September 22, 2023

Risk analysts have found a big operation of a brand-new cryptocurrency mining malware referred to as Clipminer that introduced its operators at the least $1.7 million from transaction hijacking.

Clipminer relies on the KryptoCibule malware. Each trojan deals with stealing wallets, hijacking transactions, and mining cryptocurrency on contaminated machines.

The brand new trojan is known as Clipminer by safety researchers who mapped its operation, which had ballooned in dimension by the point of its discovery. Symantec discovered 4375 cryptocurrency pocket addresses believed to have acquired stolen funds.


Clipminer drops on the host system as a WinRAR archive and extracts routinely to launch a management panel (.CPL) file that downloads a dynamic hyperlink library (.DLL). The DLL creates a brand-new registry worth and locations itself on “C:\WindowsTemp” below a random file identify. Its objective is to profile the host and obtain and set up the Clipminer payload from the Tor community.

The system ID is shipped to the command and management server (C2) by way of an HTTP GET request over Tor, and a 10MB payload is acquired to “C:\ProgramData”, or “C:\Program Recordsdata (x86)”, or “[USERPROFILE]AppDataLocal”.

Upon execution, the malware creates scheduled duties for persistence and likewise creates an empty registry key, probably as an infection marker to forestall re-infecting the identical host, the researcher’s word in a report right this moment.

The payload begins a v3 Onion Service with a novel tackle and screens all keyboard and mouse exercises on the host machine. It additionally checks operating processes to determine any evaluation instruments.

Clipminer begins an XMRig Monero miner configured to make use of all accessible CPU threads. For the reason that machine is unsupervised, there isn’t any threat of system efficiency slowdowns freely giving the infection.

Subsequently, the malware continually screens the clipboard for copied cryptocurrency addresses and replaces them on-the-fly with others belonging to the attacker, thus diverting funds.


Symantec says the primary samples of Clipminer began circulating around January 2021, whereas the malicious exercise picked up the tempo in February. Since then, the malware has been distributed by way of sport and pirated software program cracks, and unfold on P2P networks, torrent indexers, or YouTube movies.

Downloading software programs from obscure sources reduces the possibility of getting contaminated with Clipminer or different malware. To guard yourself against any clipboard hijacker, verify the pasted cryptocurrency pockets tackle earlier than initiating the transaction.

Leave a Reply

%d bloggers like this: