Ethereum Threat Actors Part 2 — ClipboardWalletHijacker Malware Still Active.

Executive Summary

In part two of our mini-series (see part #1) describing how cybercrime actors are using the Ethereum blockchain for fraudulent means, we analyze a clipboard hijacker malware targeting Bitcoin and Ethereum users. This malware, renamed ClipboardWalletHijacker by Qihoo360 Security Center, was first discovered in June 2018, after having infected 300 thousand computers within a week.

Qihoo360 provided an Ethereum address (0x001D3416DA40338fAf9E772388A93fAF5059bFd5) and using this information, we pivoted off the address and obtained one variant of the binary we analyzed for this post: a6d3a5dac6c195d4d5e07fef218fd17b50d3384142af246fb6bc63114b54b613.

In this blogpost we provide a quick look at the binary’s behavior, while focusing our analysis on the hijacked Ethereum transactions. By doing this, we identify how much potential profit the author derives out of this malware, as well as, what crypto exchange the author used.

Quick ClipboardWalletHijacker Analysis

Binary information:

The overall Trojan behavior is the following:

  • Creates a mutex with the unique name “llsdkj3e0pr”
  • Creates and reads registry keys
  • Continuously monitors the content of the clipboard
  • Checks whether the clipboard content is an Ethereum address and replaces it
  • Checks whether the clipboard content is a Bitcoin address and replaces it

Leveraging QuoLab’s Malware Tool, we find that the binary is composed of eight functions, three of which the tool automatically flagged as modifying sensitive data (Clipboard and Credential). These three functions implement the whole clipboard hijacking mechanism (modification of the clipboard content). Furthermore, the QuoLab Malware Tool found multiple binaries containing exactly the same functions (see the Count column), meaning that our database already holds multiple variants of this malware.

Image 1: QuoLab Malware Tool analysis

Looking at the malware start function, the string “0x001D3416DA40338fAf9E772388A93fAF5059bFd5” is pushed onto the stack before calling the sub_402072 function.

Image 2: Start function calling sub_402072 with Ethereum address as parameter in IDA Pro

This hardcoded string is a valid Ethereum address: the mixed upper and lower case of its A-F hexadecimal letters forms a correct checksum (the EIP-55 mixed-case checksum).

Image 3: Clipboard hijacking function decompiled with IDA Pro — Hex-Rays Decompiler

The function (sub_402072) is in charge of emptying the clipboard (EmptyClipboard WinAPI) and replacing its content with the hardcoded address (SetClipboardData WinAPI).

Hijacked Ethereum Transactions

So far, this Trojan has stolen about 24 Ether over a year, estimated at USD 10.000 at the time of writing. Furthermore, at least 147 Ethereum token transactions have been hijacked as well, but the malware author has not yet converted these tokens back to Ether.

Image 4: List of 0x001D3416DA40338fAf9E772388A93fAF5059bFd5 transactions (02/04/2019) on etherscan.io

More than 35 Ethereum transactions have been hijacked since the June 2018 blogpost from Qihoo360, and, based on all the transactions (standard + ERC20 token), we can determine that over 180 unique Ethereum users have been robbed.

One alleged victim even wrote a comment on etherscan.io after noticing the unusual behavior that occurred during a copy and paste (i.e. the clipboard hijacking process):

Image 5: Victim commentary on etherscan.io

Cryptocurrency Exchange Used by the Actor

Image 6: QuoLab fact tool analysis — Ethereum interactions

The malware author has routed all of their gains through nine different swap Ethereum addresses. Based on their transaction history, we note: (1) that these addresses were never used before the author used them for fraud; and (2) that the addresses forwarded the stolen Ether immediately after receiving it. The analyzed payout transactions (listed below) ultimately lead to the same Ethereum address, owned by the Swiss cryptocurrency exchange Bity.com.

List of payout transactions going to Bity.com:

The Bity exchange may be the preferred exchange for the threat actor because of its limited verification process for transactions and conversions. For example, the exchange asks for a phone number at minimum if you want to sell or convert cryptocurrency; however, this verification step can be bypassed using an online SMS receiver, for example. Additionally, Bity sets a daily and yearly limit of CHF 5.000 if the user profile is not complete, meaning that the malware author must provide some (probably fake) information to increase their limit.

Packers & Variants

During our research, we found several variants of the malware containing the same hardcoded Ethereum address but using different basic off-the-shelf packers such as UPX and ZProtect (hashes in “Indicator of Compromise”).

Image 7: QuoLab screenshot of the similarity between 2 variants of the malware

Focusing on the overlaps between these two samples, the similarities are easy to identify:

  • Same Ethereum address, but different Bitcoin addresses
  • Eight functions in both binaries, 7/8 identical
  • Same import table

Conclusion

The ClipboardWalletHijacker malware is still active against Ethereum and Bitcoin users, with around BTC 1.6 stolen using at least the five Bitcoin addresses listed under “Indicator of Compromise”.

Clipboard wallet hijacking is a stealthy, long-term attack method: infected users will most likely discover the infection only post-mortem, after realizing that fraudulent cryptocurrency transfers have occurred.

Image 8: Activity diagram of 0x001d3416da40338faf9e772388a93faf5059bfd5 on bloxy.info

The ClipboardWalletHijacker is rather profitable considering the low skill level required to program it: fewer than 100 lines of code are needed.

This type of malware is also no longer limited to Windows operating systems, since recent samples have been found on Android as well.

We hope that our analysis has provided some insight into actors leveraging and abusing cryptocurrencies, and this attack vector in particular.

Your feedback is as always welcome!

Patrick Ventuzelo, Security Researcher at QuoScient


Indicator of Compromise

SHA-256:


Mutex:

  • llsdkj3e0pr

Ethereum address:

  • 0x001D3416DA40338fAf9E772388A93fAF5059bFd5

Bitcoin addresses:

  • 13bRgHqz1PbYNsB9RmDJA2MJH9UnjgXZBh
  • 1QJ5MoUPTKF8f7pc5hK59nKtXBpDQaJP2v
  • 1Hz7TagSRtcRRAR5DjaoZ9r2NU4WZtbXBc
  • 19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL (from Qihoo 360 blogpost)
  • 1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1 (from Qihoo 360 blogpost)