| Field | Value |
| --- | --- |
| Name | Laplas |
| Type of Malware | Clipper |
| Location – Country of Origin | Russia |
| Date of initial activity | 2022 |
| Associated Groups | APT28 (Fancy Bear, Sofacy), APT34 (Nobelium, Cozy Bear), Lazarus Group (Hidden Cobra) |
| Motivation | The goal of clipper malware like Laplas is to divert a virtual currency transaction intended for a legitimate recipient to a wallet owned by the threat actor. |
| Attack Vectors | Phishing emails, malware-infected websites, drive-by download, USB drives, P2P file sharing |
| Targeted System | Windows, macOS, Linux, Android, iOS |
Overview
Laplas is a clipper malware that spreads via other malware. Currently, the downloader SmokeLoader is spreading Laplas via phishing emails that contain malicious documents.
Targets
- Cryptocurrency users
- Government and military organizations
- Financial institutions
- Businesses
- Individuals
Tools / Techniques Used
This malware hijacks a cryptocurrency transaction by replacing the wallet address a victim has copied to the clipboard with a wallet address owned by the threat actors, so that the funds are sent to the attacker's wallet when the victim pastes the address into the transaction.
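The defender's view of this technique is that the clipboard content at paste time no longer matches what the user copied. The following Python is an added example, not code from the page or from any Laplas analysis: it models a clipboard monitor as a sequence of constructed copy/paste events and raises an alert when an address-like string comes off the clipboard that differs from the text the user last copied. The event format, the simplified address patterns (Bitcoin legacy, Bitcoin bech32, Ethereum) and the sample addresses are assumptions made for the example; a real monitor would hook the OS clipboard and verify address checksums.

```python
import re
from typing import Dict, List, Optional, Tuple

# Simplified address shapes (assumption: covers Bitcoin legacy/bech32 and Ethereum;
# a production monitor would add more chains and verify checksums instead of shapes).
ADDRESS_PATTERNS: Dict[str, re.Pattern] = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address family a string looks like, or None if it is not address-like."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


# Constructed clipboard event log: (kind, text).
# "copy"  = what the user placed on the clipboard with a copy action.
# "paste" = what actually came off the clipboard when the user pasted.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("copy", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # user copies a BTC address
    ("paste", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # unchanged at paste: benign
    ("copy", "invoice #4711 due Friday"),  # ordinary text, not an address
    ("paste", "invoice #4711 due Friday"),
    ("copy", "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe"),  # user copies an ETH address
    ("paste", "0x1111111111111111111111111111111111111111"),  # address replaced in between
]


def detect_swaps(events: List[Tuple[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Flag pastes of an address-like string that differs from the text last copied.

    The check is deliberately one-directional: a user who copies a new address
    updates last_copied and is never flagged; only a clipboard whose content
    changed between copy and paste into an address the user did not copy is.
    """
    alerts: List[Dict[str, Optional[str]]] = []
    last_copied: Optional[str] = None
    for kind, text in events:
        text = text.strip()
        if kind == "copy":
            last_copied = text
        elif kind == "paste":
            family = classify(text)
            # No alert if the paste is not address-like, if nothing was copied yet,
            # or if the paste is exactly what the user copied.
            if family is None or last_copied is None or text == last_copied:
                continue
            alerts.append({
                "family": family,
                "copied": last_copied,
                "copied_family": classify(last_copied),
                "pasted": text,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(
            f"ALERT: {alert['family']} address swapped on clipboard: "
            f"copied {alert['copied']} but pasted {alert['pasted']}"
        )
```

On the constructed log this raises exactly one alert, for the Ethereum address that was replaced between copy and paste; the unchanged Bitcoin address and the non-address text produce none. The same comparison is the basis of the user-facing mitigation: always compare the first and last characters of the pasted address against the intended recipient before confirming a transfer.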
Impact / Significant Attacks
In November 2022, Laplas malware was used to steal cryptocurrency from a number of victims. The malware was delivered through phishing emails that appeared to be from a legitimate cryptocurrency exchange. When victims opened the emails, they were tricked into clicking on a malicious link that installed the malware on their computers. The malware then stole the victims’ cryptocurrency wallet addresses and passwords, which were then used to steal their cryptocurrency.
In December 2022, Laplas malware was used to attack a number of government and military organizations in the United States. The malware was delivered through spear phishing emails that targeted specific individuals at these organizations. When the victims opened the emails, they were tricked into clicking on a malicious link that installed the malware on their computers. The malware then stole the victims’ sensitive information, such as passwords, credit card numbers, and government clearances.
In January 2023, Laplas malware was used to attack a number of financial institutions in Europe. The malware was delivered through phishing emails that appeared to be from a legitimate financial institution. When victims opened the emails, they were tricked into clicking on a malicious link that installed the malware on their computers. The malware then stole the victims’ banking information, which was then used to steal their money.
Indicators of Compromise (IoCs)
Domains
Clipper[.]guru
IPs
185[.]223[.]93[.]251
188[.]34[.]207[.]137
45[.]159[.]189[.]105
79[.]137[.]199[.]252