Clipminer: The million-dollar clipboard hijacking crypto scam
posted Sunday Jun 5, 2022 by Scott Ertz
Over the past few years, Americans have lost over $1 billion per year to cryptocurrency scams. Some of that loss has been to dating app scams, some to traditional phishing scams, while others have gotten more creative. One of the more creative, and therefore diabolical, scams comes to us from Clipminer, a clipboard hijacker that has stolen $1.7 million from unsuspecting victims.
What is Clipminer?
Clipminer is a seemingly simple concept and one that has existed for decades. It simply watches your clipboard for interesting information. In the past, similar hijackers have looked for passwords and other important pieces of information and sent that data to a remote server. Clipminer took a different approach, however. It watches your clipboard for what it believes to be a cryptocurrency wallet address. Rather than sending that information to a remote server, it simply replaces the value with something else.
That something else, however, is the key to the scam. The reason you would be copying a cryptocurrency wallet address is likely because you are about to send money to that wallet. So, Clipminer replaces the text in your clipboard - the wallet address you plan to send money to - with its own. If you do not spot-check the wallet address before hitting send, you will have sent the money to the wrong place. And, as many know, once money is transferred it is gone for good.
To add insult to injury, when the software is installed on your device, it doesn't just hijack your clipboard - it also installs a crypto miner on your system. So, while the software works to steal cryptocurrency from you directly, it also uses your resources to mine its own cryptocurrency without your permission or knowledge, likely costing you more money through power consumption and hardware wear and tear. We've seen other mining schemes in the past, but they've generally been drive-by attacks rather than direct installations (though not exclusively).
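The two defensive ideas in the paragraphs above - recognizing when a string is a wallet address, and spot-checking that what you paste is what you copied - can be shown in code. The following Python is an added example, not code from the article or from any analysis of Clipminer. It validates Bitcoin addresses by their Base58Check checksum and Ethereum addresses by their hex format, and it runs a "substitution" check over a constructed log of clipboard polls. The snapshot format (a flag saying whether the user actually pressed copy, plus the clipboard text) and the sample addresses are assumptions built for the example; reading the real clipboard needs platform APIs and is not included.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ETH_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def base58check_encode(version: int, payload: bytes) -> str:
    """Encode version byte + payload with a 4-byte double-SHA256 checksum."""
    data = bytes([version]) + payload
    checksum = hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    raw = data + checksum
    num = int.from_bytes(raw, "big")
    out = ""
    while num > 0:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is represented by a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def base58check_decode(addr: str):
    """Return (version, payload) if the checksum verifies, else None."""
    num = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) != 25:  # 1 version + 20 hash + 4 checksum
        return None
    data, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4] != checksum:
        return None
    return data[0], data[1:]


def address_kind(text: str):
    """Classify text as 'bitcoin', 'ethereum' or None (not a wallet address)."""
    s = text.strip()
    if ETH_RE.fullmatch(s):
        return "ethereum"
    decoded = base58check_decode(s)
    if decoded and decoded[0] in (0x00, 0x05):  # P2PKH / P2SH mainnet versions
        return "bitcoin"
    return None


def spot_check(intended: str, clipboard: str) -> bool:
    """The manual check the article recommends: does the pasted address match?"""
    return intended.strip() == clipboard.strip()


def detect_substitutions(snapshots):
    """Flag polls where an address changed into another address without a user copy.

    snapshots: list of (user_copied, clipboard_text), in polling order.
    Returns a list of (index, previous_text, new_text) alerts.
    """
    alerts = []
    prev = None
    for i, (user_copied, text) in enumerate(snapshots):
        if (prev is not None and text != prev and not user_copied
                and address_kind(prev) and address_kind(text)):
            alerts.append((i, prev, text))
        prev = text
    return alerts


# Constructed sample data: two addresses built from dummy hash160 payloads.
LEGIT_ADDRESS = base58check_encode(0x00, b"\x01" * 20)
SWAPPED_ADDRESS = base58check_encode(0x00, b"\x02" * 20)
SAMPLE_ETH = "0x" + "ab" * 20

# Constructed clipboard log: the third poll shows the address changing
# with no copy action, which is the hijacker's signature.
SAMPLE_SNAPSHOTS = [
    (True, "meeting notes"),
    (True, LEGIT_ADDRESS),
    (False, SWAPPED_ADDRESS),
    (True, SAMPLE_ETH),
    (True, "0x" + "cd" * 20),
]

if __name__ == "__main__":
    for idx, before, after in detect_substitutions(SAMPLE_SNAPSHOTS):
        print(f"poll {idx}: clipboard silently changed {before} -> {after}")
```

The checksum validation matters for the classifier: a random string of Base58 characters is rejected, so the monitor only alerts on address-to-address changes. Note that a legitimate user copying a second address also produces an address-to-address change, which is why the snapshot carries the "did the user copy" flag; without that signal the only reliable defence is the manual spot-check before sending.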
How does Clipminer get installed?
It would not be easy for a general web user to encounter Clipminer. In fact, it is only people who are engaging in illegal activity that are likely to get this particular hijacker. That is because the software gets installed alongside cracked or pirated software. So, you're not going to get infected just browsing the web or opening an email - these bad actors are targeting other bad actors online. An interesting approach.
Once the infected software gets downloaded to the computer, an attached compressed file containing the hijacker extracts itself and installs a DLL file. That DLL ensures the downloader will start up again the next time the system reboots if the installation is incomplete. Once complete, it renames itself and adds a registry value to ensure it doesn't try to download and install again.
The software, as well as the installation process, are similar to another identified hijacker - KryptoCube. It's unknown if they are the same software or related to one another, but the similarities are important. It is possible that after KryptoCube was identified, the team changed things up a bit and switched to Clipminer. Now that it has been identified, it is likely that the process will restart once again.