A bizarrely efficient botnet cryptocurrency miner has been revealed by Symantec security experts. Besides its classic mining function, it has a feature of clipboard hijacking, thence comes the name of this malware – “Clipminer.” That feature alone has brought its developers approximately $1.7M.
Let’s begin with the insertion. The Trojan-carried WinRAR archive originates from untrustworthy software downloads and self-extracts to activate a downloader via an executable DLL with a CPL extension. The film establishes a connection to Tor, and thus the assembly of the miner goes on. When the system is not in use, the malware activates the XMRig miner. Such selectivity allows for keeping the activity of the miner lowkey. The right time is when the movement of the mouse ceases and no keystrokes are detected. The malware will deploy a different mining program if the targeted computer has a graphics processing unit.
What Clipminer does besides stealing the targeted PC’s resources to throw them at cryptocurrency mining is that: it takes over a victim’s system’s clipboard. As soon as the user copies to the clipboard anything that resembles details of a cryptocurrency wallet (to send coins there), the Clipminer substitutes the desired numbers with one of the many account numbers at the disposal of crooks. The user hardly notices the replacement, let alone if there were many wallets, which would allow the felons to pick visually similar lines of characters. And there are! More than 4 thousand wallets are at the disposal of the criminals behind the malware in question, with over 3 thousand of these accounts supporting just the three types of Bitcoin. Clipminer recognizes at least 12 different cryptocurrency types. In the first days of June 2022, BTC and ETC wallets contained less than 34.3 and 129.9 coins, respectively.
The amount of $1.7M mentioned above includes the crypto passed through the so-called cryptocurrency tumblers, where coins from different places are being mixed so that it becomes impossible to trace whence they came.