Cybercriminals operating the Clipminer botnet have raked in at least $1.7 million in illicit gains to date, according to an estimate by security researchers at Symantec.
Spreading via trojanized cracked or pirated software, the Clipminer trojan shows similarities with the cryptomining trojan KryptoCibule, suggesting that it could be either a copycat or an evolution of the latter.
According to Symantec, Clipminer was first spotted around January 2021, shortly after KryptoCibule was detailed in an ESET research project, suggesting a possible rebranding of the same threat.
Once it has compromised a machine, the malware abuses the machine's resources to mine cryptocurrency, but it also monitors and modifies the clipboard. According to Symantec, when it detects that the user has copied a cryptowallet address, it replaces that address with one belonging to a wallet controlled by the attackers, so that the victim's payment is redirected to them.
“On each clipboard update, it scans the clipboard content for wallet addresses, recognizing address formats used by at least a dozen different cryptocurrencies. […] For the majority of the address formats, the attackers provide multiple replacement wallet addresses to choose from,” Symantec added.
The researchers identified a total of 4,375 unique cryptowallet addresses within the malware, 3,677 of which are used for just three different formats of Bitcoin addresses.
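The substitution step described above is simple enough to model. The following Python is an added illustration, not code from the Clipminer sample or from Symantec's analysis: it recognizes a handful of address formats with loose regular expressions (the three Bitcoin encodings P2PKH, P2SH and bech32 are an assumption about which "three formats" the report means, plus Ethereum), swaps any match for an address drawn from a per-format pool of attacker wallets, and pairs that with the defender-side check a wallet client or clipboard monitor can run: compare the addresses in what was copied against what is about to be pasted. All wallet addresses and clipboard contents below are constructed and only shaped like real ones; nothing touches the system clipboard.

```python
import re
import random
from typing import Dict, List, Optional

# Address formats a clipper scans for. Assumed for this example, not taken
# from the Clipminer sample: the three common Bitcoin encodings plus Ethereum.
ADDRESS_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "btc_p2pkh": re.compile(r"\b1[a-km-zA-HJ-NP-Z1-9]{25,34}\b"),   # legacy "1..."
    "btc_p2sh": re.compile(r"\b3[a-km-zA-HJ-NP-Z1-9]{25,34}\b"),    # script-hash "3..."
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{25,62}\b"),    # segwit "bc1..."
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),                    # Ethereum hex
}

# Constructed attacker-controlled addresses, several per format, mirroring the
# report's note that the operators keep multiple replacement wallets to choose from.
ATTACKER_POOL: Dict[str, List[str]] = {
    "btc_p2pkh": ["1" + "Attacker" * 4, "1" + "Thief" * 6],
    "btc_p2sh": ["3" + "Attacker" * 4],
    "btc_bech32": ["bc1q" + "ac" * 19, "bc1q" + "ad" * 19],
    "eth": ["0x" + "cd" * 20, "0x" + "ef" * 20],
}

# Constructed victim data: a legitimate address and a short clipboard history.
VICTIM_BTC = "1" + "Victim" * 5
VICTIM_ETH = "0x" + "ab" * 20
CLIPBOARD_UPDATES = [
    "Please send 0.5 BTC to " + VICTIM_BTC + " thanks",
    "meeting notes: ship the build on friday",   # no address: must pass through untouched
    VICTIM_ETH,
]


def extract_addresses(text: str) -> Dict[str, List[str]]:
    """Return every address-looking token in text, keyed by format."""
    found: Dict[str, List[str]] = {}
    for fmt, pattern in ADDRESS_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[fmt] = hits
    return found


def hijack(text: str, pool: Dict[str, List[str]],
           rng: Optional[random.Random] = None) -> str:
    """Model of the clipper on one clipboard update: each recognized address is
    replaced by an attacker address of the same format, picked from the pool."""
    rng = rng or random.Random()
    for fmt, pattern in ADDRESS_PATTERNS.items():
        candidates = pool.get(fmt)
        if not candidates:
            continue  # no attacker wallet for this format, so leave it alone
        text = pattern.sub(lambda m, c=candidates: rng.choice(c), text)
    return text


def simulate_session(updates: List[str], pool: Dict[str, List[str]],
                     rng: Optional[random.Random] = None) -> List[str]:
    """Run the clipper over every clipboard update, as the malware hooks each one."""
    return [hijack(u, pool, rng) for u in updates]


def substitution_detected(copied: str, pasted: str) -> bool:
    """Defender-side check: True if the text about to be pasted contains a wallet
    address that was not present in the text the user originally copied."""
    before = extract_addresses(copied)
    after = extract_addresses(pasted)
    for fmt, addrs in after.items():
        if any(a not in before.get(fmt, []) for a in addrs):
            return True
    return False


if __name__ == "__main__":
    for original, tampered in zip(CLIPBOARD_UPDATES, simulate_session(CLIPBOARD_UPDATES, ATTACKER_POOL)):
        flag = "SUBSTITUTED" if substitution_detected(original, tampered) else "clean"
        print(f"[{flag}] {original!r} -> {tampered!r}")
```

The check in `substitution_detected` only works if the defender retains what was copied independently of the clipboard itself (for example, a wallet client remembering the address it rendered), which is why the practical advice of visually comparing the first and last characters of an address before sending still matters: a clipper with a large pool can pick a replacement that begins with the same prefix as the victim's address.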
Symantec found roughly 34.3 Bitcoin and 129.9 Ethereum in some of the addresses controlled by the attackers and said that some other funds had previously been transferred to cryptocurrency mixing services.
“If we include the funds transferred out to these services, the malware operators have potentially made at least $1.7 million from clipboard hijacking alone,” the researchers added.