Py_Dev
Py-Dev Threat Intelligence-Ep 4: Clipper

Posted Mar 23, 2025 10:59 AM
Clipper Malware Breakdown: Inside a Real-World Crypto Clipboard Hijacker

Overview

Cryptocurrency clipper malware is one of the simplest but most effective tactics used by financially motivated adversaries. The attack surface is simple: most crypto users copy/paste wallet addresses. Clipper malware hijacks this moment and silently replaces the clipboard contents with an attacker-controlled address.

In this post, we’ll dissect a live clipper sample called CoinClipper, analyze how it operates, and give both red team and blue team takeaways you can use in your engagements or defense.

🔧 Technical Analysis


1. Initial Execution:
Upon launch, the binary executes a randomized sleep or CPU delay mechanism through the `Snoozy` class. This includes:
  • Thread.Sleep with variable delays
  • Progressive sleep with interleaved CPU load
  • CPU-bound loops using sqrt/log for anti-analysis
Red team note: This can help evade sandbox environments that trigger on fast behavior.

2. Self-Replication & Persistence:
The malware checks `%APPDATA%\Microsoft\SystemData` and replicates itself there under a randomized name like `ServiceHost83dsx.exe`. A marker file (`installed.txt`) stores the path.

Startup persistence is achieved via:
  • PowerShell script that launches the replicated EXE
  • VBScript launcher dropped in the user's Startup folder

Red team note: This approach avoids direct registry modifications, helping avoid some AV triggers.

3. Clipboard Hijack Engine:

The heart of the malware uses a hidden `Form` with `AddClipboardFormatListener` to listen for clipboard updates (via `WM_CLIPBOARDUPDATE`). When fired:
  • Current clipboard text is checked for known wallet patterns (BTC, ETH, XMR, etc.)
  • Matches are replaced using regex and static attacker-controlled addresses
  • If a change was made, clipboard content is overwritten with the replaced text

Supported cryptocurrencies:
  • Bitcoin (BTC)
  • Ethereum (ETH)
  • Tron (TRC20)
  • Litecoin (LTC)
  • Dogecoin (DOGE)
  • Monero (XMR)
  • Ripple (XRP)

Blue team note: Clipboard monitoring via `AddClipboardFormatListener` is a strong signal for userland malware behavior, especially when the registering process has no visible window (legitimate clipboard managers register the same listener, so the missing GUI is what separates the two).

4. Threading and Stealth:

The clipboard monitor runs in a background STA thread, keeping the main process quiet. The main loop simply idles with 10-second sleeps. No GUI, no output, no window—fully hidden.

🔥 Red Team Tips

  1. OpSec Matters: Use randomized filenames and sleep delays to blend into user activity.
  2. Non-Invasive Persistence: Avoid registry changes; userland Startup folder + VBScript is often overlooked by EDRs.
  3. Regex Diversity: Regex-based swapping means you can expand to other formats (e.g., Solana, Cardano, BNB).
  4. Encrypted Config: For better OPSEC, load addresses from an encrypted JSON or remote config over C2.
  5. Pair with RATs: Combine this tool with a RAT to exfiltrate clipboard history or receive real-time swap logs.

🛡️ Blue Team Tips

  1. Monitor Startup Folder: Watch for unexpected `.vbs` or `.ps1` scripts appearing in `%APPDATA%` and the per-user Startup folder (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`).
  2. Clipboard Hooks: Flag processes that register a clipboard listener (`AddClipboardFormatListener`, which delivers `WM_CLIPBOARDUPDATE`) but lack a GUI.
  3. Regex Matching: If clipboard text matches known crypto formats AND suddenly changes, that's a high-fidelity IOC.
  4. Behavioral Heuristics: A non-GUI app that sleeps, copies itself, creates scripts, and monitors the clipboard is highly suspicious.
  5. YARA Opportunity: Regex strings and PowerShell-in-VBS format are perfect YARA rule candidates.

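Tips 3 and 4 above describe a heuristic rather than code. The following is an added example (not part of the original post or of CoinClipper) that runs that heuristic over a constructed feed of clipboard events: it classifies clipboard text against approximate address shapes for the coins the post lists, and raises an alert when an address of one coin is replaced by a different address of the same coin within a short window. The address regexes, the `ClipEvent` shape and the sample events (including the writer name `ServiceHost83dsx.exe`, taken from the post) are assumptions; the regexes are heuristic shapes with no checksum validation.

```python
import re
from dataclasses import dataclass

# Approximate address formats for the coins the post lists. Assumption: these are
# heuristic shapes for a detector, not validators (no checksum verification).
ADDRESS_PATTERNS = {
    "BTC":   re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})$"),
    "ETH":   re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "TRC20": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "LTC":   re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[ac-hj-np-z02-9]{25,62})$"),
    "DOGE":  re.compile(r"^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$"),
    "XMR":   re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "XRP":   re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
}


def classify(text: str):
    """Return the coin whose address shape the clipboard text matches, else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


@dataclass
class ClipEvent:
    ts: float      # seconds, as reported by a hypothetical clipboard sensor
    writer: str    # image name of the process that set the clipboard
    text: str      # clipboard text after the update


def detect_swaps(events, window=2.0):
    """Flag an address of coin X replaced by a different address of coin X within `window` seconds."""
    alerts = []
    prev = None
    for ev in events:
        coin = classify(ev.text)
        if prev is not None and coin is not None and classify(prev.text) == coin:
            if prev.text.strip() != ev.text.strip() and ev.ts - prev.ts <= window:
                alerts.append({
                    "coin": coin,
                    "original": prev.text.strip(),
                    "replacement": ev.text.strip(),
                    "writer": ev.writer,
                    "delta": round(ev.ts - prev.ts, 3),
                    # a different process overwriting the user's copy is the strongest form
                    "severity": "high" if ev.writer != prev.writer else "medium",
                })
        prev = ev
    return alerts


# Constructed sample data: the addresses below are made up for the demo.
USER_ETH = "0x" + "ab" * 20
ATTACKER_ETH = "0x" + "cd" * 20
USER_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
OTHER_BTC = "1SecondAddrCopiedByUserMinsLater9"

SAMPLE_EVENTS = [
    ClipEvent(100.0, "chrome.exe", "hello world"),
    ClipEvent(120.0, "chrome.exe", USER_ETH),
    ClipEvent(120.3, "ServiceHost83dsx.exe", ATTACKER_ETH),  # swap 0.3 s after the user's copy
    ClipEvent(200.0, "chrome.exe", USER_BTC),
    ClipEvent(200.5, "chrome.exe", USER_BTC),                # re-copy of the same text: no alert
    ClipEvent(400.0, "chrome.exe", OTHER_BTC),               # different address minutes later: no alert
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(alert)
```

The writer field is what turns this from a "user pasted a different address" curiosity into a usable alert: the swap itself is visible from the clipboard contents alone, but attributing the second write to a process that is not the foreground application is what a responder needs to pivot on.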
🔍 IOC Summary

Persistence Folder:
  %APPDATA%\Microsoft\SystemData\

Command run by the Startup VBS launcher (example):
  powershell.exe -ExecutionPolicy Bypass -File "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\SystemData\\launch1234.ps1"

Clipboard Hook Usage:
  user32.dll!AddClipboardFormatListener

Regex Patterns (Crypto Addresses):
See codebase or Regex101 for samples.
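As an added example (not from the original post), the scanner below turns the Startup-folder IOCs in this summary into a check a blue team can run: it reads script files from a folder, looks for a PowerShell launch with `-ExecutionPolicy Bypass`, a `-File` target under `AppData\Roaming\Microsoft\SystemData`, and a hidden-window `WScript.Shell.Run` call, and reports a verdict per file. The two VBS samples are constructed for the demo (the launcher wraps the command line from this post); the indicator set, the scoring rule and the `demo()` helper are assumptions. On Windows, `default_startup_folder()` points at the per-user Startup folder.

```python
import os
import re
import tempfile

# Indicators taken from the post's IOC summary (a launcher in the Startup folder
# that runs powershell.exe -ExecutionPolicy Bypass -File <...>\Microsoft\SystemData\*.ps1).
INDICATORS = {
    "powershell":    re.compile(r"\bpowershell(?:\.exe)?\b", re.IGNORECASE),
    "bypass":        re.compile(r"-ExecutionPolicy\s+Bypass\b", re.IGNORECASE),
    "systemdata":    re.compile(r"AppData\\+Roaming\\+Microsoft\\+SystemData", re.IGNORECASE),
    # WScript.Shell.Run with window style 0 means "run with no visible window"
    "hidden_window": re.compile(r"\.Run\b[^\r\n]*,\s*0\s*(?:,|$)", re.IGNORECASE | re.MULTILINE),
}
SCRIPT_PATH = re.compile(r'-File\s+"*([^"\s]+\.ps1)', re.IGNORECASE)
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".ps1", ".bat", ".cmd", ".js")


def analyze_script(content: str) -> dict:
    """Match the launcher indicators against one script's text and score it."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(content)]
    match = SCRIPT_PATH.search(content)
    # Scoring rule (assumption): a PowerShell launch plus two more indicators is enough.
    verdict = "suspicious" if "powershell" in hits and len(hits) >= 3 else "benign"
    return {"hits": hits, "script_path": match.group(1) if match else None, "verdict": verdict}


def scan_startup(folder: str) -> dict:
    """Analyze every script-like file directly inside `folder`; returns {filename: analysis}."""
    results = {}
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith(SCRIPT_EXTENSIONS):
            continue
        with open(os.path.join(folder, name), encoding="utf-8", errors="replace") as fh:
            results[name] = analyze_script(fh.read())
    return results


def default_startup_folder() -> str:
    # Per-user Startup folder on Windows (assumption: %APPDATA% is set in the environment).
    return os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")


# Constructed samples: a launcher matching the post's IOCs and a benign vendor updater stub.
LAUNCHER_VBS = r'''Set sh = CreateObject("WScript.Shell")
sh.Run "powershell.exe -ExecutionPolicy Bypass -File ""C:\Users\user\AppData\Roaming\Microsoft\SystemData\launch1234.ps1""", 0, False
'''
BENIGN_VBS = r'''Set sh = CreateObject("WScript.Shell")
sh.Run "C:\Program Files\Vendor\Updater.exe", 1, False
'''


def demo() -> dict:
    """Write both samples into a temporary folder and scan it, so the check runs offline."""
    folder = tempfile.mkdtemp(prefix="startup_demo_")
    for name, body in (("launcher.vbs", LAUNCHER_VBS), ("updater.vbs", BENIGN_VBS)):
        with open(os.path.join(folder, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_startup(folder)


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

To run this against a live machine, replace `demo()` with `scan_startup(default_startup_folder())`; the same `analyze_script` function can also be pointed at the `.ps1` file the launcher references, since the post notes the PowerShell script is what actually starts the replicated EXE.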

📦 Stay sharp.

CoinClipper is a solid representation of how modern clipboard stealers operate: fast, stealthy, and effective against unaware users. Despite the simplicity, these tools are very successful in the wild—especially when delivered via phishing or bundled in fake wallets/cracking tools.
