TAU Threat Discovery: Cryptocurrency Clipper Malware Evolves


Clipper malware is designed to steal cryptocurrency from victims by replacing wallet addresses in the victim’s clipboard with wallet addresses that belong to the attacker. This stealthy technique is designed to silently trick the victim when making what appears to be a legitimate cryptocurrency transaction, which results in the attacker becoming the new recipient of that transaction. Although clipper malware isn’t necessarily a new threat, there have been limited public reports focused on clipper malware found in mobile applications. This report includes analysis of a recently discovered clipper malware targeting Windows, through which it delivers the Supreme botnet mining client and the Poullight information stealer. ### Technical Details Downloader: The downloader is written in Microsoft .NET and has 28 out of 72 detections in VirusTotal at the time of writing. Original File Name | startwe.exe ---|--- File Size | 381,952 bytes MD5 | ae341ba5357eb8f9627898d0f740609b SHA256 | d4864866becdce24241855de9af67c434007a9324b1b175a04020fd72e5e709b Product Name | BitCoin Clipper Product Version | File Description | BitCoin Clipper by BTCHit.me Date/ Time Stamp (GMT) | Saturday, 27 June 2020 05:34:06 Table 1: File metadata When the downloader first starts it retrieves the system time, gets the users temp folder location, and then makes an outbound HTTP GET request to the domain **download[.]btchit[.]me**. At the time of analysis this domain was found to originate from an IP address in Moscow. As the HTTP request made was an unauthenticated request over port 80, a quick look at the source sub-domain revealed the following open directory listing hosting several malicious files. ![When the downloader first starts it retrieves the system time, gets the users temp folder location, and then makes an outbound HTTP GET request to the domain download\[.\]btchit\[.\]me. At the time of analysis this domain was found to originate from an IP address in Moscow. As the HTTP request made was an unauthenticated request over port 80, a quick look at the source sub-domain revealed the following open directory listing hosting several malicious files. ](https://cdn.www.carbonblack.com/wp-content/uploads/Poullight_Figure1.png) Figure 1: Malicious files hosted in an open directory listing As this sub-domain was open and accessible, a further lookup of the root domain revealed the following builder page shown below. This includes instructions for contacting the bot operator via Telegram, and selecting additional functions, in order to build and download the client component. Note that there are references to “NetHitBot” and “BTCHit”. ![BTCHit builder page](https://cdn.www.carbonblack.com/wp-content/uploads/Poullight_Figure2.png) Figure 2: BTCHit builder page This domain was registered on 26 June 2020. This coincides with the dropper PE file date/time compilation date of 27 June 2020, which suggests that the malware, as well as the infrastructure to support it, has been built very recently. During the investigation a new domain with the same builder page was brought online using the domain name **dviros[.]smabit[.]ru**, which at the time of writing, points to an IP address located in Hesse, Germany. Once the HTTP connection is established, **control.exe**, **replacer.exe** and **network.exe** files (shown in Figure 1) from the open directory are downloaded to the users %TEMP% folder and executed as **net4contor.exe**, **net4replacer.exe,** and **net4network.exe** respectively. The overall process flow can be seen below. ![Process diagram from VMware Carbon Black Cloud Enterprise EDR](https://cdn.www.carbonblack.com/wp-content/uploads/Poullight_Figure3.png) Figure 3: Process diagram from VMware Carbon Black Cloud Enterprise EDR ### Supreme Botnet Mining Client The **net4contor.exe** (named as **control.exe** in Figure 1) is a PE file written in Delphi that is protected by the Enigma Protector. Code hiding, anti-analysis, anti-sandbox, and import table modification are some of the features available with the commercially available Enigma Protector software protection