New variants of clipper malware have emerged, targeting people who transact in cryptocurrency. A clipper does not steal credentials: it watches the clipboard and, when it sees a copied cryptocurrency wallet address, silently replaces it with the scammer's own address, so the funds the victim then pastes into a transfer go to the attacker instead. Because the swap happens between copy and paste, users are urged to re-check the destination address before confirming a transaction and not to leave their crypto wallet data sitting on the clipboard.
Several clipper variants, including Atlas clipper, Keyzetsu clipper, and KWN clipper, have been discovered by Cyble Research and Intelligence Labs (CRIL) on cyber criminals' Telegram channels, where they are sold and advertised. Victims are likely lured into the campaign through phishing emails. The Atlas clipper, for example, is advertised on the dark web, can hold up to seven attacker wallet addresses, and is offered at a discounted price of $50; it can also delete itself after the fraudulent transaction has completed.
Researchers analyzed the code of these variants to understand how they work. The Atlas clipper drives the standard Win32 clipboard API: OpenClipboard() to take ownership of the clipboard, IsClipboardFormatAvailable() and GetClipboardData() to check for and read the current text, SetClipboardData() to overwrite it with the attacker's address, and CloseClipboard() to release the clipboard so the victim's next paste picks up the swapped value. Even when its self-delete option removes the executable from disk, the already-running process stays resident in memory and keeps swapping addresses for further fraudulent transactions.
The Keyzetsu clipper, by contrast, can hold more than 12 cryptocurrency wallet addresses and uses a Telegram channel as its command-and-control (C2) server. It sleeps for a period at start-up, a common trick for outlasting automated sandbox analysis, and creates a mutex so that only one instance of the malware runs on a system. Like Atlas, it then polls the clipboard for wallet addresses to replace.
Another variant, the KWN clipper, is a 64-bit executable written in Go. It likewise reads the clipboard and swaps in attacker-controlled addresses to redirect the victim's transactions.
To mitigate the risk from clipper malware, researchers recommend checking the authenticity of the source before submitting cryptocurrency wallet data, which in practice means comparing the pasted destination address character by character against the intended one before confirming a transfer, since a clipper only succeeds if the swapped address goes unnoticed. They also recommend using strong passwords and changing them regularly, opting for high-security login processes such as OTPs and multi-factor authentication, keeping software updated, and running credible antivirus software regularly so that malware is detected and removed promptly.
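The mechanism described above (match a wallet address on the clipboard, rewrite it to one of several operator addresses held by the sample) and the first recommendation (verify the destination address before submitting it) can both be made concrete in code. The following is an added example, not code from Cyble's report or from any of the clipper samples. It is written in Python rather than against the Win32 clipboard API so that it runs offline: the clipboard is a plain string, the operator wallet set (DEMO_ATTACKER_WALLETS) is constructed from a fixed hash and is not a real attacker address, and the public Bitcoin genesis-block address stands in for the victim's intended destination.

```python
"""Added example: the address-swap logic a clipper performs (attacker side)
and a paste-verification check (defender side), in pure Python.
No clipboard access: the "clipboard" is a plain string so this runs offline;
for a live check, feed real clipboard reads into verify_paste()."""
import hashlib
import re
from typing import Dict, Optional

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Address shapes a clipper keys on. Only the common Bitcoin/Ethereum forms are
# listed; ETH is matched by shape, not by EIP-55 checksum (a known gap here).
PATTERNS = {
    "btc-p2pkh":  re.compile(r"\b1[1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    "btc-p2sh":   re.compile(r"\b3[1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    "btc-bech32": re.compile(r"\bbc1[02-9ac-hj-np-z]{25,87}\b"),
    "eth":        re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Public Bitcoin genesis-block address, used as the victim's intended destination.
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"


def _dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(payload: bytes) -> str:
    """Version byte + 20-byte hash -> Base58Check address (builds the demo attacker address)."""
    raw = payload + _dsha256(payload)[:4]
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = B58[r] + digits
    leading = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading + digits


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose trailing 4-byte checksum matches."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    leading = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and _dsha256(raw[:21])[:4] == raw[21:]


def classify(text: str) -> Optional[str]:
    """Kind of address if the whole (stripped) string is one address, else None."""
    s = text.strip()
    for kind, pat in PATTERNS.items():
        if pat.fullmatch(s):
            return kind
    return None


def validate(addr: str) -> bool:
    """Well-formed address? Base58Check verified for legacy BTC forms, shape only otherwise."""
    kind = classify(addr)
    if kind in ("btc-p2pkh", "btc-p2sh"):
        return base58check_valid(addr.strip())
    return kind is not None


def clipper_swap(clipboard: str, attacker_wallets: Dict[str, str]) -> str:
    """What a clipper does on every clipboard change: each address of a kind the
    operator configured is rewritten to the operator's address of that kind."""
    out = clipboard
    for kind, pat in PATTERNS.items():
        if kind in attacker_wallets:
            # Address charsets contain no backslashes or group references, so a plain
            # replacement string is safe here.
            out = pat.sub(attacker_wallets[kind], out)
    return out


def verify_paste(copied: str, pasted: str) -> str:
    """Defender-side check: compare what the user copied with what is about to be pasted.
    "swapped" is the clipper signature: same asset class, different address."""
    if copied == pasted:
        return "ok"
    copied_kind, pasted_kind = classify(copied), classify(pasted)
    if pasted_kind is None:
        return "not-an-address"
    if copied_kind == pasted_kind:
        return "swapped"
    return "mismatch"


# Constructed demo operator wallets (not real attacker addresses). The BTC one is
# built with a valid checksum to show that checksum validation alone cannot catch
# a swap: the attacker's address is itself perfectly well-formed.
DEMO_ATTACKER_WALLETS = {
    "btc-p2pkh": base58check_encode(b"\x00" + hashlib.sha256(b"demo-operator").digest()[:20]),
    "eth": "0x" + "cd" * 20,
}

if __name__ == "__main__":
    pasted = clipper_swap(GENESIS_ADDRESS, DEMO_ATTACKER_WALLETS)
    print("pasted:", pasted, "| valid:", validate(pasted),
          "| verdict:", verify_paste(GENESIS_ADDRESS, pasted))
```

The point the check makes is that the swapped address is itself syntactically valid, with a correct Base58Check checksum, so format validation of the pasted string finds nothing wrong; only comparing it against what was actually copied (or against the address the recipient shows you out of band) exposes the swap. Ethereum addresses are matched by shape only; an EIP-55 checksum check would need Keccak-256, which the Python standard library does not provide.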
It is important for cryptocurrency users to stay vigilant and take necessary precautions to protect their assets from these evolving malware variants.

