This new malware diverts cryptocurrency payments to attacker-controlled wallets
A new malware dubbed Keona Clipper aims to steal cryptocurrencies from infected computers and uses Telegram to increase its stealth. Learn more about what the Clipper malware threat is and how to protect against it.
Clipper malware is software that, once running on a computer, constantly checks the content of the user's clipboard and looks for cryptocurrency wallet addresses. If the user copies a wallet address and pastes it somewhere, it is replaced by another wallet address owned by the cybercriminal.
This way, if an unsuspecting user uses any interface to send a cryptocurrency payment to a wallet, which is generally done by copying and pasting a legitimate destination wallet address, that address gets replaced by the fraudulent one.
Clipper malware is not a new threat, but it is unknown to most users and companies. The first clipper malware appeared in 2017 on Windows operating systems. Such malware also appeared on the Google Play Store in 2019. That malware impersonated MetaMask, a popular crypto wallet, and aimed at stealing credentials and private keys to steal Ethereum funds from the victims, in addition to changing the wallets in the clipboard to obtain more cryptocurrency.
Clipper attacks work very well because of the length of cryptocurrency wallet addresses. People transferring cryptocurrencies from their wallet to another rarely check that the copy/paste result is indeed the address provided by the legitimate receiver.
Researchers from Cyble analyzed a new Clipper malware named Keona Clipper by its developer (Figure A).
Figure A
The malware is sold as a service at the price of $49 for one month.
Keona Clipper was developed in the .NET programming language and protected by Confuser 1.x. This tool protects .NET applications by renaming symbols, obfuscating the control flow, encrypting constants and resources, and applying protections against debugging, memory dumping, tampering and decompilers, all of which makes the malware harder for reverse engineers to analyze.
Cyble researchers have identified over 90 different Keona samples since May 2022, showing wide deployment. The differences between those Keona samples might be slight modifications in the code, or just the result of several uses of the Confuser protector, which would generate a different binary each time a sample is submitted, to avoid detection by security solutions that rely on file signatures only.
Once executed, the malware communicates with an attacker-controlled Telegram bot via the Telegram API. The first communication from the malware to the bot contains a message written in the Russian language which can be translated as “clipper has started on the computer” and contains the username of the user whose account is used by the malware.
The malware also makes sure it will always be executed, even if the computer restarts. To ensure that persistence, the malware copies itself to several locations, including the Administrative Tools folder and the Startup folder. Autostart entries in the Windows registry are also created to ensure the malware is run every time the computer restarts.
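The self-copy behavior described above leaves a detectable trace: each Confuser run produces a different binary across samples, but the copies a sample drops on one host are identical to each other. The following added example (not code from Cyble or from the original article) hashes executables in several autostart directories and reports any file present in more than one of them. The directory labels and file names in `demo()` are constructed, and on a real host the caller supplies the actual Startup and Administrative Tools paths.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries do not load fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def duplicated_autostart_files(locations, extensions=(".exe",)):
    """locations: {label: directory}. Returns {sha256: [paths]} for every
    file whose content appears in at least two different locations."""
    seen = defaultdict(dict)  # digest -> {label: first path seen there}
    for label, directory in locations.items():
        root = Path(directory)
        if not root.is_dir():
            continue  # a missing folder is not an error on a given host
        for p in root.rglob("*"):
            if p.is_file() and p.suffix.lower() in extensions:
                seen[sha256_of(p)].setdefault(label, str(p))
    return {d: sorted(v.values()) for d, v in seen.items() if len(v) >= 2}


def demo():
    """Constructed layout: one payload copied under two names, one unrelated file."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp, "Startup")
        admin = Path(tmp, "Administrative Tools")
        startup.mkdir()
        admin.mkdir()
        (startup / "updater.exe").write_bytes(b"constructed sample A")
        (admin / "svchelper.exe").write_bytes(b"constructed sample A")
        (startup / "legit.exe").write_bytes(b"constructed sample B")
        hits = duplicated_autostart_files({"startup": startup, "admin_tools": admin})
        return [sorted(Path(p).name for p in paths) for paths in hits.values()]


if __name__ == "__main__":
    print(demo())
```

Files referenced by autostart registry entries can be included by passing their parent directories as additional locations.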
Keona Clipper then quietly monitors for any clipboard activity and uses regular expressions to check for any cryptocurrency wallets. Keona Clipper can steal more than a dozen different cryptocurrencies: BTC, ETH, LTC, XMR, XLM, XRP, NEC, BCH, ZCASH, BNB, DASH, DOGE, USDT TRC20 and ADA coins.
If a wallet is found, it is replaced immediately in the clipboard by a wallet address provided by the threat actor.
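The immediate replacement described above can be detected from a log of clipboard snapshots. This added example (not code from the article or from Cyble) flags any case where one wallet-shaped value is replaced by a different value of the same coin type within a short interval. The address patterns are simplified and cover three of the listed coins, the sample addresses and events are constructed, and the two-second threshold is an assumption.

```python
import re

# Simplified address shapes (format only, no checksum verification).
PATTERNS = {
    "BTC": re.compile(r"^(?:bc1[02-9ac-hj-np-z]{11,71}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^[LM][1-9A-HJ-NP-Za-km-z]{26,33}$"),
}


def classify(text):
    """Return the coin whose address shape the text matches, or None."""
    text = text.strip()
    for coin, pattern in PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def find_swaps(events, max_gap=2.0):
    """events: ordered (timestamp_seconds, clipboard_text) snapshots.
    Flags an address replaced by a different address of the same coin
    within max_gap seconds, faster than a person would re-copy."""
    swaps = []
    prev_ts = prev_text = prev_coin = None
    for ts, text in events:
        text = text.strip()
        coin = classify(text)
        if coin and coin == prev_coin and text != prev_text and ts - prev_ts <= max_gap:
            swaps.append({"coin": coin, "copied": prev_text,
                          "replaced_by": text, "gap": ts - prev_ts})
        prev_ts, prev_text, prev_coin = ts, text, coin
    return swaps


# Constructed placeholder addresses and clipboard log.
ETH_A, ETH_B = "0x" + "11" * 20, "0x" + "ab" * 20
BTC_A, BTC_B = "1" + "A" * 30, "3" + "B" * 30
EVENTS = [
    (0.0, "meeting notes"),
    (10.0, ETH_A),   # user copies a destination address
    (10.3, ETH_B),   # replaced 0.3 s later: flagged
    (60.0, BTC_A),
    (300.0, BTC_B),  # four minutes later: treated as a normal second copy
]

if __name__ == "__main__":
    for swap in find_swaps(EVENTS):
        print(swap)
```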
A screen capture from Cyble shows a Bitcoin wallet controlled by the threat actor. That wallet is tied to 60 transactions, for a total amount of approximately $450 (Figure B).
Figure B
While this amount of money might seem quite small, attackers often use different wallets for several different kinds of cryptocurrencies. This amount should therefore be seen as just one part of the attacker’s financial gain.
Every payment made in cryptocurrency should be checked carefully. Users should visually confirm the wallet address used as the destination for the transaction by comparing the result of their copy/paste operation to the address provided by the seller.
Private keys and seeds for wallets should never be stored unsafely on any device. These should be stored encrypted, if possible, on a separate storage device or on a physical hardware wallet.
Security products should be deployed to detect the threat. The initial propagation vector for Keona is not known; we suspect it might be email, so email-based security needs to be deployed. User awareness should also be raised about email fraud and phishing.
Finally, the operating system and all software running on it should always be kept up to date and patched. If the malware is dropped and executed on the system by leveraging a common exploit, a patched system is very likely to stop the threat.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.