Clipper malware is designed to steal cryptocurrency from victims by replacing wallet addresses in the victim's clipboard with wallet addresses that belong to the attacker. This stealthy technique silently tricks the victim into making what appears to be a legitimate cryptocurrency transaction, with the attacker becoming the new recipient of that transaction. Although clipper malware is not a new threat, there have been limited public reports focused on clipper malware found in mobile applications. This report analyses a recently discovered clipper malware targeting Windows, which also delivers the Supreme botnet mining client and the Poullight information stealer.
Technical Details
Downloader:
The downloader is written in Microsoft .NET and has 28 out of 72 detections in VirusTotal at the time of writing.
Original File Name | startwe.exe |
File Size | 381,952 bytes |
MD5 | ae341ba5357eb8f9627898d0f740609b |
SHA256 | d4864866becdce24241855de9af67c434007a9324b1b175a04020fd72e5e709b |
Product Name | BitCoin Clipper |
Product Version | 2.7.3.3 |
File Description | BitCoin Clipper by BTCHit.me |
Date/Time Stamp (GMT) | Saturday, 27 June 2020 05:34:06 |
Table 1: File metadata
When the downloader first starts, it retrieves the system time, gets the user's temp folder location, and then makes an outbound HTTP GET request to the domain download[.]btchit[.]me. At the time of analysis this domain resolved to an IP address in Moscow. As the HTTP request was unauthenticated and sent over port 80, a quick look at the source sub-domain revealed the following open directory listing hosting several malicious files.
Figure 1: Malicious files hosted in an open directory listing
As this sub-domain was open and accessible, a further lookup of the root domain revealed the builder page shown below. It includes instructions for contacting the bot operator via Telegram and for selecting additional functions in order to build and download the client component. Note the references to "NetHitBot" and "BTCHit".
Figure 2: BTCHit builder page
This domain was registered on 26 June 2020. This coincides with the dropper PE file's compilation timestamp of 27 June 2020, which suggests that the malware, as well as the infrastructure supporting it, was built very recently. During the investigation a new domain hosting the same builder page, dviros[.]smabit[.]ru, was brought online; at the time of writing it points to an IP address located in Hesse, Germany.
Once the HTTP connection is established, the control.exe, replacer.exe and network.exe files (shown in Figure 1) are downloaded from the open directory to the user's %TEMP% folder and executed as net4contor.exe, net4replacer.exe and net4network.exe respectively. The overall process flow can be seen below.
Figure 3: Process diagram from VMware Carbon Black Cloud Enterprise EDR
Supreme Botnet Mining Client
net4contor.exe (named control.exe in Figure 1) is a PE file written in Delphi and protected by the Enigma Protector. Code hiding, anti-analysis, anti-sandbox and import table modification are some of the features of this commercially available software protection tool. Notably, the embedded metadata shown below indicates that the file was originally compiled with the name "netcommunity.exe".
Original File Name | netcommunity.exe |
File Size | 1,043,968 bytes |
MD5 | 924bda3c9a8db75d80eca4a2eac3ff6e |
SHA256 | 5831a117790aebc381c863d1c59e38164ba9c95c13f560f6f0e6e499a4c0f583 |
Product Version | 6.6.6.6 |
Date/Time Stamp (GMT) | Tuesday, 1 January 2019 17:09:59 |
Table 2: File metadata
Once this process starts, it writes a copy of itself into the ProgramData folder, using a randomly generated string for the folder name and the name of a running process as the filename. The folder name follows the format of a Globally Unique Identifier (GUID) but contains characters that are not valid in a GUID. This is likely an attempt to make the folder look legitimate, since ProgramData does contain GUID-named folders, while the invalid characters ensure it never conflicts with an existing folder. It additionally writes a Zone.Identifier Alternate Data Stream in the same location. In the example below, we refer to the malware as armsvc.exe.
C:\ProgramData\{VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}\armsvc.exe
C:\ProgramData\{VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}\armsvc.exe:zone.identifier
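The pseudo-GUID folder is a cheap hunting signal: a real GUID is five hexadecimal groups of 8-4-4-4-12 characters, and the sample's folder name fails both the character set and the group count. The following Python, added here as an example rather than code from the report or the malware, classifies folder names under ProgramData and flags paths whose top-level folder merely looks like a GUID. The sample paths are the two from the report plus two constructed benign ones; the function can equally be fed the output of os.listdir on a live ProgramData folder or file-creation events from an EDR.

```python
import re

# Canonical GUID folder name: {8-4-4-4-12} hexadecimal groups, the shape of the
# GUID-named folders that legitimately live in ProgramData.
GUID_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$"
)
# Anything braced and hyphen-grouped that is NOT a real GUID: wrong group count,
# wrong group lengths, or non-hex characters such as the sample's {VPXG6NAV-...}.
GUID_LIKE_RE = re.compile(r"^\{[0-9A-Za-z]+(?:-[0-9A-Za-z]+)+\}$")


def classify_folder_name(name: str) -> str:
    """Return 'guid', 'pseudo-guid' or 'other' for a single folder name."""
    if GUID_RE.match(name):
        return "guid"
    if GUID_LIKE_RE.match(name):
        return "pseudo-guid"
    return "other"


def suspicious_programdata_paths(paths):
    """Return the paths whose first folder below ProgramData only looks like a GUID.

    Works on full paths (file-creation events, ADS paths such as
    ...\\armsvc.exe:zone.identifier) as well as bare directory listings.
    """
    hits = []
    for p in paths:
        parts = p.replace("/", "\\").split("\\")
        # parts: ['C:', 'ProgramData', '{...}', 'armsvc.exe', ...]
        if len(parts) >= 3 and parts[1].lower() == "programdata":
            if classify_folder_name(parts[2]) == "pseudo-guid":
                hits.append(p)
    return hits


# Constructed sample events: the two paths from the report plus two benign ones
# (the 4D36E972-... GUID is a real-format GUID used here only as a benign shape).
SAMPLE_PATHS = [
    r"C:\ProgramData\{VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}\armsvc.exe",
    r"C:\ProgramData\{VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}\armsvc.exe:zone.identifier",
    r"C:\ProgramData\{4D36E972-E325-11CE-BFC1-08002BE10318}\setup.log",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini",
]

if __name__ == "__main__":
    for hit in suspicious_programdata_paths(SAMPLE_PATHS):
        print("pseudo-GUID staging path:", hit)
```

The two-regex split matters: a single loose pattern would either miss real GUIDs or flag them, whereas checking the strict form first and the loose form second isolates exactly the "looks official but is not" case the malware relies on.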
The net4contor.exe executable immediately runs the scheduled task command shown below. This creates a new scheduled task which runs every 15 minutes as the currently logged on user account.
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 15 /TN "P286S3MREM427FXLQI" /TR "C:\ProgramData\{VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}\armsvc.exe" /F
Finally, as shown in the command line below, the executable will kill the net4contor.exe process and delete its file.
"C:\Windows\System32\cmd.exe" /c taskkill /im net4contor.exe /f & erase C:\Users\<user>\AppData\Local\Temp\net4contor.exe & exit
After deletion, the dropped C2 process starts and calls out to dashboard[.]btchit[.]me over TCP port 80 using the standard Windows HTTP Services (WinHTTP) API (WinHttpOpen(), WinHttpConnect(), WinHttpOpenRequest(), WinHttpSendRequest(), WinHttpReceiveResponse(), etc.) in the following sequence.
1 – POST the victim system's unique identifiers and CPU and GPU version to dashboard[.]btchit[.]me/gate/update.php
Figure 4: First 71 bytes of HTTP POST request
2 – Check if mutex exists, and, if found, exit
3 – If mutex is not found, send POST of unique identifier to check client registration to dashboard[.]btchit[.]me/gate/connection.php
4 – If the identifier is not found, send POST to dashboard[.]btchit[.]me/gate/create.php
5 – If the connection is successful, the following response is returned, which is the base64 encoding of the string "success": c3VjY2Vzcw==
6 – XMRig CPU and GPU mining configuration is then received
Figure 5: XMRig default configuration example
7 – The following process monitoring applications are checked for and, if found, terminated, to stop the user viewing the process activity behind the high CPU/GPU usage: NetMonitor, Process Killer, KillProcess, System Explorer, Process Explorer, AnVir Task Manager and Process Hacker. In addition, if exe is detected, the CPU miner thread suspends itself to hide its CPU activity and remain undetected for as long as possible.
8 – Send an HTTP POST of the following config to dashboard[.]btchit[.]me/gate/update.php
Figure 6: Partially redacted configuration information
9 – Send an HTTP POST of the unique identifier and updates to api[.]foxovsky[.]ru/v1/checkLicense.php
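The check-in sequence above is ordered and specific enough to correlate in web proxy logs rather than matching on a single URL. The Python below, an added example that is not part of the report, groups requests per client, looks for the update.php → connection.php → create.php POST order against the dashboard host and for the foxovsky license check-in, and also shows the base64 "success" token check from step 5. The proxy log layout ("<timestamp> <client> <METHOD> <host> <path> <status>") and the log lines themselves are constructed for the example.

```python
import base64
import binascii
import re
from collections import defaultdict

# Check-in endpoints from the report, in the order the client calls them.
GATE_SEQUENCE = ["/gate/update.php", "/gate/connection.php", "/gate/create.php"]
DASHBOARD = "dashboard.btchit.me"
LICENSE_HOST, LICENSE_PATH = "api.foxovsky.ru", "/v1/checkLicense.php"

# Assumed proxy log layout: "<ts> <client_ip> <METHOD> <host> <path> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def is_success_response(body: str) -> bool:
    """True when a response body is the base64 token the C2 returns for success."""
    try:
        return base64.b64decode(body, validate=True) == b"success"
    except (binascii.Error, ValueError):
        return False


def _is_subsequence(needle, haystack):
    """True if every element of needle appears in haystack, in order (gaps allowed)."""
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)


def correlate(lines):
    """Group requests by client and return {client_ip: [reasons]} for matches."""
    per_src = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            per_src[m["src"]].append(m.groupdict())
    findings = {}
    for src, reqs in per_src.items():
        reasons = []
        gate_posts = [r["path"] for r in reqs
                      if r["method"] == "POST" and r["host"].lower() == DASHBOARD]
        if _is_subsequence(GATE_SEQUENCE, gate_posts):
            reasons.append("btchit gate registration sequence")
        if any(r["host"].lower() == LICENSE_HOST and r["path"].startswith(LICENSE_PATH)
               for r in reqs):
            reasons.append("foxovsky license check-in")
        if reasons:
            findings[src] = reasons
    return findings


# Constructed sample log: one infected host (10.0.0.5) and one benign host (10.0.0.7).
SAMPLE_LOG = """\
2020-07-01T10:00:01Z 10.0.0.5 POST dashboard.btchit.me /gate/update.php 200
2020-07-01T10:00:02Z 10.0.0.5 POST dashboard.btchit.me /gate/connection.php 200
2020-07-01T10:00:03Z 10.0.0.5 POST dashboard.btchit.me /gate/create.php 200
2020-07-01T10:00:04Z 10.0.0.5 POST dashboard.btchit.me /gate/update.php 200
2020-07-01T10:00:05Z 10.0.0.5 POST api.foxovsky.ru /v1/checkLicense.php 200
2020-07-01T10:00:06Z 10.0.0.7 GET www.example.com /index.html 200
2020-07-01T10:00:07Z 10.0.0.7 POST www.example.com /gate/update.php 404
""".splitlines()

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

The benign host deliberately posts to a /gate/update.php path on an unrelated domain, so the example shows that the host and the order of the three POSTs together form the signal, not the path string alone.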
One particular string found in the area of code pertaining to C2 control is "ddos", which suggests that this client may have current or future functionality to download and install a DDoS module for use in targeted DDoS attacks.
Figure 7: Botnet client
The net4replacer.exe is a heavily obfuscated executable that is also protected by the Enigma Protector.
Original File Name | netcommunity.exe |
File Size | 937,984 bytes |
MD5 | 995b58eca15bea70798ac29f5b0cd368 |
SHA256 | 6ee66ad45dcea6f6f02a7b43da0220908fcb1f80eb7f9d740f05acf64c410ed8 |
Product Version | 6.6.6.6 |
Date/Time Stamp (GMT) | Saturday, 27 June 2020 05:26:47 |
Table 3: File metadata
The primary responsibility of this process is to drop a copy of itself into the user's Roaming folder as svchost.exe. A scheduled task is created to run this svchost.exe every minute. Finally, as shown in the command line below, a choice command is used as a three-second delay before the net4replacer.exe file is deleted.
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\<user>\AppData\Local\Temp\net4replacer.exe" & schtasks /create /tn \rq5dhbgf\nquyb14p /tr C:\Users\<user>\AppData\Roaming\svchost.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
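Both persistence mechanisms in this report (the 15-minute task for armsvc.exe above and the 1-minute task for svchost.exe here) share one shape: a schtasks /create whose action lives in a user-writable folder and repeats at a short interval. The Python below, added as an example and not taken from the report, parses schtasks command lines as an EDR would present them, including the form chained after "&" inside cmd.exe /c, and flags that combination. It handles both the /SC MINUTE /MO n form and the /SC DAILY /RI n repetition form. The two sample command lines are the report's, re-typed with straight quotes; the benign backup task is constructed for comparison.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Tokenise a Windows command line: quoted strings stay whole, quotes are removed.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# Locations a non-admin process can write to; a task whose action lives here
# was staged by the running malware rather than installed by an administrator.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")


@dataclass
class TaskCreate:
    name: str
    run: str
    interval_minutes: Optional[int]  # None when the task does not repeat


def _tokens(cmdline: str):
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t
            for t in TOKEN_RE.findall(cmdline)]


def parse_schtasks_create(cmdline: str) -> Optional[TaskCreate]:
    """Extract task name, action and repeat interval from a schtasks /create command.

    Handles a direct schtasks.exe invocation as well as one chained after '&'
    inside "cmd.exe /c ...", as in the replacer sample.
    """
    toks = _tokens(cmdline)
    start = next((i for i, t in enumerate(toks)
                  if t.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                  in ("schtasks", "schtasks.exe")), None)
    if start is None:
        return None
    args = {}
    i = start + 1
    while i < len(toks) and toks[i] != "&":
        t = toks[i]
        if t.startswith("/"):
            key = t[1:].lower()
            val = None
            if i + 1 < len(toks) and not toks[i + 1].startswith("/") and toks[i + 1] != "&":
                val = toks[i + 1]
                i += 1
            args[key] = val
        i += 1
    if "create" not in args:
        return None
    sc = (args.get("sc") or "").lower()
    interval = None
    if args.get("ri"):                       # /RI: repeat every n minutes inside the schedule
        interval = int(args["ri"])
    elif sc == "minute":
        interval = int(args.get("mo") or 1)
    elif sc == "hourly":
        interval = 60 * int(args.get("mo") or 1)
    return TaskCreate(args.get("tn") or "", args.get("tr") or "", interval)


def is_suspicious(task: TaskCreate, max_minutes: int = 15) -> bool:
    """Flag tasks that run a user-writable binary at least every max_minutes."""
    staged = any(s in task.run.lower() for s in USER_WRITABLE)
    frequent = task.interval_minutes is not None and task.interval_minutes <= max_minutes
    return staged and frequent


# Command lines as observed in the report (re-typed with straight quotes).
SAMPLE_CONTROL_CMD = (
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 15 /TN "P286S3MREM427FXLQI" '
    r'/TR "C:\ProgramData\{VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}\armsvc.exe" /F'
)
SAMPLE_REPLACER_CMD = (
    r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & '
    r'Del "C:\Users\<user>\AppData\Local\Temp\net4replacer.exe" & '
    r'schtasks /create /tn \rq5dhbgf\nquyb14p /tr C:\Users\<user>\AppData\Roaming\svchost.exe '
    r'/st 00:00 /du 9999:59 /sc daily /ri 1 /f'
)
# Constructed benign task for comparison: admin path, once a day, no repetition.
SAMPLE_BENIGN_CMD = r'schtasks /create /tn NightlyBackup /tr C:\Tools\backup.exe /sc daily /st 02:00'


def triage(cmdlines):
    """Return the names of suspicious scheduled tasks found in the command lines."""
    flagged = []
    for c in cmdlines:
        task = parse_schtasks_create(c)
        if task and is_suspicious(task):
            flagged.append(task.name)
    return flagged


if __name__ == "__main__":
    print(triage([SAMPLE_CONTROL_CMD, SAMPLE_REPLACER_CMD, SAMPLE_BENIGN_CMD]))
```

Treating /RI as the effective interval is what catches the replacer task: its /SC DAILY looks harmless until the one-minute repetition and the 9999-hour duration are read together.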
Poullight Stealer:
The net4network.exe executable (network.exe in Figure 1) is also protected with the Enigma Protector.
Original File Name | netcommunity.exe |
File Size | 978,944 bytes |
MD5 | ed81b7ab336d217d42136617f8f908af |
SHA256 | 87698fa154be7f6563f1a653a02dd6a93e4fd62fa7bcee7ca3a1ed5366c5e7f7 |
Product Version | 6.6.6.6 |
Date/Time Stamp (GMT) | Wednesday, 25 March 2020 03:49:15 |
Table 4: File metadata
This process crashes shortly after starting, which is the first, and only, visible indication to the end user that malware may have attempted to run on their computer.
Figure 8: Process crash popup message box
The net4network.exe process is essentially the Poullight Stealer recently reported by Yoroi. It steals the following information from the victim host, writing numerous files to disk to record the data.
| File Name | File Type | Data collected |
| --- | --- | --- |
| System.txt | Text file | OS version, username, computer name, video card, CPU |
| Processlist.txt | Text file | Running processes |
| Copyboard.txt | Text file | Clipboard text |
| Screenshot.png | PNG file | Screenshot of desktop |
| Webcam.jpg | JPG file | Webcam image |
| Data.txt | Text file | Pidgin chat client logs |
| Cookies.txt | Text file | Google cookies |
Additional applications from which data is stolen include Discord, FileZilla, NordVPN, Skype, Steam, Telegram and Pidgin. It also looks for various cryptocurrency wallets, including Bytecoin, Dash, Ethereum, BitCoin, Monero and BitCoin-Qt.
One of the files written contains the following string.
Stealer by Nixscare, buy here: @nixscare (telegram)
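The fixed output filenames in the table above, together with the "Stealer by Nixscare" marker string, make a usable on-disk hunt: the individual names are generic, but several of them co-located in one directory are not. The Python below is an added example, not code from the report or from the stealer. It walks a directory tree, reports every directory holding at least four of the artifact filenames (case-insensitively), and checks the text files there for the marker. The demo tree it builds under a temp directory is constructed for the example; on a real host the same function would be pointed at a user profile or the whole drive.

```python
import os
import tempfile

# Files the stealer writes, per the file table above (matched case-insensitively).
POULLIGHT_ARTIFACTS = {
    "system.txt", "processlist.txt", "copyboard.txt", "screenshot.png",
    "webcam.jpg", "data.txt", "cookies.txt",
}
# Marker string the report found in one of the written files.
MARKER = b"Stealer by Nixscare"


def find_staging_dirs(root, min_matches=4):
    """Walk root and return [(dir, [artifact names], marker_seen)] for directories
    holding at least min_matches of the artifact filenames."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = sorted(f.lower() for f in files if f.lower() in POULLIGHT_ARTIFACTS)
        if len(present) < min_matches:
            continue
        marker = False
        for f in files:
            if f.lower().endswith(".txt"):
                with open(os.path.join(dirpath, f), "rb") as fh:
                    if MARKER in fh.read(1 << 20):  # first 1 MiB is plenty for these files
                        marker = True
                        break
        hits.append((dirpath, present, marker))
    return hits


def build_demo_tree():
    """Create a constructed directory tree: one stealer output folder, one benign folder."""
    root = tempfile.mkdtemp(prefix="poullight_hunt_")
    staged = os.path.join(root, "out")
    os.makedirs(staged)
    for name in ("System.txt", "Processlist.txt", "Copyboard.txt", "Screenshot.png", "Data.txt"):
        with open(os.path.join(staged, name), "wb") as fh:
            fh.write(MARKER + b"\n" if name == "Data.txt" else b"")
    benign = os.path.join(root, "docs")  # a lone System.txt must not trigger
    os.makedirs(benign)
    with open(os.path.join(benign, "System.txt"), "wb") as fh:
        fh.write(b"just notes\n")
    return root


if __name__ == "__main__":
    for d, present, marker in find_staging_dirs(build_demo_tree()):
        print(d, present, "marker found" if marker else "no marker")
```

The min_matches threshold is the tuning knob: lower it and a directory with just System.txt and Cookies.txt will fire on ordinary user data, raise it and a partially completed collection run is missed.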
The owner of this Telegram account has a channel created under the alias shown below. The channel appears to have been active from mid-April 2020 until around mid-May.
Figure 9: Telegram channel by nixscare
This process makes an HTTP POST request to gate[.]btchit[.]me/gate.php, followed by an HTTP GET request to ru-uid-507352920[.]pp[.]ru to download the file example.exe. This request fails with a 404 error, likely due to infrastructure changes. At the time of writing, this domain resolves to an IP address geolocated in Makhachkala in the Republic of Dagestan, Russia.
Also at the time of writing, the Poullight Stealer site has been suspended by its hosting provider.
Figure 10: Poullight Stealer site suspended
One further point to highlight is the Poullight configuration parameters. The original base64-encoded configuration is shown below in the cpdata, ulfile and mutex fields.
Figure 11: Base64 encoded configuration parameters
The configuration can be decoded to reveal the following:
Figure 12: Decoded configuration
One particular part of the above configuration that stands out is the string found within the cpdata tag. This tag contains the wallet address 12CNuKkKK1xLFoM9P58zWXkELMx1y51z6Y. At the time of writing, this BTC address has a total of 4 transactions that occurred between 5 and 7 November 2019. Each transaction contains nested hashes, with some of the largest transactions including amounts for $1237.42, $3324.05 and $9233.48. The nested hashes and their associated transactions still show signs of recent activity, with an example shown below in USD.
Figure 13: Nested transactions
The cpdata tag name suggests clipboard data, which may be part of the BTC clipper functionality that hijacks wallet addresses innocently copied and pasted by the victim.
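When pulling the wallet address out of a configuration like the one in Figures 11 and 12, it is worth validating the Base58Check checksum before pivoting on it, since a decoding slip or a truncated field produces a string that still looks like an address. The Python below is an added example, not code from the report, the stealer, or any library: it base64-decodes the three configuration fields, extracts candidate legacy Bitcoin addresses by shape, and keeps only those whose double-SHA256 checksum verifies. The encoded field values are constructed here (base64 of plausible plaintext, with the wallet address taken from the report), because the figure's actual encoded strings are not reproduced in the text.

```python
import base64
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (P2PKH/P2SH) Bitcoin address shape: '1' or '3' plus 25-34 base58 characters.
BTC_ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58check_valid(addr: str) -> bool:
    """Decode Base58 and verify the 4-byte double-SHA256 checksum of a 25-byte payload."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes a leading zero byte (e.g. the 0x00 P2PKH version byte).
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    if len(raw) != 25:  # version (1) + hash160 (20) + checksum (4)
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def decode_config(fields: dict) -> dict:
    """Base64-decode each configuration field (cpdata, ulfile, mutex) to text."""
    return {k: base64.b64decode(v).decode("utf-8", "replace") for k, v in fields.items()}


def extract_wallets(text: str):
    """Return the checksum-valid Bitcoin addresses found in text, in order."""
    return [a for a in BTC_ADDR_RE.findall(text) if b58check_valid(a)]


def wallets_from_config(fields: dict) -> dict:
    """Map each config field to the valid addresses it contains (empty fields omitted)."""
    result = {}
    for k, v in decode_config(fields).items():
        found = extract_wallets(v)
        if found:
            result[k] = found
    return result


# Constructed stand-in for the encoded fields in Figure 11.
SAMPLE_CONFIG = {
    "cpdata": base64.b64encode(b"12CNuKkKK1xLFoM9P58zWXkELMx1y51z6Y").decode(),
    "ulfile": base64.b64encode(b"example.exe").decode(),
    "mutex": base64.b64encode(b"demo-mutex-name").decode(),
}

if __name__ == "__main__":
    print(decode_config(SAMPLE_CONFIG))
    print(wallets_from_config(SAMPLE_CONFIG))
```

The checksum step is what separates a real indicator from noise: a single wrong character fails the double-SHA256 check, so an address that survives it was copied intact and can safely be searched for across other samples and submitted as an IOC.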
Almost 300 samples on VirusTotal were found to include the cpdata tag, and one sample in particular contained the following name, which could suggest a relationship between the Poullight and Predator The Thief stealers.
Figure 14: Possible relationship with the Predator The Thief stealer
The overall process activity from Cloud Enterprise EDR is shown below.
Remediation:
MITRE ATT&CK TIDs
| TID | Tactic | Description |
| --- | --- | --- |
| T1047 | Execution | Windows Management Instrumentation |
| T1053 | Execution, Persistence, Privilege Escalation | Scheduled Task |
| T1096 | Defense Evasion | NTFS File Attributes |
| T1497 | Defense Evasion, Discovery | Virtualization/Sandbox Evasion |
| T1143 | Defense Evasion | Hidden Window |
| T1045 | Defense Evasion | Software Packing |
| T1081 | Credential Access | Credentials in Files |
| T1083 | Discovery | File and Directory Discovery |
| T1063 | Discovery | Security Software Discovery |
| T1012 | Discovery | Query Registry |
| T1010 | Discovery | Application Window Discovery |
| T1082 | Discovery | System Information Discovery |
| T1105 | Command and Control, Lateral Movement | Remote File Copy |
| T1119 | Collection | Automated Collection |
| T1005 | Collection | Data from Local System |
| T1071 | Command and Control | Standard Application Layer Protocol |
Indicators of Compromise (IOCs)
| Indicator | Type | Context |
| --- | --- | --- |
| d4864866becdce24241855de9af67c434007a9324b1b175a04020fd72e5e709b | SHA256 | Dropper |
| ae341ba5357eb8f9627898d0f740609b | MD5 | Dropper |
| 5831a117790aebc381c863d1c59e38164ba9c95c13f560f6f0e6e499a4c0f583 | SHA256 | net4contor.exe (Supreme Botnet Client) |
| 924bda3c9a8db75d80eca4a2eac3ff6e | MD5 | net4contor.exe |
| 87698fa154be7f6563f1a653a02dd6a93e4fd62fa7bcee7ca3a1ed5366c5e7f7 | SHA256 | net4network.exe |
| ed81b7ab336d217d42136617f8f908af | MD5 | net4network.exe |
| 6ee66ad45dcea6f6f02a7b43da0220908fcb1f80eb7f9d740f05acf64c410ed8 | SHA256 | net4replacer.exe |
| 995b58eca15bea70798ac29f5b0cd368 | MD5 | net4replacer.exe |
| 80.87.193.46 | IP Address | TCP/80 |
| download[.]btchit[.]me | Domain | Open Directory |
| dashboard[.]btchit[.]me | Domain | C2 |
| btchit[.]me | Domain | Builder Page |
| dviros[.]smabit[.]ru | Domain | Builder Page |
| api[.]foxovsky[.]ru | Domain | C2 |
| 91.210.201.108 | IP Address | TCP/80 |
| ru-uid-507352920[.]pp[.]ru | Domain | C2 |
| @nethitbot | Telegram Account | NetHit Builder |
| @nixscare | Telegram Account | Poullight Stealer |
| 12CNuKkKK1xLFoM9P58zWXkELMx1y51z6Y | Wallet Address | Wallet Address |
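The domain indicators above are defanged with "[.]" and need to be refanged before they can be matched against logs, and matching should be on domain suffix rather than substring so that a query for a new sub-domain of btchit[.]me is caught while a lookalike such as btchit.me.example.com is not. The Python below is an added example, not part of the report: it refangs the table's domains, matches DNS query names against them by parent-domain walk (stopping before the bare TLD), and runs that over a constructed DNS log whose layout ("<timestamp> <client> query <name> type <type>") is assumed for the example.

```python
import re

# Defanged network indicators from the IOC table above (hosts only).
DEFANGED_IOCS = {
    "download[.]btchit[.]me": "Open Directory",
    "dashboard[.]btchit[.]me": "C2",
    "btchit[.]me": "Builder Page",
    "dviros[.]smabit[.]ru": "Builder Page",
    "api[.]foxovsky[.]ru": "C2",
    "ru-uid-507352920[.]pp[.]ru": "C2",
}
# Assumed DNS log layout: "<ts> <client_ip> query <qname> type <qtype>".
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) type (?P<qtype>\w+)$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def refanged_iocs(defanged: dict) -> dict:
    return {refang(k): v for k, v in defanged.items()}


def match_domain(qname: str, iocs: dict):
    """Match the queried name, or any parent domain of it, against the IOC set.

    The loop stops before the bare TLD so that 'me' or 'ru' alone can never match."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate, iocs[candidate]
    return None


def scan_dns_log(lines, defanged=DEFANGED_IOCS):
    """Return (client, qname, context) for every query touching an IOC domain."""
    iocs = refanged_iocs(defanged)
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if not m:
            continue
        matched = match_domain(m["qname"], iocs)
        if matched:
            hits.append((m["client"], m["qname"], matched[1]))
    return hits


# Constructed sample DNS log: two infected clients, one benign client, one lookalike name.
SAMPLE_DNS_LOG = """\
2020-07-01T10:00:00Z 10.0.0.5 query download.btchit.me type A
2020-07-01T10:00:02Z 10.0.0.5 query dashboard.btchit.me type A
2020-07-01T10:00:03Z 10.0.0.9 query www.btchit.me type A
2020-07-01T10:00:04Z 10.0.0.7 query www.example.com type A
2020-07-01T10:00:05Z 10.0.0.7 query btchit.me.example.com type A
""".splitlines()

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

The www.btchit.me line illustrates the parent-domain walk: it is not in the table, yet it resolves to the "Builder Page" context through btchit[.]me, which is how a hunt keeps pace with sub-domains the operator adds later (such as the dviros host that appeared during this investigation).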
To learn more about the VMware Carbon Black Threat Analysis Unit (TAU), click here.