CyberWire Daily - Clipminer: Making millions off of malware. [Research Saturday]
Episode Date: August 20, 2022
Dick O'Brien from Symantec, a part of Broadcom Software, joins Dave to discuss how the cyber-criminal operation, Clipminer Botnet, makes the operators behind it at least $1.7 million. Symantec's research ...says "The malware being used, tracked as Trojan.Clipminer, has a number of similarities to another crypto-mining Trojan called KryptoCibule, suggesting it may be a copycat or evolution of that threat." Symantec determined that the malware has the ability to mine for cryptocurrency using compromised computers' resources. They also share a way to protect against the cyber-criminal operation, as well as some indicators that you could be compromised. The research can be found here: Clipminer Botnet Makes Operators at Least $1.7 Million
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Yeah, it's not the usual sort of thing that we investigate, but it is a kind of an interesting threat.
The reason I say it's not the usual sort of thing we investigate is because in the greater scheme of things, it's by no means the world's biggest cybercrime operation. And I think that has helped it fly a little bit under the radar.
That's Dick O'Brien. He's a principal editor at Symantec. The research we're discussing today is titled ClipMiner Botnet Makes Operators at Least $1.7 Million.
We saw it cropping up a few times
in customers' environments,
and we got curious,
and we decided to dig a little bit deeper
and look at it in depth
because while ClipMiner is known about and it's been talked about, say, in forums and in social media, nobody really kind of documented it fully.
So what is it? Well, the first interesting thing about ClipMiner is that it's, um, I guess it's a dual-pronged threat, to describe it. So first of all, it's a crypto miner,
which means it will attempt to mine cryptocurrency on the infected computer.
It means they effectively steal the victim's computing resources from them.
But along with that, it's a crypto stealer.
And by that, I mean that if the victim is a cryptocurrency user,
it will attempt to steal some of their cryptocurrency.
It does this by modifying the contents of the clipboard on the computer to redirect payments.
So each time the clipboard is updated, it will scan the clipboard for cryptocurrency wallet addresses.
It's set up to identify address formats that are used by a lot of different cryptocurrencies.
And so if it spots something
that it thinks is a cryptocurrency wallet address,
it will replace it with the address of a wallet
that the attackers own themselves.
I guess what that means for the victim
is, well, imagine they want to pay somebody using their favorite form of cryptocurrency.
What they will do is that they will copy the address they need to send the payment to,
and then they'll paste it into their own wallet in order to send it. Except in this case, by the
time they paste it into their own wallet, it's replaced with another address, and therefore the malware has managed to redirect the payment to the attackers.
cryptocurrency address formats that the malware is configured to scan for, it has a whole heap of different wallet addresses to choose from. And it will choose the address that matches the prefix of the address to be replaced. So this way, unless the victim is really, really paying attention to what is being pasted into their wallet, they may not notice the manipulation.
They may just look at the first few characters and think,
yeah, that's okay, and hit send.
Now, for us, once we started looking into ClipMiner,
one of the first questions that arose really was how much money that this is making.
And I think that can tell you a lot about the gravity
and the longevity of these kinds of threats
because the more money they're making,
the less likely it is to disappear
and the more likely it is that they're going to want
to build on data and make it bigger.
Calculating the earnings is always a little bit tricky
and time-consuming.
So, for example, to start with,
the malware was pre-configured with the addresses of over 4,000 wallets. That's 4,000 wallets controlled by the attackers
themselves. So we took a look at just Bitcoin and the Ethereum wallets, which were the majority
in fairness. And they contained a good amount of money. But we noticed a lot have been transferred
out into tumblers. And these effectively act as money launderers for cyber criminals using
cryptocurrency. And then if you factor the money that has already gone out of the wallets into
these tumblers, we reckoned that they'd made at least $1.7 million from the
clipboard hijacking alone in those currencies.
I should stress that it's $1.7 million at the time of writing, because as we all know,
cryptocurrencies have been hit with a pretty steep drop in value in recent weeks.
So their profits would probably only be intact if they'd cashed out into other real world currencies straight away.
But of course, they potentially made much more than this because we only made an estimate of the clipboard earnings.
The crypto miner earnings were way too complex to calculate in the time that we had.
