Cybercriminals operating the Clipminer botnet have raked in at least $1.7 million in illicit gains to date, according to an estimate by security researchers at Symantec.
Spreading via trojanized cracked or pirated software, the Clipminer trojan shows similarities with the cryptomining trojan KryptoCibule, suggesting that it could be either a copycat or an evolution of the latter.
According to Symantec, Clipminer was first spotted around January 2021, shortly after KryptoCibule was detailed in an ESET research project, suggesting a possible rebranding of the same threat.
Once it has compromised a machine, the malware can abuse its resources to mine for cryptocurrency, but it is also capable of modifying clipboard contents. According to Symantec, when it detects that the user has copied a cryptowallet address, it replaces it with the address of a wallet controlled by the attackers, redirecting funds there.
“On each clipboard update, it scans the clipboard content for wallet addresses, recognizing address formats used by at least a dozen different cryptocurrencies. […] For the majority of the address formats, the attackers provide multiple replacement wallet addresses to choose from,” Symantec added.
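The swap behaviour described above can be caught from the defender's side by comparing what the user actually copied with what the clipboard holds later. The following is an added example, not Symantec's code or anything from the Clipminer sample: it recognises three Bitcoin address formats and Ethereum using public format patterns (assumed, not Symantec's list of a dozen currencies) and flags any clipboard read where a copied address has been replaced by a different address of the same format. The clipboard event log and the wallet addresses are constructed placeholders standing in for a real clipboard monitor.

```python
import re

# Address formats recognised here (from public format specs, not Symantec's
# list): three Bitcoin formats plus Ethereum. Shape only, no checksum check.
ADDRESS_FORMATS = {
    "btc_p2pkh": re.compile(r"^1[a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_p2sh": re.compile(r"^3[a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the format name if text looks like a wallet address, else None."""
    text = text.strip()
    for name, pattern in ADDRESS_FORMATS.items():
        if pattern.match(text):
            return name
    return None

def detect_swaps(snapshots):
    """Flag clipboard reads where a copied wallet address was silently replaced.
    snapshots: list of (source, content); "user" marks a copy the user made,
    "poll" a later read of the clipboard with no user action. A poll holding a
    different address of the same format as the last user copy is an alert."""
    alerts, last = [], None
    for source, content in snapshots:
        content = content.strip()
        if source == "user":
            last = (content, classify(content))
        elif last and last[1] and classify(content) == last[1] and content != last[0]:
            alerts.append({"format": last[1], "expected": last[0], "found": content})
    return alerts

# Constructed placeholder addresses (not real wallets) matching the formats above.
ORIG_BTC = "bc1q" + "a" * 38
SWAP_BTC = "bc1q" + "7" * 38
ORIG_ETH = "0x" + "ab" * 20

SAMPLE_SNAPSHOTS = [  # constructed clipboard event log
    ("user", "meeting notes"),  # ordinary text: never flagged
    ("poll", "meeting notes"),
    ("user", ORIG_BTC),         # user copies a Bitcoin address
    ("poll", ORIG_BTC),         # unchanged: fine
    ("poll", SWAP_BTC),         # same format, different address: alert
    ("user", ORIG_ETH),         # Ethereum address, left untouched here
    ("poll", ORIG_ETH),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print("clipboard swap:", alert)
```

A real monitor would feed `detect_swaps` from clipboard change events and tie "user" entries to a keyboard copy or context-menu action, so that a content change with no matching user action stands out.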
The researchers identified a total of 4,375 unique cryptowallet addresses within the malware, 3,677 of which are used for just three different formats of Bitcoin addresses.
Symantec found roughly 34.3 Bitcoin and 129.9 Ethereum in some of the addresses controlled by the attackers and said that some other funds had previously been transferred to cryptocurrency mixing services.
“If we include the funds transferred out to these services, the malware operators have potentially made at least $1.7 million from clipboard hijacking alone,” the researchers added.
