Clipminer: Making millions off of malware.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts, tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dick O’Brien: Yeah. It's not the usual sort of thing that we investigate, but it is kind of an interesting threat. The reason I say it's not the usual sort of thing we investigate is because in the greater scheme of things, it's by no means the world's biggest cybercrime operation. And I think that has helped it fly a little bit under the radar.
Dave Bittner: That's Dick O'Brien. He's a principal editor at Symantec. The research we're discussing today is titled "Clipminer Botnet Makes Operators at Least $1.7 Million."
Dick O’Brien: What we saw cropping up a few times in customers' environments - we got curious, and we decided to dig a little bit deeper and look at it in depth because while Clipminer is known about and has been talked about, say, in forums and in social media, nobody had really kind of documented it fully. So what is it? Well, the first thing - interesting thing about Clipminer is that it's - I guess it's a dual-pronged threat, to describe it. So first of all, it's a crypto miner, which means it will attempt to mine cryptocurrency on the infected computer, which means that they effectively steal the victim's computing resources from them. But along with that, it's a crypto stealer. And by that, I mean that if the victim is a cryptocurrency user, it will attempt to steal some of their cryptocurrency. It does this by modifying the contents of the clipboard on the computer to redirect payments. So each time the clipboard is updated, it will scan the clipboard for cryptocurrency wallet addresses. It's set up to identify address formats that are used by a lot of different cryptocurrencies. And so if it spots something that it thinks is a cryptocurrency wallet address, it will replace it with the address of a wallet that the attackers own themselves.
Dick O’Brien: I guess what that means for the victim is, well, imagine they want to pay somebody using their favorite form of cryptocurrency. What they would do is that they would copy the address they need to send the payment to, and then they'll paste it into their own wallet in order to send it, except in this case, by the time they paste it into their own wallet, it's replaced with another address, and therefore the malware has managed to redirect the payments to the attackers. The way they do this is actually pretty stealthy because for most of the cryptocurrency address formats that the malware is configured to scan for, it has a whole heap of different wallet addresses to choose from, and it will choose the address that matches the prefix of the address to be replaced. So this way, unless the victim is really, really paying attention to what is being pasted into their wallets, they may not notice the manipulation. They may just look at the first few characters and think, yeah, that's OK and hit send.
Dick O’Brien: Now, for us, like, once we started looking into Clipminer, one of the first questions that arose really was how much money that this is making. And I think that can tell you a lot about the gravity and the longevity of these kind of threats, because the more money they're making, the less likely it is to disappear and the more likely it is that they're going to want to build on data and make it bigger. Calculating the earnings is always a little bit tricky and time-consuming. So, for example, to start with the malware, it was preconfigured with the addresses of over 4,000 wallets. That's 4,000 wallets controlled by the attackers themselves.
Dick O’Brien: So we took a look at just the bitcoin and the Ethereum wallets, which were the majority, in fairness, and they contained a good amount of money. But we noticed a lot had been transferred out into tumblers. And these effectively act as money launderers for cybercriminals using cryptocurrency. And then if you factor in the money that has already gone out of the wallets into these tumblers, we reckoned that they'd made at least $1.7 billion from the clipboard hijacking alone in those currencies. I should stress that it's $1.7 billion at the time of writing, because, as we all know, cryptocurrencies have been hit with a pretty steep drop in value in recent weeks, so their profits would probably only be intact if they'd cashed out into other real-world currencies straightaway. But of course, they've potentially made much more than this because we only made an estimate of the clipboard earnings, and the crypto miner earnings were way too complex to calculate in the time that we had.
Dave Bittner: You know, it's really an interesting point you bring up here that, first of all, $1.7 million could be considered not a whole lot of money relative to some of the other operators out there, right?
Dick O’Brien: Yeah. Yeah. When you hear about ransomware groups making maybe hundreds of millions of dollars, you know, this is sort of small leaks. But nevertheless, like, for anybody, $1.7 billion is a fair amount.
