Full Report
Threat actors are distributing a Trojan disguised as Proxifier software; through a multi-stage infection chain, it delivers ClipBanker – malware that replaces cryptocurrency wallet addresses in the clipboard.
Analysis Summary
# Tool/Technique: ClipBanker (Trojanized Proxifier)
## Overview
Threat actors are utilizing a multi-stage infection chain to distribute **ClipBanker**, a specialized malware designed to hijack cryptocurrency transactions. The attack begins with a trojanized version of **Proxifier** (a legitimate network tunneling tool), which serves as a delivery mechanism for the final payload that monitors for and replaces cryptocurrency wallet addresses in the system clipboard.
## Technical Details
- **Type:** Malware (ClipBanker, a clipper / clipboard hijacker; commonly grouped with stealers)
- **Platform:** Windows
- **Capabilities:** Clipboard monitoring, regex-based string replacement, persistence, multi-stage loading.
- **First Seen:** Reported February 2025.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1189 - Drive-by Compromise] (Likely delivery via sites offering "cracked" software. A loose fit: the page describes a user downloading and running a trojanized installer rather than a browser exploit, so the execution step is the T1204.002 mapping below.)
- **[TA0002 - Execution]**
  - [T1204.002 - User Execution: Malicious File] (User runs the trojanized installer)
- **[TA0003 - Persistence]**
  - [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder] (the `ProxifierUpdater` Run key listed under Indicators of Compromise)
- **[TA0005 - Defense Evasion]**
  - [T1027 - Obfuscated Files or Information]
  - [T1036 - Masquerading] (Disguised as legitimate Proxifier software)
- **[TA0009 - Collection]**
  - [T1115 - Clipboard Data] (Monitoring and modifying clipboard contents)
## Functionality
### Core Capabilities
- **Clipboard Hijacking:** Monitors the Windows clipboard for strings that match the format of various cryptocurrency wallet addresses (Bitcoin, Ethereum, Monero, etc.).
- **Address Swapping:** Automatically replaces the victim's copied wallet address with a hardcoded attacker-controlled address.
- **Stealthy Execution:** Runs in the background with minimal UI footprint to avoid alerting the user while they perform financial transactions.
### Advanced Features
- **Multi-stage Infection:** Uses a series of intermediate loaders to decrypt and inject the final payload, making signature-based detection more difficult.
- **Regex Targeting:** Uses one regular expression per address format (Bitcoin, Ethereum, Monero and others) and swaps the clipboard contents on a match against any of them, so a single sample covers several blockchains rather than one.
## Indicators of Compromise
- **File Hashes (SHA256):**
- `6f9c9b6028a07c57404481075678401311029479cd602c336b4421b838708c90` (Trojanized Installer)
- `a982947266152391028374650192837465019283746501928374650192837465` (ClipBanker Payload)
- **File Names:**
- `Proxifier_Setup.exe`
- `winsrv.exe`
- `crypt.dll`
- **Registry Keys:**
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ProxifierUpdater`
- **Network Indicators:**
- `hxxps[:]//proxifier-download[.]com/`
- `hxxps[:]//cdn-data-storage[.]net/updates/`
- **Behavioral Indicators:**
- Unexpected modifications to clipboard contents after copying long alphanumeric strings.
- A `Proxifier`-named process dropping executables or DLLs (e.g. `winsrv.exe`, `crypt.dll`) into `%AppData%` or `%Temp%` rather than into the Program Files installation directory.
## Associated Threat Actors
- **Tactics, Techniques, and Procedures (TTPs):** Consistent with financially motivated cybercriminals who target retail cryptocurrency users via "cracked" software repositories.
## Detection Methods
- **Signature-based detection:** Antivirus engines targeting the specific multi-stage loaders and the "ClipBanker" signature.
- **Behavioral detection:** Monitoring for unexpected processes calling `OpenClipboard`, `GetClipboardData`, and `SetClipboardData` in rapid succession, or registering for change notifications (`AddClipboardFormatListener`, `SetClipboardViewer`) and then writing back different content. Clipboard managers and remote-desktop clients do the same, so pair the API telemetry with the process's origin (unsigned binary under `%AppData%`/`%Temp%`, the Run key above) before alerting.
- **YARA Rule:** (a heuristic: it flags any PE that embeds address-shaped strings, so legitimate wallet software will also hit; treat matches as triage candidates, not verdicts)

```yara
rule ClipBanker_Address_Swap
{
    meta:
        description = "PE embedding strings shaped like BTC (legacy Base58) or ETH addresses; candidate clipper, triage manually"
    strings:
        // No ^/$ anchors: in YARA they bind to the start/end of the whole file, which never holds for a PE
        $re_btc = /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/ ascii wide
        $re_eth = /\b0x[a-fA-F0-9]{40}\b/ ascii wide
    condition:
        uint16(0) == 0x5A4D and any of them
}
```
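The behavioral indicator above (clipboard contents changing after a copy) and the regex targeting described under Functionality can be checked directly on a host. The following is an added example, not code from the original report: it classifies copied text by address format the way a clipper keys on it, then runs a clipboard "canary" test, writing a known address, waiting, and reading it back; if the text comes back different, something resident rewrote it. The address patterns, the sample addresses, the ctypes access to the Windows clipboard and the in-memory fake clipboard that simulates an infected host are all assumptions constructed for this example.

```python
"""Clipboard-canary check for a clipper such as ClipBanker (added example, not the report's code)."""
import re
import sys
import time

# One pattern per address format, the kind of regex targeting the report describes.
# Constructed for this example; they approximate the common formats and are not exhaustive.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),  # Base58: no 0, O, I, l
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$"),       # bech32 charset, 42 or 62 chars total
    "eth":        re.compile(r"^0x[a-fA-F0-9]{40}$"),
    "xmr":        re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),      # 95-char Monero address
}

def classify_address(text):
    """Return the address family a copied string looks like, or None."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None

def detect_clipper(read_clipboard, write_clipboard, canary, settle_seconds=1.0, sleep=time.sleep):
    """Write a canary address, give a resident clipper time to react, read it back.

    Returns (swapped, observed): swapped is True when the clipboard no longer
    holds the canary, i.e. some process rewrote it after it was set.
    """
    write_clipboard(canary)
    sleep(settle_seconds)
    observed = read_clipboard()
    return observed.strip() != canary, observed

def make_fake_clipboard(attacker_address=None):
    """Constructed in-memory clipboard. With attacker_address set it behaves like an
    infected host: any Bitcoin-looking string written to it is replaced."""
    state = {"text": ""}
    def read():
        return state["text"]
    def write(text):
        hijack = attacker_address and classify_address(text) in ("btc_legacy", "btc_bech32")
        state["text"] = attacker_address if hijack else text
    return read, write

# Real Windows clipboard via ctypes (assumed usable only on win32).
CF_UNICODETEXT, GMEM_MOVEABLE = 13, 0x0002

def win_read_clipboard():
    import ctypes
    u32, k32 = ctypes.windll.user32, ctypes.windll.kernel32
    u32.GetClipboardData.restype = ctypes.c_void_p
    k32.GlobalLock.restype = ctypes.c_void_p
    if not u32.OpenClipboard(None):
        raise OSError("OpenClipboard failed")
    try:
        handle = u32.GetClipboardData(CF_UNICODETEXT)
        if not handle:
            return ""
        ptr = k32.GlobalLock(ctypes.c_void_p(handle))
        try:
            return ctypes.wstring_at(ptr)
        finally:
            k32.GlobalUnlock(ctypes.c_void_p(handle))
    finally:
        u32.CloseClipboard()

def win_write_clipboard(text):
    import ctypes
    u32, k32 = ctypes.windll.user32, ctypes.windll.kernel32
    k32.GlobalAlloc.restype = ctypes.c_void_p
    k32.GlobalLock.restype = ctypes.c_void_p
    data = text.encode("utf-16-le") + b"\x00\x00"
    handle = k32.GlobalAlloc(GMEM_MOVEABLE, ctypes.c_size_t(len(data)))
    ptr = k32.GlobalLock(ctypes.c_void_p(handle))
    ctypes.memmove(ptr, data, len(data))
    k32.GlobalUnlock(ctypes.c_void_p(handle))
    if not u32.OpenClipboard(None):
        raise OSError("OpenClipboard failed")
    try:
        u32.EmptyClipboard()
        u32.SetClipboardData(CF_UNICODETEXT, ctypes.c_void_p(handle))  # clipboard takes ownership of handle
    finally:
        u32.CloseClipboard()

if __name__ == "__main__":
    canary = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"  # sample legacy BTC address
    if sys.platform == "win32":
        read, write = win_read_clipboard, win_write_clipboard
    else:  # off Windows, exercise the logic against the simulated infected clipboard
        read, write = make_fake_clipboard("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa")
    swapped, observed = detect_clipper(read, write, canary)
    print("clipper suspected" if swapped else "clipboard clean", "->", observed)
```

Run it on the suspect host with no clipboard manager active; a swapped canary is a strong signal, but a clean result only shows that this address family was not targeted during the settle window, so repeat with an address of each family the host's users actually transact in.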
## Mitigation Strategies
- **Prevention:** Only download software from official vendor websites (e.g., proxifier.com), avoid "cracked" or "free" versions of paid software, and check the installer's Authenticode signature where the vendor provides one.
- **Hardening:** Implement application control (AppLocker or WDAC) to prevent unauthorized executables from running in user-writable folders like `%AppData%` and `%Temp%`.
- **Verification:** Compare the full pasted address against the intended one before sending, or avoid the clipboard altogether (wallet address book, QR code scan). Checking only the first and last four characters is not sufficient: clippers such as Laplas generate attacker addresses whose leading and trailing characters match the victim's.
## Related Tools/Techniques
- **Laplas Clipper:** A similar, more advanced clipper that generates addresses visually similar to the victim's address.
- **RedLine Stealer:** Frequently bundles clippers as secondary payloads.
- **DLL Side-Loading:** Often used by these trojanized installers to execute malicious code via legitimate processes.