Clipper.1 Analyzing a generic .NET Clipboard Hijacker
December 16, 2022
Getting your hands on malware C2s (for vulnerability research) isn’t easy without financing cybercrime groups. Thankfully, there’s a cheap solution: leaks! It isn’t exactly legal, but no threat actor would be brave/stupid enough to sue, so it’s pretty safe. Scouring various barren forums is time-consuming; thankfully, I have my own secret mushroom patch with an abundant supply of fresh malware (which I discovered thanks to @c3rb3ru5d3d53c on Twitter).
As shown in the screenshot above, the leaked tools are backdoored “for seacurity reason”. This blog post will detail the analysis of this backdoor.
The leaked tools come in the form of SFX archives bundled with a generic Clipper that is run when the archives are executed. The malware attempts to replace legitimate BTC, XMR and ETH addresses saved in the users’ clipboard with its own.
unrar can be used to extract the contents of the SFX archive without running the Trojan.
Infection chain
SHA256(crack.exe): c3a6f41b0991f67f2a9cb77abea87ee06fb8e5c0f6db9b1ce6bc833dbe45c96c
Mutex: pqdXXeEmLRGXHCg1
Crypto addresses:
- BTC: 1H8M6uYCSAquJuZjTjy33ruXs23hZy72E9
- XMR: 8AFcmXsQttSXuBeYCL9fpa2rn5JrDwwoihMerrwF48V7Ar1EKNTZyGa6G2tMFMhEZNEReroTLe2gPSMQw6VZLSD65AyBqzD
- ETH: 0x9e60ca775c5c6c65e900795782be58e0de549615
Extracting the backdoor
Leaked tools come in the form of RAR archives containing a single eponymous PE file. This file is, in fact, a Self-extracting RAR archive (SFX).
An SFX (SelF-eXtracting) archive is an archive merged with an executable module, which is used to extract files from the archive when executed. SFX archives come in either the RAR or ZIP format. A configuration file can be passed to the archive detailing commands to run when executed.
Thus, packaging malware in Self-extracting archives is analogous to regular droppers and is a technique that is far from recent.
Extraction of a 7zip SFX malware has been documented in this blog post by Tony Lambert and the analysis of a WinRAR SFX malware has been posted on the 0x00sec forum (sadly the images are no longer available).
The configuration file of SFX RAR archives can be viewed with WinRAR on Windows (Open with WinRAR) and unrar on Linux (unrar l archive.sfx | less). From the screenshot below we can see the leaked tools are packaged with a shortcut (harmless, used only for advertising) and a PE file (crack.exe). The SFX archive’s Setup runs this executable before extracting the archive, so it must be the backdoor.
Extracting the leaked tool without infecting oneself is as simple as running unrar twice: once on the original RAR archive and a second time on the SFX executable.
Analyzing the backdoor
DIE indicates the backdoor is a small (18kb)
The malware lights VirusTotal up like a Christmas tree and gets recognised as TrojanBanker. The backdoor’s Assembly Name (Crypto.exe) and the fact that it calls AddClipboardFormatListener seem to indicate the malware is a Clipboard Hijacker.
A Clipper/Clipboard Hijacker is malware that replaces cryptocurrency wallet addresses saved in users’ clipboards with others owned by cyber criminals.
Opening the malware in dnSpy reveals that the code is completely unobfuscated. On execution, the malware performs two preliminary actions before running. It first checks if a mutex exists (green); this ensures that only one instance of the malware can run at a given time. It then establishes persistence (blue) by copying itself to the Startup directory. After that, the program instantiates a ClipboardNotification.NotificationForm and passes it to
NotificationForm sets the window as Message-Only with a call to SetParent (here are the different HWND constants) and subscribes to clipboard events.
NotificationForm overrides the WndProc function (responsible for processing messages sent to a window) and waits for a message with an ID equal to 0x31D (WM_CLIPBOARDUPDATE). When it receives one, it checks whether the clipboard contains a BTC address and, if so, replaces it with its own address. This step is repeated for the Monero and Ethereum addresses.
Clipboard overrides both the SetText methods of the System.Windows.Forms.Clipboard class to have them run in a new thread before returning. The SetText method, however, also exfiltrates the target address and the address it was changed with to a C2 via a GET request.
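As an added, defender-side illustration (not code from this post or from the Clipper itself): a small Python helper that classifies clipboard text as one of the three currencies the Clipper targets, validates legacy BTC addresses with their Base58Check checksum, and flags the transition a hijacker produces, namely a copied address replaced by a different address of the same currency. The address patterns (legacy/bech32 BTC, 95-character XMR, 0x-prefixed ETH) and the sample clipboard timeline are assumptions constructed for the example; the replacement address is the BTC address listed in this post.

```python
import hashlib
import re

PATTERNS = {  # assumed address shapes, see lead-in
    "BTC": re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})"),
    "XMR": re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}"),
    "ETH": re.compile(r"0x[0-9a-fA-F]{40}"),
}
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def classify(text):
    """Return 'BTC', 'XMR', 'ETH' or None for one clipboard string."""
    text = text.strip()
    for name, pattern in PATTERNS.items():
        if pattern.fullmatch(text):
            return name
    return None

def btc_base58check_ok(addr):
    """Verify the Base58Check checksum of a legacy (1.../3...) BTC address."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' stands for a 0x00 byte that the integer form drops.
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum

def find_swaps(snapshots):
    """Flag transitions between two different addresses of the same currency,
    which is exactly what the Clipper produces right after a wallet address is copied."""
    swaps = []
    for before, after in zip(snapshots, snapshots[1:]):
        kind = classify(before)
        if kind and kind == classify(after) and before.strip() != after.strip():
            swaps.append((kind, before.strip(), after.strip()))
    return swaps

# Constructed timeline: user copies a BTC address, the Clipper swaps in its own, user copies plain text.
SAMPLE_SNAPSHOTS = [
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
    "1H8M6uYCSAquJuZjTjy33ruXs23hZy72E9",
    "meeting at 10",
]
```

Running find_swaps(SAMPLE_SNAPSHOTS) reports one BTC swap; a real watchdog would sample the clipboard on WM_CLIPBOARDUPDATE and compare against the value the user actually copied.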
The different addresses, mutex value, C2 URL and configuration data are stored unencrypted in the
The second blog post in this series will be about coding a static config extractor for the Clipper. Stay tuned!