Analysis Summary

A cryptocurrency exchange has issued a warning about a persistent global threat that uses clipper malware to target cryptocurrency users in an attempt to facilitate financial crime.

Microsoft refers to clipper malware, also known as ClipBankers, as cryware. It can track a victim's clipboard activities and obtain private information that a user copies, including the ability to swap out cryptocurrency addresses with ones that are controlled by an attacker. By doing this, transfers of digital assets started on a compromised system are sent to a rogue wallet rather than the correct location.

During clipping and switching, a cryware keeps track of what is on the user's clipboard and searches for and recognizes strings that resemble hot wallet addresses using string search patterns. The attacker's address is substituted for the object in the clipboard by the cryware if the target user copies something or presses CTRL + V within an application window. In a September 13 advisory, the cryptocurrency exchange stated that it has been monitoring a widespread malware threat that aims to replace cryptocurrency wallet addresses by intercepting data stored in the clipboard.

There has been a noticeable increase in activity around this issue, especially on August 27, 2024, which has caused impacted users to suffer large financial losses. Unofficial apps and plugins are a common way for the malware to spread, particularly on Android and online apps, but iOS users should also exercise caution. There is evidence to imply that consumers unintentionally install these malicious apps when looking for software through unofficial channels or in their native languages, mostly because of national constraints.

To stop more fraudulent transactions, the company said it is blocking the attacker addresses and has alerted the impacted users, warning them to look out for any indications of dubious software or plugins. In addition to cautioning users against downloading software from unapproved sources, the company advises being cautious while installing apps and plugins and making sure they are genuine.

The overall illegal activity on-chain has decreased by almost 20% year so far, according to data released last month by a blockchain analytics company, although inflows of stolen assets have almost quadrupled from $857 million to $1.58 billion. The U.S. Federal Bureau of Investigation (FBI) says that 2023 broke records for cryptocurrency fraud, with losses totaling over $5.6 billion—a 45% rise over the year before. The United States accounted for the great majority of losses with a cryptocurrency connection, with the Cayman Islands, Mexico, Canada, the United Kingdom, India, Australia, Israel, Germany, and Nigeria following closely after.

Impact

• Sensitive Data Theft
• Financial Loss
• Cryptocurrency Theft
• Cyber Espionage

Remediation

• Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
• Carefully check the URLs before entering credentials or downloading software.
• Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
• Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Never trust or open links and attachments received from unknown sources/senders.