Pioneer in Malware Detections & