but in this case avoiding nonlegitimate software resources is the best protection.
“You need to audit what software is running on your network, and any unauthorized software, whether it’s pirated or not, needs to be addressed,” he says.
The really interesting question at the moment is how cryptocurrency-mining threats are going to evolve in the near future, O’Brien says.
“We’ve seen a lot of instability in the cryptocurrency space and even speculation that we’ll see a major crash," he says. "Obviously if the coins are worthless or near worthless, there’s going to be less interest in mining them. But that's just the start of it. Any major upheaval will have a much wider impact. Crypto underpins the entire cybercrime ecosystem.”