Clipminer Botnet made at least 1.7 Million dollars from crypto mining

Malware gang stole millions by hijacking cryptocurrency transactions

Miner malware made almost 2 million
New malware makes 1.7 million dollars from cryptocurrency transfer hijacks alone

Threat researchers reported the discovery of a large campaign of new malware that has earned its operators more than $1.7 million. The new malware, named Clipminer, focuses on cryptocurrency mining, and it managed to make millions from transaction hijacking.[1] According to the research, this malware has many similarities to another trojan used for cryptocurrency mining – KryptoCibule.[2] Both of these viruses rely on stealing wallets, hijacking payments, and mining cryptocurrency directly on infected machines.

The new malware surprised researchers because of how far the campaign had already grown by the time it was discovered. According to the Symantec team, the operation involved 4375 cryptocurrency wallet addresses that received funds stolen from victims.

Clipminer has proven a successful endeavor, earning its operators a considerable amount of money.

The malicious program is capable of compromising computers and then using the resources of the affected machine to mine cryptocurrency. This trojan can also modify clipboard content and try to redirect crypto transactions made by users on the machine, so that funds go to wallets held by the criminals.[3]

Spreading via trojanized downloads and cracked software

The malware is distributed through trojanized downloads of cracked or pirated applications. Torrent platforms and other pirating[4] services deliver these packages with the malicious Clipminer botnet files inside. The cryptocurrency miner can be dropped on the machine as a WinRAR archive that extracts itself automatically; the extracted control panel file is then launched and downloads a dynamic link library (DLL).

The malicious DLL creates registry values and places the malware in various folders in the Windows directory. Those files are given random names, and a profile of the host is created so that the main miner payload can be downloaded from the Tor network and installed later on.

The host's identification is sent to the C&C server,[5] and a request for the payload is issued. The malware arrives as a 10MB file placed in the Program Files folder. Once the trojan executes successfully, scheduled tasks are created to ensure the persistence of the malware. A registry modification also marks the machine so that the same host is not re-infected.

Mining starts when the user is away

The malware monitors user activity on the host, and when there is none, Clipminer starts an XMRig Monero miner configured to use all available CPU threads. Because users are away and the machine is unsupervised, the slow-downs that would otherwise give away the infection go unnoticed.
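The "mine only while the user is idle" behaviour described above suggests a simple defensive heuristic: sustained high CPU load during periods with no keyboard or mouse input. The following Python script is an added example, not code from the original article or from Symantec's research; it runs that heuristic over a constructed CSV log of per-minute samples (the column names, thresholds and sample values are assumptions made for this example) and returns the time windows that look like idle-time mining.

```python
import csv
import io
from dataclasses import dataclass
from typing import List, Tuple

# Constructed telemetry: one row per minute with the seconds since the last
# user input and the total CPU utilisation. Minutes 9-16 show a host that has
# been idle for over five minutes while the CPU stays pegged, which is the
# pattern the article describes for Clipminer. Minute 3 is a legitimate
# spike while the user is active and must not be flagged.
SAMPLE_LOG = """minute,idle_seconds,cpu_percent
0,2,18.0
1,1,22.5
2,3,35.0
3,2,95.0
4,5,40.0
5,8,20.0
6,60,21.0
7,120,19.5
8,180,20.0
9,300,97.0
10,360,98.5
11,420,99.0
12,480,97.5
13,540,98.0
14,600,96.0
15,660,99.0
16,720,97.0
17,5,30.0
18,30,10.0
19,45,12.0
"""


@dataclass
class Sample:
    minute: int          # minutes since the start of the log
    idle_seconds: int    # seconds since the last keyboard/mouse input
    cpu_percent: float   # total CPU utilisation across all cores


def parse_log(text: str) -> List[Sample]:
    """Parse the CSV telemetry format assumed by this example."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Sample(int(row["minute"]), int(row["idle_seconds"]), float(row["cpu_percent"]))
        for row in reader
    ]


def find_idle_mining_windows(
    samples: List[Sample],
    idle_threshold: int = 300,   # treat the user as "away" after 5 minutes
    cpu_threshold: float = 80.0, # CPU load that is suspicious with nobody at the keyboard
    min_len: int = 3,            # ignore runs shorter than three samples
) -> List[Tuple[int, int]]:
    """Return (first_minute, last_minute) spans that are both idle and CPU-saturated.

    A run is collected while consecutive samples satisfy both conditions and is
    reported only if it is long enough to rule out a brief background job.
    """
    windows: List[Tuple[int, int]] = []
    run: List[Sample] = []
    for s in samples:
        if s.idle_seconds >= idle_threshold and s.cpu_percent >= cpu_threshold:
            run.append(s)
            continue
        if len(run) >= min_len:
            windows.append((run[0].minute, run[-1].minute))
        run = []
    if len(run) >= min_len:  # a run that continues to the end of the log
        windows.append((run[0].minute, run[-1].minute))
    return windows


if __name__ == "__main__":
    for start, end in find_idle_mining_windows(parse_log(SAMPLE_LOG)):
        print(f"possible idle-time mining from minute {start} to minute {end}")
```

On a real host the two columns would come from the operating system's idle timer and CPU counters; the thresholds are starting points and should be tuned against baseline activity such as scheduled backups or updates that also run while the user is away.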

Malware also monitors the clipboard for the copied cryptocurrency addresses, and ongoing transactions can be hijacked by replacing addresses with the ones that belong to attackers. These addresses can be chosen specifically to match the prefix of the address that malware replaces. Payment diversion is common for these financially motivated criminals.
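Because the attacker-controlled address is chosen to share a prefix with the one the user copied, a casual glance at the first few characters does not reveal the swap. The following Python code is an added example, not code from the original article or from Symantec's research, showing how a defensive clipboard check can compare what the user copied with what the clipboard holds at paste time; the address patterns, the sample addresses and the event log format are constructed for this example and match address shape only, not checksums.

```python
import re
from typing import Dict, List, Optional

# Shape-only patterns for the three Bitcoin address formats and Ethereum.
# Base58 (legacy/P2SH) excludes 0, O, I and l; bech32 excludes 1, b, i and o.
ADDRESS_PATTERNS = {
    "btc_p2pkh": re.compile(r"^1[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_p2sh": re.compile(r"^3[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address format name if the text looks like a wallet address."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def shared_prefix_len(a: str, b: str) -> int:
    """Length of the common leading substring of two strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def detect_swap(copied: str, pasted: str) -> Dict[str, object]:
    """Compare the address the user copied with the one about to be pasted."""
    copied, pasted = copied.strip(), pasted.strip()
    result: Dict[str, object] = {
        "copied_kind": classify_address(copied),
        "pasted_kind": classify_address(pasted),
        "swapped": False,
        "shared_prefix": 0,
    }
    # Only a change from one address to a different address counts as a swap.
    if result["copied_kind"] is None or result["pasted_kind"] is None:
        return result
    if copied == pasted:
        return result
    result["swapped"] = True
    result["shared_prefix"] = shared_prefix_len(copied, pasted)
    return result


def scan_clipboard_log(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Replay clipboard events and report reads that differ from the last user copy.

    Each event is {"t": <time>, "source": "user_copy" | "clipboard_read", "text": ...}.
    A "user_copy" records what the user deliberately put on the clipboard; a
    "clipboard_read" is what an application received when the user pasted.
    """
    alerts: List[Dict[str, object]] = []
    last_copy: Optional[str] = None
    for ev in events:
        if ev["source"] == "user_copy":
            last_copy = ev["text"]
        elif ev["source"] == "clipboard_read" and last_copy is not None:
            verdict = detect_swap(last_copy, ev["text"])
            if verdict["swapped"]:
                alerts.append({"t": ev["t"], **verdict})
    return alerts


# Constructed sample: the user copies a legacy Bitcoin address, then a paste
# returns a different address that shares the first eight characters.
USER_ADDRESS = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
LOOKALIKE = "1BvBMSEYkN7v3WqQ5tF2zzZpJr4hU9aM6c"
SAMPLE_EVENTS = [
    {"t": "10:00:01", "source": "user_copy", "text": "meeting notes"},
    {"t": "10:00:05", "source": "clipboard_read", "text": "meeting notes"},
    {"t": "10:02:10", "source": "user_copy", "text": USER_ADDRESS},
    {"t": "10:02:12", "source": "clipboard_read", "text": LOOKALIKE},
]

if __name__ == "__main__":
    for alert in scan_clipboard_log(SAMPLE_EVENTS):
        print(f"{alert['t']}: address replaced after {alert['shared_prefix']} matching characters")
```

The same comparison can be done by hand: check the whole address against the source it was copied from, not just the beginning, before confirming a transfer.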

This malware carries a total of 4375 unique wallet addresses controlled by the criminals behind the Clipminer trojan operations. At least 3677 of them are Bitcoin addresses, covering three address formats. Investigators checked the Bitcoin and Ethereum wallets and found about 34 Bitcoin and 129 Ethereum in them.

Some funds have been transferred to cryptocurrency tumblers or mixing services to obscure the trail back to the original source of the funds. It is believed that the malicious actors made around $1.7 million from the clipboard hijacking alone.

About the author
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
