ClipBanker Malware Tries to Stop Our Defence Tool CryptoClipWatcher

Innovation and Laboratory Area in ElevenPaths    4 August, 2020

The malware capable of modifying the clipboard to “switch” the crypto wallet still exists. To fight it, ElevenPaths developed CryptoClipWatcher, a tool that monitors the clipboard and alerts if there are any unnoticed changes. ClipBanker malware takes this into account and tries to stop the process before infecting.

The crypto clipboard hijacking technique has been common in malware for years. In 2018 we launched CryptoClipWatcher. Once installed, our tool will check whether, once a wallet or crypto address has been copied to the clipboard, it is changed before it is replaced with something else. We show here a video that explains how it works.

ClipBanker Trojan, built in .NET, has been detecting our tool for some time now and trying to stop it. The last known sample we have checked is from May 2020. Let’s see how it works.

How This Malware Works

As we have mentioned, this malware monitors the clipboard to steal cryptocurrencies, but also exfiltrates private keys from the Wallet Import Format (WIF) through IP logger. The interesting point is how it protects itself from being analysed or stopped. To check if it is running on a virtual machine, it uses WMIC to query BIOS information, in particular it uses the command “wmic bios” and search for words like VBOX, VirtualBox, XEN, qemu, bochs and VM.

To detect antiviruses, it also uses WMIC to ask Windows Security Center which products are available. The query is:

ManagementObjectSearcher(‘root\\SecurityCenter2’, ‘SELECT * FROM AntivirusProduct’)

And then it looks up our CCW.

In the following function called CCW, it looks for whether there is a process with a specific name stored in the variable ccwProcessName.

The variable is obfuscated:

This is a base64 string and XOR f952db5f-fac5-4f65-8d60-db225f0c1c26 has been applied to it in base64. Once resolved:

Our application runs with privileges in the system, so the process can only be stopped if the malware runs with those privileges as well.

This is the sample we have analysed: 5dd16f9e2351216d683038f772ef8ca07373eb04d4e97b3a031bb98c1dca25c9

Leave a Reply

Your email address will not be published. Required fields are marked *