| Clipper | |
| --- | --- |
| Type of Malware | Infostealer (clipboard hijacker) |
| Date of Initial Activity | 2017 |
| Motivation | Data Theft (diversion of cryptocurrency payments) |
| Attack Vectors | Phishing, trojanised downloads, compromised apps |
| Targeted Systems | Windows (later Android) |
| Type of Information Stolen | Financial Data (cryptocurrency funds) |
Overview
Clipper malware is a clipboard hijacker aimed at cryptocurrency users: it watches the system clipboard for copied wallet addresses and silently replaces them with an address controlled by the attacker. The technique first appeared on Windows in 2017 and later moved to Android, where the habit of copying and pasting addresses between wallet apps makes it at least as effective. The attack is simple but fits how people actually transact. A user copies a recipient's address, pastes it into a wallet or exchange form and sends the funds; unless the pasted string is compared character by character with the original, the payment goes to the attacker's wallet instead of the intended recipient.
Clipper relies on wallet addresses being long, non-memorable strings (26 to 35 Base58 characters for a legacy Bitcoin address, 42 hexadecimal characters for an Ethereum address), so a replaced address is rarely noticed by eye, and users who paste the same address repeatedly are even less likely to look. The malware has nothing to do until an address appears, so it sits idle in the background and generates no visible activity. It is typically discovered only after a transaction has been confirmed to the wrong address, by which point the transfer cannot be reversed.
Targets
Individuals
How they operate
Clipper gains its foothold through the usual commodity-malware channels: trojanised downloads, phishing attachments or compromised apps. Once running, its core loop is small. It reads the clipboard at short intervals, or registers for clipboard-change notifications (on Windows through the Win32 clipboard API: OpenClipboard, GetClipboardData, SetClipboardData), and tests any text it finds against patterns for the address formats it is built to hijack, typically Bitcoin and Ethereum. When the text matches, it writes an attacker-controlled address of the same format back to the clipboard. Because the replacement has the same shape and length as the original, the victim rarely notices; by the time the address is pasted into a transaction form and the transfer is sent, the funds are on their way to the attacker.
Clipper's main defence-evasion property is that it does not need to talk to anyone. Unlike stealers that must upload harvested data, a clipper can carry its replacement addresses inside the binary and never open a network connection: there is no beacon, no exfiltration stream and nothing for network-based tools to flag. The clipboard access itself uses ordinary operating-system APIs that many legitimate programs also call, so that behaviour does not stand out on its own. Some variants add masquerading, borrowing process or file names from system components or installing into little-used directories to avoid attention from antivirus products. The practical consequence is that detection has to happen on the host, for example by watching which process writes to the clipboard, or by noticing that a copied address was overwritten by a different address milliseconds after the user copied it.
Some variants also make themselves persistent: they inject into a long-lived process, add a registry Run key, scheduled task or startup entry, or otherwise arrange to be relaunched after a reboot, so the clipboard loop is always running. A few add anti-debugging and anti-analysis checks to slow down reverse engineering.
In short, Clipper is a narrowly scoped but effective threat. It does one thing, rewriting clipboard contents in real time, and needs little else (no network traffic, no credential theft, no noisy behaviour) to divert cryptocurrency payments. The mitigations are correspondingly specific: verify the pasted address against the source every time, comparing the whole string rather than only the first and last few characters; prefer a wallet address book or a hardware wallet that displays the destination on its own screen; and send a small test transaction before a large one. On the host, monitoring of clipboard writes and standard anti-malware coverage still apply.
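The following script is an added illustration written for this page, not code from any Clipper sample or from a security product. It shows the two halves of the behaviour described above: the address-pattern matching a clipper (or a monitor) uses to decide that clipboard text is a wallet address, and a host-side detector that flags an address being overwritten by a different address of the same type within a short window. The clipboard events are constructed by hand so the script runs offline; the `owner` field is an assumption standing in for what GetClipboardOwner plus GetWindowThreadProcessId would report on a real Windows host, and the process names in the sample are invented.

```python
# Added example for this page: clipboard address matching plus swap detection.
# Not Clipper's own code and not taken from any product; events are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional

# Prefix/charset/length patterns for the address formats clippers most often
# target.  Base58 excludes 0, O, I and l; Bech32 excludes 1, b, i and o.
# No checksum validation: a clipper only needs "looks like an address",
# and so does a detector.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address type of `text`, or None if it is not an address."""
    t = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(t):
            return kind
    return None


@dataclass
class ClipEvent:
    t_ms: int      # time the clipboard changed, ms since the monitor started
    content: str   # new clipboard text
    owner: str     # process that wrote it (assumed field; from GetClipboardOwner)


@dataclass
class SwapAlert:
    original: str
    replacement: str
    kind: str
    owner: str     # process that performed the overwrite
    delta_ms: int  # how long after the original copy the overwrite happened


def detect_swaps(events: List[ClipEvent], window_ms: int = 2000) -> List[SwapAlert]:
    """Flag an address overwritten by a different address of the same type
    within `window_ms`.  A person copying two addresses takes seconds; a
    clipper overwrites within milliseconds of the user's copy."""
    alerts: List[SwapAlert] = []
    previous: Optional[ClipEvent] = None
    for ev in events:
        kind = classify(ev.content)
        if previous is not None and kind is not None:
            same_kind = classify(previous.content) == kind
            changed = previous.content.strip() != ev.content.strip()
            delta = ev.t_ms - previous.t_ms
            if same_kind and changed and delta <= window_ms:
                alerts.append(SwapAlert(previous.content, ev.content,
                                        kind, ev.owner, delta))
        previous = ev
    return alerts


# Constructed clipboard history: the user copies two addresses and a background
# process overwrites each within tens of milliseconds.  All values are fake.
VICTIM_BTC = "1VictimDemoAddr" + "Q" * 18      # 33 Base58 characters
ATTACKER_BTC = "1AttackerDemoAddr" + "Q" * 16  # 33 Base58 characters
VICTIM_ETH = "0x" + "11" * 20
ATTACKER_ETH = "0x" + "22" * 20

SAMPLE_EVENTS = [
    ClipEvent(0,     VICTIM_BTC,     "wallet.exe"),
    ClipEvent(35,    ATTACKER_BTC,   "svchost.exe"),  # swapped 35 ms later
    ClipEvent(9000,  "meeting at 3", "notepad.exe"),  # benign text, ignored
    ClipEvent(12000, VICTIM_ETH,     "chrome.exe"),
    ClipEvent(12060, ATTACKER_ETH,   "svchost.exe"),  # swapped 60 ms later
    ClipEvent(40000, VICTIM_BTC,     "chrome.exe"),   # user copies again; no alert
]


def run_demo() -> List[SwapAlert]:
    """Run the detector over the constructed history and return its alerts."""
    return detect_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a.kind}] {a.original} -> {a.replacement} "
              f"by {a.owner} after {a.delta_ms} ms")
```

The timing rule is deliberately coarse: it catches the automated overwrite without needing to know which process is malicious, and the `owner` value is carried along only for triage. A paste-side check is the same comparison from the user's end: the string about to be submitted must equal, in full, the string originally copied.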
MITRE Tactics and Techniques
Collection (TA0009)
Tactic Description: Clipper reads the clipboard and inspects its contents for cryptocurrency wallet addresses, which maps directly to Clipboard Data (T1115). The collected value is not sent anywhere; it is used locally to decide when to substitute an address.
Exfiltration (TA0010)
Tactic Description: This mapping is a loose fit. Clipper does not exfiltrate data in the ATT&CK sense and need not generate any network traffic; the loss occurs when the victim submits a transaction to the substituted address. The page keeps the tactic here because the outcome, funds leaving the victim's control, is the same as a data theft.
Impact (TA0040)
Tactic Description: Clipper's impact is direct financial loss: it rewrites the destination address in the clipboard so that the victim's own transaction pays the attacker, a form of Data Manipulation (T1565). Because cryptocurrency transfers are irreversible, the impact is realised the moment the transaction confirms.
Persistence (TA0003)
Tactic Description: Some variants survive a reboot by adding a registry Run key or startup entry (T1547.001) or a scheduled task (T1053.005), or by injecting into a long-lived process, so the clipboard loop resumes automatically.
Defense Evasion (TA0005)
Tactic Description: Clipper runs quietly in the background, touches the clipboard only when it sees a target address and generates little or no network traffic, so network-based controls have nothing to flag. Variants that rename their files or processes after system components are Masquerading (T1036), and those that detect debuggers to hinder analysis fall under Debugger Evasion (T1622).