Threat Analysis Unit

TAU Threat Discovery: Cryptocurrency Clipper Malware Evolves

Clipper malware is designed to steal cryptocurrency from victims by replacing wallet addresses in the victim’s clipboard with wallet addresses that belong to the attacker. This stealthy technique is designed to silently trick the victim when making what appears to be a legitimate cryptocurrency transaction, which results in the attacker becoming the new recipient of that transaction. Although clipper malware isn’t necessarily a new threat, there have been limited public reports focused on clipper malware found in mobile applications. This report includes analysis of a recently discovered clipper malware targeting Windows, through which it delivers the Supreme botnet mining client and the Poullight information stealer.

Technical Details

Downloader:

The downloader is written in Microsoft .NET and has 28 out of 72 detections in VirusTotal at the time of writing.

Original File Name:      startwe.exe
File Size:               381,952 bytes
MD5:                     ae341ba5357eb8f9627898d0f740609b
SHA256:                  d4864866becdce24241855de9af67c434007a9324b1b175a04020fd72e5e709b
Product Name:            BitCoin Clipper
Product Version:         2.7.3.3
File Description:        BitCoin Clipper by BTCHit.me
Date/Time Stamp (GMT):   Saturday, 27 June 2020 05:34:06

Table 1: File metadata

When the downloader first starts it retrieves the system time, gets the user's temp folder location, and then makes an outbound HTTP GET request to the domain download[.]btchit[.]me. At the time of analysis this domain resolved to an IP address in Moscow. As the HTTP request was unauthenticated and sent over port 80, a quick look at the source sub-domain revealed the following open directory listing hosting several malicious files.


Figure 1: Malicious files hosted in an open directory listing

As this sub-domain was open and accessible, a further lookup of the root domain revealed the following builder page shown below. This includes instructions for contacting the bot operator via Telegram, and selecting additional functions, in order to build and download the client component. Note that there are references to “NetHitBot” and “BTCHit”.


Figure 2: BTCHit builder page

This domain was registered on 26 June 2020. This coincides with the dropper's PE compilation timestamp of 27 June 2020, which suggests that the malware, as well as the infrastructure to support it, was built very recently. During the investigation a new domain carrying the same builder page was brought online under the name dviros[.]smabit[.]ru, which at the time of writing points to an IP address located in Hesse, Germany.

Once the HTTP connection is established, the control.exe, replacer.exe and network.exe files (shown in Figure 1) are downloaded from the open directory to the user's %TEMP% folder and executed as net4contor.exe, net4replacer.exe and net4network.exe respectively. The overall process flow can be seen below.


Figure 3: Process diagram from VMware Carbon Black Cloud Enterprise EDR

Supreme Botnet Mining Client

The net4contor.exe (named control.exe in Figure 1) is a PE file written in Delphi that is protected by the Enigma Protector. Code hiding, anti-analysis, anti-sandbox and import table modification are some of the features available in the commercially available Enigma Protector software protection tool. Notably, the embedded metadata shown below reveals that the files were originally compiled with the name “netcommunity.exe”.

Original File Name:      netcommunity.exe
File Size:               1,043,968 bytes
MD5:                     924bda3c9a8db75d80eca4a2eac3ff6e
SHA256:                  5831a117790aebc381c863d1c59e38164ba9c95c13f560f6f0e6e499a4c0f583
Product Version:         6.6.6.6
Date/Time Stamp (GMT):   Tuesday, 1 January 2019 17:09:59

Table 2: File metadata

Once this process starts, it writes a copy of itself into the ProgramData folder, using a randomly generated character string for the folder name and the name of a running process as the filename. The folder name takes the format of a Globally Unique Identifier (GUID), but with invalid random characters. This could be an attempt to make the folder look official, as ProgramData does contain legitimate GUID-named folders, while the invalid characters ensure it does not conflict with an existing folder. It additionally writes a Zone.Identifier Alternate Data Stream to the same location. In the example below, we refer to the malware as armsvc.exe.

C:\ProgramData\{VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}\armsvc.exe

C:\ProgramData\{VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}\armsvc.exe:zone.identifier

The net4contor.exe executable immediately runs the scheduled task command shown below. This creates a new scheduled task which runs every 15 minutes as the currently logged on user account.

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 15 /TN "P286S3MREM427FXLQI" /TR "C:\ProgramData\{VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}\armsvc.exe" /F

Finally, as shown in the command line below, the executable will kill the net4contor.exe process and delete its file.

"C:\Windows\System32\cmd.exe" /c taskkill /im net4contor.exe /f & erase C:\Users\<user>\AppData\Local\Temp\net4contor.exe & exit

After deletion, the dropped C2 process starts and calls out to dashboard[.]btchit[.]me over TCP port 80 using the standard Windows HTTP Services API (WinHttpOpen(), WinHttpConnect(), WinHttpOpenRequest(), WinHttpSendRequest(), WinHttpReceiveResponse(), etc.) in the following sequence.

1 – POST the victim system's unique identifier, together with the CPU and GPU version, to dashboard[.]btchit[.]me/gate/update.php


Figure 4: First 71 bytes of HTTP POST request

2 – Check if mutex exists, and, if found, exit

3 – If mutex is not found, send POST of unique identifier to check client registration to dashboard[.]btchit[.]me/gate/connection.php

4 – If the identifier is not found, send POST to dashboard[.]btchit[.]me/gate/create.php

5 – If the connection is successful, the following response code will be returned, which is base64 encoded for the string “success”: c3VjY2Vzcw==

6 – XMRig CPU and GPU mining configuration is then received


Figure 5: XMRig default configuration example

7 – The following process monitoring applications are checked for and, if found, terminated, so the victim cannot see which process is causing high CPU/GPU usage: NetMonitor, Process Killer, KillProcess, System Explorer, Process Explorer, AnVir Task Manager and Process Hacker. In addition, if exe is detected, the CPU miner thread suspends itself to hide its CPU usage and remain undetected for as long as possible.

8 – Send an HTTP POST of the following config to dashboard[.]btchit[.]me/gate/update.php


Figure 6: Partially redacted configuration information

9 – Send an HTTP POST of the unique identifier and updates to api[.]foxovsky[.]ru/v1/checkLicense.php

One particular string found in the C2-handling code is “ddos”, which suggests that this client may have current or future functionality to download and install a DDoS module for use in targeted DDoS attacks.


Figure 7: Botnet client 

The net4replacer.exe is a heavily obfuscated executable that is also protected by the Enigma Protector.

Original File Name:      netcommunity.exe
File Size:               937,984 bytes
MD5:                     995b58eca15bea70798ac29f5b0cd368
SHA256:                  6ee66ad45dcea6f6f02a7b43da0220908fcb1f80eb7f9d740f05acf64c410ed8
Product Version:         6.6.6.6
Date/Time Stamp (GMT):   Saturday, 27 June 2020 05:26:47

Table 3: File metadata

The primary responsibility of this process is to drop a copy of itself into the user's Roaming folder as svchost.exe. A scheduled task is then created to run this svchost.exe every minute. Finally, the command line below uses choice as a short delay before deleting the net4replacer.exe file.

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\<user>\AppData\Local\Temp\net4replacer.exe" & schtasks /create /tn \rq5dhbgf\nquyb14p /tr C:\Users\<user>\AppData\Roaming\svchost.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
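The two scheduled-task command lines above (the 15-minute task under ProgramData and the one-minute svchost.exe task under Roaming) share traits a detection engineer can key on. The following Python script is an added example, not code from the TAU report or from VMware Carbon Black: it parses schtasks /create command lines as they would appear in EDR process telemetry and flags short repeat intervals, a target inside a brace-wrapped folder that is shaped like a GUID but contains non-hex characters, svchost.exe running from outside System32, targets in user-writable directories, and random-looking task names. The sample command lines are constructed from the ones quoted in the report (straight quotes, placeholder user name, and only the schtasks portion of the cmd.exe one-liner); the third is a benign control.

```python
import re

# Constructed command lines modelled on the two schtasks invocations quoted in
# the report (straight quotes, placeholder user name). Not captured telemetry.
# The second is only the schtasks part of the cmd.exe one-liner.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 15 /TN "P286S3MREM427FXLQI" '
    r'/TR "C:\ProgramData\{VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}\armsvc.exe" /F',
    r'schtasks /create /tn \rq5dhbgf\nquyb14p /tr C:\Users\victim\AppData\Roaming\svchost.exe '
    r'/st 00:00 /du 9999:59 /sc daily /ri 1 /f',
    # Benign control: a vendor updater running once a day from Program Files.
    r'schtasks /Create /SC DAILY /ST 03:00 /TN "Vendor Updater" /TR "C:\Program Files\Vendor\update.exe"',
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_BRACE_DIR = re.compile(r'\\\{([^}\\]+)\}\\')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return {switch: value} for a 'schtasks /create' command line, else None."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            # A switch takes the next token as its value unless that token is another switch.
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts if "create" in opts else None


def fake_guid_folder(path):
    """True if the path has a brace-wrapped folder shaped like a GUID but containing
    characters that are not hex digits, the trick the report describes under ProgramData."""
    return any(re.search(r"[^0-9A-Fa-f-]", inner) for inner in _BRACE_DIR.findall(path))


def repeat_interval_minutes(opts):
    """Effective repeat interval: /SC MINUTE /MO n, or /RI n on another schedule."""
    if str(opts.get("sc", "")).upper() == "MINUTE":
        return int(opts.get("mo", 1))
    if "ri" in opts:
        return int(opts["ri"])
    return None


def assess_task(cmdline):
    """Return human-readable findings for one command line (empty list = nothing notable)."""
    opts = parse_schtasks(cmdline)
    if opts is None:
        return []
    findings = []
    target = str(opts.get("tr", ""))
    name = str(opts.get("tn", ""))
    low = target.lower()
    interval = repeat_interval_minutes(opts)
    if interval is not None and interval <= 15:
        findings.append(f"repeats every {interval} min")
    if fake_guid_folder(target):
        findings.append("target in pseudo-GUID folder with non-hex characters")
    if low.endswith("\\svchost.exe") and "\\system32\\" not in low and "\\syswow64\\" not in low:
        findings.append("svchost.exe outside System32")
    if any(d in low for d in ("\\programdata\\", "\\appdata\\roaming\\", "\\temp\\")):
        findings.append("target in user-writable directory")
    # Heuristic: a task name that is one unbroken run of letters and digits (and path separators).
    if re.fullmatch(r"[\\A-Za-z0-9]{8,}", name) and re.search(r"\d", name) and re.search(r"[A-Za-z]", name):
        findings.append("random-looking task name")
    return findings


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(cmd)
        for finding in assess_task(cmd):
            print("  -", finding)
```

Each of the two malicious samples trips four checks while the benign updater trips none; in practice the interval and pseudo-GUID checks carry the most weight, since legitimate software rarely schedules itself every minute or fabricates GUID-shaped folder names.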

Poullight Stealer:

The net4network.exe executable (network.exe in Figure 1) is also protected with the Enigma Protector.

Original File Name:      netcommunity.exe
File Size:               978,944 bytes
MD5:                     ed81b7ab336d217d42136617f8f908af
SHA256:                  87698fa154be7f6563f1a653a02dd6a93e4fd62fa7bcee7ca3a1ed5366c5e7f7
Product Version:         6.6.6.6
Date/Time Stamp (GMT):   Wednesday, 25 March 2020 03:49:15

Table 4: File metadata

This process crashes shortly after starting, which is the first, and only, visual indication to the end user that malware may have attempted to run on the victim's computer.


Figure 8: Process crash popup message box

The net4network.exe process is essentially the Poullight Stealer, reported recently by Yoroi. This process steals the following information from the victim host, and writes numerous files to disk to record this data.

File Name        File Type   Data collected
System.txt       Text file   OS version, username, computer name, video card, CPU
Processlist.txt  Text file   Running processes
Copyboard.txt    Text file   Clipboard text
Screenshot.png   PNG file    Screenshot of desktop
Webcam.jpg       JPG file    Webcam image
Data.txt         Text file   Pidgin chat client logs
Cookies.txt      Text file   Google cookies

Additional applications it steals data from include Discord, FileZilla, NordVPN, Skype, Steam, Telegram and Pidgin. It also looks for various cryptocurrency wallets, including Bytecoin, Dash, Ethereum, BitCoin, Monero and BitCoin-Qt.

One of the files written contains the following string.

Stealer by Nixscare, buy here: @nixscare (telegram)

The owner of this Telegram account has a channel created under the alias shown below. This channel appears to have been active from mid-April 2020 until around mid-May.


Figure 9: Telegram channel by nixscare

This process makes an HTTP POST request to gate[.]btchit[.]me/gate.php followed by an HTTP GET request to ru-uid-507352920[.]pp[.]ru to download the file example.exe. This request fails with a 404 error, likely due to infrastructure changes. At the time of writing, this domain's record location points to Makhachkala in the Republic of Dagestan, Russia.

At the time of writing, the Poullight Stealer site has been suspended by its hosting provider.


Figure 10: Poullight Stealer site suspended 

One further point to highlight is the Poullight configuration parameters. The original base64 encoded configuration is shown below in the fields of cpdata, ulfile, and mutex.


Figure 11: Base64 encoded configuration parameters

The configuration can be decoded to reveal the following:


Figure 12: Decoded configuration

One particular part of the above configuration that stands out is the string found within the cpdata tag. This tag contains the wallet address 12CNuKkKK1xLFoM9P58zWXkELMx1y51z6Y. At the time of writing, this BTC address has a total of 4 transactions that occurred between 5 and 7 November 2019. Each transaction contains nested hashes, with some of the largest transactions including amounts for $1237.42, $3324.05 and $9233.48. The nested hashes and their associated transactions still show signs of recent activity, with an example shown below in USD.


Figure 13: Nested transactions

The tag name cpdata suggests that this is clipboard data, which may be part of the BTC clipper functionality that replaces wallet addresses the victim innocently copies and pastes.
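The base64-encoded cpdata, ulfile and mutex fields described above, and the base64 “success” reply from step 5 of the C2 sequence, can be handled with one small decoder. The following Python is an added example, not code from the TAU report or from Poullight: it decodes each configuration field, looks for legacy Bitcoin address candidates in the plaintext, and verifies each candidate with the Base58Check checksum so that an analyst can separate a real address from a decoy or a mangled string. The configuration values are constructed stand-ins (only the wallet address is taken from the report, and the base64 is generated in the block for readability); the known-good reference address used in the test is the public Bitcoin genesis address, which has nothing to do with this campaign.

```python
import base64
import hashlib
import re

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (Base58Check) BTC address shape: '1' or '3' followed by 25-34 base58 characters.
BTC_LEGACY = re.compile(r"\b[13][" + _B58 + r"]{25,34}\b")

# Constructed stand-in for the Poullight fields shown in the report (cpdata,
# ulfile, mutex). Only the wallet address comes from the report; the other
# values are invented, and the base64 is produced here rather than pasted.
SAMPLE_CONFIG = {
    "cpdata": base64.b64encode(b"btc=12CNuKkKK1xLFoM9P58zWXkELMx1y51z6Y").decode(),
    "ulfile": base64.b64encode(b"hxxp://example.invalid/example.exe").decode(),
    "mutex": base64.b64encode(b"EXAMPLE_MUTEX_NAME").decode(),
}

# The C2 "success" response quoted in the report; same decoder applies.
SUCCESS_RESPONSE = "c3VjY2Vzcw=="


def b58check_valid(addr):
    """Verify a Base58Check string: 25 bytes whose last 4 are the first 4 bytes of
    double-SHA256 over the first 21. Each leading '1' stands for a leading zero byte."""
    n = 0
    for ch in addr:
        idx = _B58.find(ch)
        if idx < 0:  # character outside the base58 alphabet (0, O, I, l, ...)
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


def decode_field(value):
    """Base64-decode one field; return the original string if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:
        return value


def decode_config(cfg):
    """Decode every field of a {name: base64} configuration dictionary."""
    return {key: decode_field(val) for key, val in cfg.items()}


def wallets_in(text):
    """Every legacy-BTC-looking token in text, paired with its checksum verdict."""
    return [(m, b58check_valid(m)) for m in BTC_LEGACY.findall(text)]


def analyse(cfg):
    """Decode the configuration and report which fields carry wallet addresses."""
    decoded = decode_config(cfg)
    hits = {}
    for key, val in decoded.items():
        found = wallets_in(val)
        if found:
            hits[key] = found
    return decoded, hits


if __name__ == "__main__":
    print("C2 reply decodes to:", decode_field(SUCCESS_RESPONSE))
    decoded, hits = analyse(SAMPLE_CONFIG)
    for key, val in decoded.items():
        print(f"{key}: {val}")
    for key, found in hits.items():
        for addr, ok in found:
            print(f"  {key} carries {addr} (Base58Check {'valid' if ok else 'INVALID'})")
```

Only the cpdata field yields an address candidate, which is what the report's interpretation of that tag predicts. The checksum step matters because a clipper operator can plant look-alike strings, and because a single corrupted character in a dumped configuration is enough to make a pivot on the wrong address.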

Almost 300 samples on VirusTotal were found to include the cpdata tag, but one sample in particular contained the following name, which could suggest a relationship between the Poullight and Predator The Thief stealers.


Figure 14: Possible relationship with the Predator The Thief stealer

The overall process activity from Cloud Enterprise EDR is shown below.

Screenshot of process execution flow

Remediation:

MITRE ATT&CK TIDs

TID     Tactic                                         Description
T1047   Execution                                      Windows Management Instrumentation
T1053   Execution, Persistence, Privilege Escalation   Scheduled Task
T1096   Defense Evasion                                NTFS File Attributes
T1497   Defense Evasion, Discovery                     Virtualization/Sandbox Evasion
T1143   Defense Evasion                                Hidden Window
T1045   Defense Evasion                                Software Packing
T1081   Credential Access                              Credentials in Files
T1083   Discovery                                      File and Directory Discovery
T1063   Discovery                                      Security Software Discovery
T1012   Discovery                                      Query Registry
T1010   Discovery                                      Application Window Discovery
T1082   Discovery                                      System Information Discovery
T1105   Command and Control, Lateral Movement          Remote File Copy
T1119   Collection                                     Automated Collection
T1005   Collection                                     Data from Local System
T1071   Command and Control                            Standard Application Layer Protocol

Indicators of Compromise (IOCs)

Indicator                                                          Type              Context
d4864866becdce24241855de9af67c434007a9324b1b175a04020fd72e5e709b   SHA256            Dropper
ae341ba5357eb8f9627898d0f740609b                                   MD5               Dropper
5831a117790aebc381c863d1c59e38164ba9c95c13f560f6f0e6e499a4c0f583   SHA256            net4contor.exe (Supreme Botnet Client)
924bda3c9a8db75d80eca4a2eac3ff6e                                   MD5               net4contor.exe
87698fa154be7f6563f1a653a02dd6a93e4fd62fa7bcee7ca3a1ed5366c5e7f7   SHA256            net4network.exe
ed81b7ab336d217d42136617f8f908af                                   MD5               net4network.exe
6ee66ad45dcea6f6f02a7b43da0220908fcb1f80eb7f9d740f05acf64c410ed8   SHA256            net4replacer.exe
995b58eca15bea70798ac29f5b0cd368                                   MD5               net4replacer.exe
80.87.193.46                                                       IP Address        TCP/80
download[.]btchit[.]me                                             Domain            Open Directory
dashboard[.]btchit[.]me                                            Domain            C2
btchit[.]me                                                        Domain            Builder Page
dviros[.]smabit[.]ru                                               Domain            Builder Page
api[.]foxovsky[.]ru                                                Domain            C2
91.210.201.108                                                     IP Address        TCP/80
ru-uid-507352920[.]pp[.]ru                                         Domain            C2
@nethitbot                                                         Telegram Account  NetHit Builder
@nixscare                                                          Telegram Account  Poullight Stealer
12CNuKkKK1xLFoM9P58zWXkELMx1y51z6Y                                 Wallet Address    BTC clipper configuration (cpdata)

To learn more about the VMware Carbon Black Threat Analysis Unit (TAU), click here.