Apr 09, 2026 • Oleg Kupreev
The long road to your crypto: ClipBanker and its marathon infection chain
Executive Summary
Threat actors are leveraging a sophisticated multi-stage infection chain to distribute ClipBanker malware, disguised as legitimate Proxifier software found via search engines. The campaign utilizes a malicious GitHub repository to deliver a trojanized installer that establishes Microsoft Defender exclusions and employs fileless techniques involving PowerShell scripts and process injection. The final payload monitors the victim's clipboard for cryptocurrency wallet addresses across numerous blockchain networks and replaces them to divert transactions. This activity poses a high severity risk to cryptocurrency users due to the financial impact and advanced evasion methods used to bypass security controls. Organizations and individuals should verify software sources, monitor scheduled tasks and registry keys for anomalies, and ensure endpoint protection solutions are configured to detect obfuscated PowerShell activity and unauthorized clipboard monitoring.
Summary
Threat actors are distributing a Trojan disguised as Proxifier software; through a multi-stage infection chain, it delivers ClipBanker – malware that replaces cryptocurrency wallet addresses in the clipboard.
Published Analysis
At the start of the year, a certain Trojan caught our eye due to its incredibly long infection chain. In most cases, it kicks off with a web search for “Proxifier”. Proxifiers are specialized software designed to tunnel traffic for programs that do not natively support proxy servers. They are a go-to for making sure these apps are functional within secured development environments. By coincidence, Proxifier is also the name of a proprietary proxifier developed by VentoByte, which is distributed under a paid license. If you search for Proxifier (or a proxifier), one of the top results in popular search engines is a link to a GitHub repository. That’s exactly where the source of the primary infection lives. The GitHub project itself contains the source code for a rudimentary proxy service.
However, if you head over to the Releases section, you’ll find an archive containing an executable file and a text document. That executable is actually a malicious wrapper bundled around the legitimate Proxifier installer, while the text file helpfully offers activation keys for the software.

Once launched, the Trojan’s first order of business is to add an exception to Microsoft Defender for all files with a TMP extension, as well as for the directory where the executable is sitting. The way the Trojan pulls this off is actually pretty exotic. First, it creates a tiny stub file – only about 1.5 KB in size – in the temp directory under the name “Proxifier .tmp” and runs it. This stub doesn’t actually do anything on its own; it serves as a donor process. Later, a .NET application named “api_updater.exe” is injected into it to handle the Microsoft Defender exclusions. To get this done, api_updater.exe decrypts and runs a PowerShell script using the PSObject class. PSObject lets the script run directly inside the current process without popping up a command console or launching the interpreter.

As soon as the required exclusions are set, the trojanized proxifier.exe extracts and launches the real Proxifier installer. Meanwhile, it quietly continues the infection in the background: it creates another donor process and injects a module named proxifierupdater.exe. This module acts as yet another injector. It launches the system utility conhost.exe and injects it with another .NET app, internally named “bin.exe”, which runs a PowerShell script using the same method as before. The script is obfuscated and parts of it are encoded, but it really only performs four specific actions:

- Add the “powershell” and “conhost” processes to Microsoft Defender exclusions.
- Create a registry key at HKLM\SOFTWARE\System::Config and store another Base64-encoded PowerShell script inside it.
- Set up a scheduled task to launch PowerShell with another script as an argument. That script’s task is to read the content of the created registry key, decode it, and transfer control to the resulting script.
- Ping an IP Logger service at https[:]//maper[.]info/2X5tF5 to let the attackers know the infection was successful.

This wraps up the primary stage of the infection. As you can see, the Trojan attempts to use fileless (or bodiless) malware techniques. By executing malicious code directly in allocated memory, it leaves almost no footprint on the hard drive.

The next stage is launched along with the task created in the scheduler. This is what it looks like: The task launches the PowerShell interpreter, passing the script from the arguments as input. As we already mentioned, it reads the contents of the previously created Config registry key, then decodes and executes it. This is yet another PowerShell script whose job is to download the next script from hardcoded addresses and execute it. These addresses belong to Pastebin-type services, and the content located there is encoded in several different ways at...
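The executive summary recommends watching Defender exclusions, the registry key and the scheduled task this chain leaves behind. The triage script below is an added example, not code from the original article; it assumes Windows PowerShell 5.1 or later with the Defender and ScheduledTasks modules, an elevated prompt, and the Base64-length threshold and argument patterns are my own heuristics.

```powershell
# Added example, not code from the original article. Assumes Windows PowerShell 5.1+
# with the Defender and ScheduledTasks modules, run from an elevated prompt.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Defender exclusions: the Trojan adds the .tmp extension, its own directory and
#    the powershell/conhost processes. On recent builds exclusions are only visible
#    to administrators, so a non-elevated run will report nothing here.
$pref = Get-MpPreference
foreach ($ext in @($pref.ExclusionExtension)) {
    if ($ext -match '^\.?tmp$') { $findings.Add("Defender extension exclusion: $ext") }
}
foreach ($proc in @($pref.ExclusionProcess)) {
    if ($proc -match '^(powershell|conhost)(\.exe)?$') {
        $findings.Add("Defender process exclusion: $proc")
    }
}
foreach ($path in @($pref.ExclusionPath)) {
    # Any path exclusion deserves review; the Trojan excludes its own drop directory.
    $findings.Add("Defender path exclusion (review): $path")
}

# 2. The HKLM\SOFTWARE\System::Config key that stores a Base64-encoded script. The .NET
#    API is used because '::' in the key name clashes with PowerShell's provider-qualified
#    path syntax.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\System::Config')
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::String) { continue }
        $val = [string]$key.GetValue($name)
        # A long value made only of Base64 characters is the stored second-stage script (heuristic).
        if ($val.Length -gt 200 -and $val -match '^[A-Za-z0-9+/=\s]+$') {
            $findings.Add("System::Config value '$name' looks like a Base64 script ($($val.Length) chars)")
        }
    }
    $key.Close()
}

# 3. Scheduled tasks whose action runs PowerShell with arguments that read the registry
#    key or decode Base64 (the hand-off to the next stage described in the article).
foreach ($task in Get-ScheduledTask) {
    foreach ($action in @($task.Actions)) {
        if ([string]$action.Execute -notmatch 'powershell|pwsh') { continue }
        $taskArgs = [string]$action.Arguments
        if ($taskArgs -match 'System::Config|FromBase64String|Get-ItemProperty|-enc|-e |-w hidden') {
            $findings.Add("Task $($task.TaskPath)$($task.TaskName) runs PowerShell with: $taskArgs")
        }
    }
}
if ($findings.Count -eq 0) { 'No ClipBanker-style artifacts found.' } else { $findings }
```

A hit on the registry key or the task is strong evidence of this chain; a path or process exclusion on its own needs to be checked against the host's known configuration.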
Linked Entities
- ClipBanker