tool. Notably, the embedded metadata, shown below, notes that the files were originally compiled with the name “netcommunity.exe”. Original File Name | netcommunity.exe ---|--- File Size | 1,043,968 bytes MD5 | 924bda3c9a8db75d80eca4a2eac3ff6e SHA256 | 5831a117790aebc381c863d1c59e38164ba9c95c13f560f6f0e6e499a4c0f583 Product Version | Date / Time Stamp (GMT) | Tuesday, 1 January 2019 17:09:59 Table 2: File metadata Once this process starts, it will write a copy of itself into the **ProgramData** folder using a randomly generated character string for the folder name, and a name of a running process as the filename. The folder name is written in the format of a Globally Unique Identifier (GUID), but with invalid random characters. This could be in an attempt to make the folder look official, as that folder does contain GUID folders, but using invalid characters to ensure it doesn’t conflict with an existing folder. It will additionally write an identifier for an Alternate Data Stream into the same location. In the example below, we will refer to the malware as armsvc.exe. **C:\ProgramData\\{VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}\armsvc.exe** **C:\ProgramData\\{VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}\armsvc.exe:zone.identifier** The **net4contor.exe** executable immediately runs the scheduled task command shown below. This creates a new scheduled task which runs every 15 minutes as the currently logged on user account. **"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 15 /TN "P286S3MREM427FXLQI" /TR "C:\ProgramData\\{VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}\armsvc.exe" /F** Finally, as shown in the command line below, the executable will kill the **net4contor.exe** process and delete its file. **"C:\Windows\System32\cmd.exe" /c taskkill /im net4contor.exe /f & erase C:\Users\<user>\AppData\Local\Temp\net4contor.exe & exit** After deletion, the dropped C2 process starts and calls out to **dashboard[.]btchit[.]me** over TCP port 80 using standard Windows HTTP Service API calls (using WinHttpOpen(), WinHttpConnect(), WinHttpOpenRequest(), WinHttpSendRequest(), WinHttpReceiveResponse(), etc) in the following sequence shown below. 1 - POST unique identifiers of the victim system’s, CPU and GPU version to **dashboard[.]btchit[.]me/gate/update.php** ![First 71 bytes of HTTP POST request](https://cdn.www.carbonblack.com/wp-content/uploads/Poullight_Figure4.png) Figure 4: First 71 bytes of HTTP POST request 2 - Check if mutex exists, and, if found, exit 3 - If mutex is not found, send POST of unique identifier to check client registration to **dashboard[.]btchit[.]me/gate/connection.php** 4 - If the identifier is not found, send POST to **dashboard[.]btchit[.]me/gate/create.php** 5 - If the connection is successful, the following response code will be returned, which is base64 encoded for the string “success”: **c3VjY2Vzcw==** 6 - XMRig CPU and GPU mining configuration is then received ![XMRig default configuration example](https://cdn.www.carbonblack.com/wp-content/uploads/Poullight_Figure5.png) Figure 5: XMRig default configuration example 7 - The following process monitoring applications are checked and, if found, terminated to prevent viewing process activity that may be causing high CPU/GPU activity: **NetMonitor**, **Process Killer**, **KillProcess**, **System Explorer**, **Process Explorer**, **AnVir Task Manager** and **Process Hacker**. In addition, if **exe** is detected, the CPU Miner thread will suspend itself in order to hide CPU activities in order to remain undetected for as long as possible. 