Dave Bittner: Yeah. And that's where I'm going with this, which is, is there kind of this funny middle ground where if you're a ransomware operator, can you operate in this space where you're still making a pretty good living for yourself, but there are a lot of shinier objects out there for law enforcement to try to track down?
Dick O’Brien: It is something that I have been thinking about myself since we published this research. I don't know whether it's by accident or design that the Clipminer people have maybe hit on this sweet spot where they still make good money, but aren't conspicuous, and as a result, don't have a target on their back, you know. But if it is by design, you know, it's pretty clever not being so greedy that you don't stick your head above the parapet to a great degree.
Dave Bittner: What about the crypto mining side of things here? Is there anything noteworthy about that part of it?
Dick O’Brien: The crypto miner itself is publicly available Monero mining software called XMRig. So that component, you know, it's a known thing. And it's not by itself malicious. You know, the malware that surrounds it, I think, is a little bit more interesting in that, like, it's quite surreptitious in how it behaves, tries to make sure that attention isn't drawn to the cryptocurrency mining. So, for example, it will constantly scan for keyboard and mouse usage. And this is to determine whether somebody is actively using the computer at the time. And if they - if it decides that nobody's using it, then and only then will the miner kick in. So obviously, you're going to make more money if it's mining all the time, but the user may notice a lag in the computer's performance. And it also monitors for any analysis and troubleshooting tools running and won't run the miner if they're running as well. And I think, again, that's probably a bid to keep a pretty low profile because the user may not be using the computer at the minute, have their hands off the keyboard, but they may be running some sort of scan or diagnostic tool which could pick up the mining activity.
Dave Bittner: So take me through how someone could find themselves infected with this. How are they going after their victims?
Dick O’Brien: We didn't see the complete attack chain ourselves, but just going by what we've heard from third parties and things like that, we think their main infection vector is Trojanized downloads, even pirated software, things like that - what is contained within them. The first evidence of infection we see is the arrival of a self-extracting WinRAR archive that drops onto the computer. It runs a downloader that's a .dll file. And then it connects to the Tor network. And it downloads the actual Clipminer payload itself. And then, of course, you want Clipminer to stay running once it's on your computer. So it creates what's called persistence by creating a scheduled task, which means every time the user reboots, if they reboot, Clipminer will restart.
Dave Bittner: And what are your recommendations for folks to best protect themselves? I mean, I guess obviously, don't download pirated software, but beyond that.
Dick O’Brien: I mean, really, you know, I mean, it is pretty obvious. But, like, you know, this is an illustration once again of, like, why you shouldn't be downloading any types of pirated content because, like, they tend - they, you know, they're frequently laced with this sort of stuff, you know. A good AV product should pick it up, you know. But also, I think, you know, just be mindful of how your computer is behaving and performing. And if you notice all of a sudden, like this - your computer is way more sluggish than it used to be, it probably does warrant further investigation. It may not always be malicious, but it definitely warrants checking.
Dave Bittner: Do we have any idea who's behind this, what part of the world they're hailing from?
Dick O’Brien: No, not in terms of what part of the world they're hailing from. We may have a little bit of an origin story or an origin hypothesis because Clipminer itself has been - it's been circulating since January of last year, January 2021. And it emerged shortly after a kind of similar threat called KryptoCibule. I think I'm - I hope I'm pronouncing that correctly, but it was discovered by ESET. And when we looked at that, it was actually quite similar to Clipminer. We can't say they're exactly the same thing, but they're very similar. So that left us with two hypotheses. Either after the exposure by ESET at the end of 2020, the actors behind this older threat may have decided to go back to the drawing board and launch a new tool in the form of Clipminer. But then the other hypothesis is that somebody had come across this older threat and decided to create Clipminer in its image or, you know, something similar.
Dave Bittner: Our thanks to Dick O'Brien from Symantec for joining us. The research is titled "Clipminer Botnet Makes Operators at Least $1.7 Million." We'll have a link in the shownotes.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.