You know, it's really an interesting point you bring up here that, first of all, $1.7 million could be considered not a whole lot of money relative to some of the other operators out there, right?
Yeah, when you hear about ransomware groups making maybe hundreds of millions of dollars, you know, this is sort of the small leagues. But nevertheless, like for anybody, $1.7 million is a fair amount.
Yeah, and that's where I'm going with this,
which is, is there kind of this funny middle ground where if you're a ransomware operator,
can you operate in this space where you're still making a pretty good living for yourself, but there are a lot of shinier objects out there for law enforcement to try to track down?
It is something that I've been thinking about myself since we published this research. I don't
know whether it's by accident or design that the clipminer people have maybe hit on this sweet spot
where they still make good money, but aren't conspicuous and, as a result, don't have a target
on their back. But if it is by design, it's pretty clever not being so greedy
that you stick your head above the parapet to a great degree.
What about the crypto mining side of things here?
Is there anything noteworthy about that part of it?
The crypto miner itself is a publicly available
Monero mining software called XMRig.
So that component, you know, it's a known thing and it's not by itself malicious.
You know, the malware that surrounds it, I think, is a little bit more interesting in that.
Like it's quite surreptitious in how it behaves,
tries to make sure that attention isn't drawn to the cryptocurrency mining.
So, for example, it will constantly scan for keyboard and mouse usage.
And this is to determine whether somebody is actively using the computer at the time.
And if it decides that nobody's using it, then and only then will the miner kick in.
So obviously, you're going to make more money if it's mining all the time. But the user may notice a lag on the computer's performance.
And it also monitors for any analysis and troubleshooting tools running, and won't run the miner if they're running as well.
And I think, again, that's probably a bid to keep pretty low profile,
because the user may not be using the computer,
they may not have their hands on the keyboard,
but they may be running some sort of scanner diagnostic tool
which could pick up the mining activity.
So take me through how someone could find themselves infected with this.
How are they going after their victims?
We didn't see the complete attack chain ourselves,
but just going by what we've heard from third parties and things like that,
we think their main infection vector is trojanized downloads,
even pirated software, things like that.
What is contained within them,
the first evidence of infection we see
is the arrival of a self-extracting WinRAR archive
that drops on the computer.
It runs a downloader that's a DLL file, and then it connects to the
Tor network and it downloads the actual Clipminer payload itself. And then, of course, you want
Clipminer to stay running once it's on your computer. So it creates what you call persistence
by creating a scheduled task, which means every time the user reboots,
if they reboot, ClipMiner will restart.
And what are your recommendations
for folks to best protect themselves?
I mean, I guess, obviously,
don't download pirated software,
but beyond that.
Yeah, I mean, really, you know,
I mean, it is pretty obvious,
but like, you know, this is an illustration once again of like why you shouldn't be downloading any types of pirated content because like they tend to, you know, they're frequently of how your computer is behaving and performing.
And if you notice all of a sudden, like this, your computer is way more sluggish than it used to be and stuff like that, it probably does warrant further investigation.
It may not always be malicious, but it definitely warrants checking.
Do we have any idea who's behind this, what part of the world they're hailing from?
No, not in terms of what part of the world they're hailing from.
We may have a little bit of an origin story or an origin hypothesis, because ClipMiner itself has been circulating since January of last year, January 2021. And it emerged shortly after a kind of similar threat called KryptoCibule. I think I'm,
I hope I'm pronouncing that correctly, but it was discovered by ESET. And when we looked at that,
it was actually quite similar to ClipMiner. We can't say they're exactly the same thing,
but they're very similar. So that left us with two hypotheses, either after the exposure by ESET at the end of 2020,
the actors behind this older threat may have decided to go back to the drawing board and launch a new tool in the form of ClipMiner. But then the other hypothesis is that somebody had come across this older threat
and decided to create ClipMiner
in its image or something similar.
Our thanks to Dick O'Brien
from Symantec for joining us.
The research is titled ClipMiner Botnet Makes Operators at Least $1.7 Million.
We'll have a link in the show notes.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Rachel Gelfand, Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, and Rick Howard.
Thanks for listening. We'll see you back here next week.