8 - Send an HTTP POST of the following config to **dashboard[.]btchit[.]me/gate/update.php** ![Partially redacted configuration information](https://cdn.www.carbonblack.com/wp-content/uploads/Poullight_Figure6.png) Figure 6: Partially redacted configuration information 9 - Send an HTTP POST of the unique identifier and updates to **api[.]foxovsky[.]ru/v1/checkLicense.php** One particular string found in the area of code pertaining to the C2 control is the “**ddos**” string, which infers that this client may have current or future functionality to download and install a DDoS module as part of targeted DDoS attacks. ![Botnet client ](https://cdn.www.carbonblack.com/wp-content/uploads/Poullight_Figure7.png) Figure 7: Botnet client The **net4replacer.exe** is a heavily obfuscated executable that is also protected by the Enigma Protector. Original File Name | netcommunity.exe ---|--- File Size | 937,984 bytes MD5 | 995b58eca15bea70798ac29f5b0cd368 SHA256 | 6ee66ad45dcea6f6f02a7b43da0220908fcb1f80eb7f9d740f05acf64c410ed8 Product Version | Date / Time Stamp (GMT) | Saturday 27 June 2020 05:26:47 Table 3: File metadata The primary responsibility of this process is to drop a copy of itself into the users Roaming folder as **svchost.exe**. A scheduled task will be created to run this svchost.exe process every minute. Finally the choice command self-destroys the net4replacer.exe process. **"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\<user>\AppData\Local\Temp\net4replacer.exe" & schtasks /create /tn \rq5dhbgf\nquyb14p /tr C:\Users\<user>\AppData\Roaming\svchost.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f** ### Poullight Stealer: The **net4network.exe** executable (network.exe in Figure 1) is also protected with the Enigma Protector. Original File Name | netcommunity.exe ---|--- File Size | 978,944 bytes MD5 | ed81b7ab336d217d42136617f8f908af SHA256 | 87698fa154be7f6563f1a653a02dd6a93e4fd62fa7bcee7ca3a1ed5366c5e7f7 Product Version | Date / Time Stamp (GMT) | Wednesday 25 March 2020 03:49:15 Table 4: File metadata This process crashes shortly after starting, which is the first, and only, visual indication to the end user that that malware may have attempted to run on the victim's computer. ![Process crash popup message box](https://cdn.www.carbonblack.com/wp-content/uploads/Poullight_Figure8.png) Figure 8: Process crash popup message box The **net4network.exe** process is essentially the Poullight Stealer, reported recently by [Yoroi](<https://yoroi.company/research/poulight-stealer-a-new-comprehensive-stealer-from-russia/>). This process steals the following information from the victim host, and writes numerous files to disk to record this data. **File Name** | **File Type** | **Data collected** ---|---|--- System.txt | Text file | OS version, username, computer name, video card, CPU Processlist.txt | Text file | Running processes Copyboard.txt | Text file | Clipboard text Screenshot.png | PNG file | Screenshot of desktop Webcam.jpg | JPG file | Webcam image Data.txt | Text file | Pidgin chat client logs Cookies.txt | Text file | Google cookies Additional clients that are used to steal from include: **Discord**, **FileZilla**, **NordVPN**, **Skype**, **Steam**, **Telegram**, **Pidgin**. It will also look for various cryptocurrency wallets which include: **Bytecoin**, **Dash**, **Ethereum**, **BitCoin**, **Monero**, and **BitCoin-Qt**. In one of the files written is the following string. **Stealer by Nixscare, buy here: @nixscare (telegram)** This telegram account owner has a channel created under the alias shown below. This channel looks to have been active from mid-April 2020 until around mid-May. ![Telegram channel by nixscare](https://cdn.www.carbonblack.com/wp-content/uploads/Poullight_Figure9.png) Figure 9: Telegram channel by nixscare This process makes a HTTP POST request to **gate[.]btchit[.]me/gate.php** followed by a HTTP GET request to **ru-uid-507352920[.]pp[.]ru** to download the file **example.exe**. This request fails with a 404 error, likely due to infrastructure changes. At the time of writing, this domain record location points to Makhachkala in the Republic of Dagestan, Russia. At the time of writing, the site for Poullight Stealer is currently in a suspended state by the hosting provider. ![Poullight Stealer site suspended ](https://cdn.www.carbonblack.com/wp-content/uploads/Poullight_Figure10.png) Figure 10: Poullight Stealer site suspended One further point to highlight is the Poullight configuration parameters. The original base64 encoded configuration is shown below in the fields of **cpdata**, **ulfile**, and **mutex**. ![Base64 encoded configuration parameters](https://cdn.www.carbonblack.com/wp-content/uploads/Poullight_Figure11.png) Figure 