Researchers at Symantec’s Threat Hunter Team uncovered a cryptomining operation that has potentially made the actors behind it at least $1.7 million in illicit gains. The bot focuses on cryptocurrency mining and cryptocurrency theft via clipboard hijacking.
The malicious code, tracked by Symantec as Trojan.Clipminer, has many similarities to another cryptominer called KryptoCibule suggesting a possible rebranding of the same threat.
Clipminer was first spotted in early 2021, it likely spread via Trojanized downloads of cracked or pirated software.
The attack chain starts in the form of a self-extracting WinRAR archive that drops and executes a downloader in the form of a packed portable executable DLL file with CPL file extension (although it does not follow the CPL format). Then the downloader connects to the Tor network to download the components of the Clipminer.
The researchers discovered that the operators are controlling a total of 4,375 unique cryptowallet addresses, 3,677 of which are used for just three different formats of Bitcoin addresses.
“The malware includes a total of 4,375 unique addresses of wallets controlled by the attacker. Out of these, 3,677 addresses are used for just three different formats of Bitcoin addresses. Investigating just Bitcoin and Ethereum wallet addresses, we found that they, at the time of writing, contained approximately 34.3 Bitcoin and 129.9 Ethereum.” reads the analysis published by Symantec. “However, some funds had also been transferred to what appear to be cryptocurrency tumblers, also known as cryptocurrency mixing services.”
Experts estimated that Including the funds transferred out to cryptocurrency mixing services, the botnet operators have potentially made at least $1.7 million from clipboard hijacking alone.
“Clipminer has proven a successful endeavor, earning its operators a considerable amount of money.” concludes the report published by Symantec that also includes Indicators of Compromise (IoCs).
Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit:
https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, cryptocurrency)
[adrotate banner=”5″]
[adrotate banner=”13″]
A critical vulnerability in the WordPress Automatic plugin is being exploited to inject backdoors and…
As cryptocurrencies have grown in popularity, there has also been growing concern about cybercrime involvement…
Healthcare service provider Kaiser Permanente disclosed a security breach that may impact 13.4 million individuals…
Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability. Over…
A ransomware attack on a Swedish logistics company Skanlog severely impacted the country's liquor supply. …
CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities…
This website uses cookies.