Information security specialists have found new evidence that hackers often attack other hackers, their own “colleagues in the trade.” The malware, distributed on hacking forums under the guise of cracked RATs and malware-building tools, stole data from the clipboard.
Malware that steals or replaces clipboard data (often called a clipper) usually watches the clipboard for cryptocurrency wallet addresses and replaces them with addresses belonging to the malware operator. This tactic lets attackers immediately intercept financial transactions and send the money to their own accounts.
The first piece of malware, spotted on underground resources (for example, Russia black hat), was noticed by ASEC researchers. The attackers lured novice hackers with cracked versions of the BitRAT and Quasar RAT remote access trojans, which typically sell for between $20 and $100.
Anyone who downloads one of the offered files is redirected to an Anonfiles page that serves a RAR archive, supposedly the builder for the selected malware. In fact, the crack.exe file contained in these archives is a ClipBanker installer that only copies the malicious binary to the startup folder and launches it on the first reboot.
The second report came from Cyble experts, who discovered an offer on a hacking forum for a free month of AvD Crypto Stealer.
In this case, victims likewise downloaded what was supposedly the malware builder and ran the Payload.exe executable, assuming that this would give them free access to AvD Crypto Stealer. Instead, their systems were infected with clipboard-stealing malware aimed at Ethereum, Binance Smart Chain, Fantom, Polygon, Avalanche, and Arbitrum.
Cyble found that the Bitcoin address hardcoded in this malware sample had already received about 1.3 BTC (approximately $54,000 at current exchange rates) through the interception of 422 other people’s transactions.
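A defender-side heuristic for the clipboard replacement described above, as an added example that is not from ASEC, Cyble or the original article: it scans a constructed series of timestamped clipboard snapshots and flags a wallet address that is replaced by a different address of the same type within a short interval. The 2-second threshold, the function names and the sample addresses are assumptions made for illustration.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Shape checks only (no checksum validation). Ethereum, BSC, Fantom, Polygon,
# Avalanche C-Chain and Arbitrum all use the same EVM format: 0x + 40 hex digits.
PATTERNS = {
    "evm": re.compile(r"0x[0-9a-fA-F]{40}"),
    "btc": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71}"),
}

def classify(text: str) -> Optional[Tuple[str, str]]:
    """Return (family, normalized address) when the clipboard holds exactly one address."""
    candidate = text.strip()
    for family, pattern in PATTERNS.items():
        if pattern.fullmatch(candidate):
            # EVM hex is case-insensitive (checksum casing); Base58 is case-sensitive.
            return family, (candidate.lower() if family == "evm" else candidate)
    return None

def find_swaps(snapshots: Iterable[Tuple[float, str]], max_gap: float = 2.0) -> List[tuple]:
    """Flag address -> different address of the same family within max_gap seconds."""
    alerts, prev = [], None  # prev = (timestamp, classify() result) of the last snapshot
    for ts, text in snapshots:
        cur = classify(text)
        if (prev and prev[1] and cur and prev[1][0] == cur[0]
                and prev[1][1] != cur[1] and ts - prev[0] <= max_gap):
            alerts.append((ts, prev[1][1], cur[1], cur[0]))
        prev = (ts, cur)
    return alerts

# Constructed sample data: placeholder addresses, not real wallets.
ADDR_A = "0x" + "1a2b" * 10
ADDR_B = "0x" + "9f8e" * 10
BTC_C = "1" + "Abc2" * 8
BTC_D = "3" + "Xyz7" * 8
SNAPSHOTS = [
    (0.0, "meeting notes"),
    (10.0, ADDR_A),               # user copies a payee address
    (10.4, ADDR_B),               # replaced 0.4 s later: clipper-like behaviour
    (60.0, BTC_C),
    (95.0, BTC_D),                # 35 s apart: plausibly a second manual copy
    (120.0, ADDR_A),
    (120.5, "0x" + "1A2B" * 10),  # same address, different casing: not a swap
]
```

Calling `find_swaps(SNAPSHOTS)` returns one alert, for the `ADDR_A` to `ADDR_B` replacement at 10.4 s; a live monitor would feed the same function from periodic clipboard reads.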