11: Base64 encoded configuration parameters The configuration can be decoded to reveal the following: ![Decoded configuration](https://cdn.www.carbonblack.com/wp-content/uploads/Poullight_Figure12.png) Figure 12: Decoded configuration One particular part of the above configuration that stands out is the string found within the **cpdata** tag. This tag contains the wallet address **12CNuKkKK1xLFoM9P58zWXkELMx1y51z6Y**. At the time of writing, this BTC address has a total of 4 transactions that occurred between 5 and 7 November 2019. Each transaction contains nested hashes, with some of the largest transactions including amounts for $1237.42, $3324.05 and $9233.48. The nested hashes and their associated transactions still show signs of recent activity, with an example shown below in USD. ![Nested transactions](https://cdn.www.carbonblack.com/wp-content/uploads/Poullight_Figure13.png) Figure 13: Nested transactions The tag **cpdata** infers that this is part of the clipboard data, which may be included as part of the BTC clipper functionality to siphon wallet addresses innocently copied/pasted by the victim. Almost 300 samples on VirusTotal were found to include the **cpdata** tag, but one sample in particular contained the following name which could suggest a possible relationship between Poullight and Predator The Thief stealers. ![Possible relationship between Predator The Thief stealer](https://cdn.www.carbonblack.com/wp-content/uploads/Poullight_Figure14.png) Figure 14: Possible relationship between Predator The Thief stealer The overall process activity from Cloud Enterprise EDR is shown below. ![Screenshot of process execution flow](https://cdn.www.carbonblack.com/wp-content/uploads/Poullight_Figure15.png) ### **Remediation:** **MITRE ATT&CK TIDs** **TID** | **Tactic** | **Description** ---|---|--- T1047 | Execution | Windows Management Instrumentation T1053 | Execution, Persistence, Privilege Escalation | Scheduled Task T1096 | Defense Evasion | NTFS File Attributes T1497 | Defense Evasion, Discovery | Virtualization/Sandbox Evasion T1143 | Defense Evasion | Hidden Window T1045 | Defense Evasion | Software Packing T1081 | Credential Access | Credentials in Files T1083 | Discovery | File and Directory Discovery T1063 | Discovery | Security Software Discovery T1012 | Discovery | Query Registry T1010 | Discovery | Application Window Discovery T1082 | Discovery | System Information Discovery T1105 | Command and Control, Lateral Movement | Remote File Copy T1119 | Collection | Automated Collection T1005 | Collection | Data from Local System T1071 | Command and Control | Standard Application Layer Protocol **Indicators of Compromise (IOCs)** **Indicator** | **Type** | **Context** ---|---|--- d4864866becdce24241855de9af67c434007a9324b1b175a04020fd72e5e709b | SHA 256 | Dropper ae341ba5357eb8f9627898d0f740609b | MD5 | Dropper 5831a117790aebc381c863d1c59e38164ba9c95c13f560f6f0e6e499a4c0f583 | SHA 256 | Net4contor.exe (Supreme Botnet Client) 924bda3c9a8db75d80eca4a2eac3ff6e | MD5 | net4contor.exe 87698fa154be7f6563f1a653a02dd6a93e4fd62fa7bcee7ca3a1ed5366c5e7f7 | SHA 256 | net4network.exe ed81b7ab336d217d42136617f8f908af | MD5 | net4network.exe 6ee66ad45dcea6f6f02a7b43da0220908fcb1f80eb7f9d740f05acf64c410ed8 | SHA 256 | net4replacer.exe 995b58eca15bea70798ac29f5b0cd368 | MD5 | net4replacer.exe | IP Address | TCP/80 download[.]btchit[.]me | Domain | Open Directory dashboard[.]btchit[.]me | Domain | C2 btchit[.]me | Domain | Builder Page dviros[.]smabit[.]ru | Domain | Builder Page api[.]foxovsky[.]ru | Domain | C2 | IP Address | TCP/80 Ru-uid-507352920[.]pp[.]ru | Domain | C2 @nethitbot | Telegram Account | NetHit Builder @nixscare | Telegram Account | Poullight Stealer 12CNuKkKK1xLFoM9P58zWXkELMx1y51z6Y | Wallet Address | Wallet Address To learn more about the VMware Carbon Black Threat Analysis Unit (TAU), click [here](<https://www.carbonblack.com/threat-analysis-unit/>). The post [TAU Threat Discovery: Cryptocurrency Clipper Malware Evolves](<https://www.carbonblack.com/blog/tau-threat-discovery-cryptocurrency-clipper-malware-evolves/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).