Clipminer Botnet already allowed operators to make at least $1.7 Million

The Clipminer botnet allowed operators to earn at least $1.7 million, according to a report published by security researchers at Symantec.

Researchers at Symantec’s Threat Hunter Team uncovered a cryptomining operation that has potentially made the actors behind it at least $1.7 million in illicit gains. The bot focuses on cryptocurrency mining and cryptocurrency theft via clipboard hijacking.

The malicious code, tracked by Symantec as Trojan.Clipminer, has many similarities to another cryptominer called KryptoCibule suggesting a possible rebranding of the same threat.

Clipminer was first spotted in early 2021, it likely spread via Trojanized downloads of cracked or pirated software.

The attack chain starts in the form of a self-extracting WinRAR archive that drops and executes a downloader in the form of a packed portable executable DLL file with CPL file extension (although it does not follow the CPL format). Then the downloader connects to the Tor network to download the components of the Clipminer.

The researchers discovered that the operators are controlling a total of 4,375 unique cryptowallet addresses, 3,677 of which are used for just three different formats of Bitcoin addresses.

“The malware includes a total of 4,375 unique addresses of wallets controlled by the attacker. Out of these, 3,677 addresses are used for just three different formats of Bitcoin addresses. Investigating just Bitcoin and Ethereum wallet addresses, we found that they, at the time of writing, contained approximately 34.3 Bitcoin and 129.9 Ethereum.” reads the analysis published by Symantec. “However, some funds had also been transferred to what appear to be cryptocurrency tumblers, also known as cryptocurrency mixing services.”

Experts estimated that Including the funds transferred out to cryptocurrency mixing services, the botnet operators have potentially made at least $1.7 million from clipboard hijacking alone.

“Clipminer has proven a successful endeavor, earning its operators a considerable amount of money.” concludes the report published by Symantec that also includes Indicators of Compromise (IoCs).

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cryptocurrency)

[adrotate banner=”5″]

[adrotate banner=”13″]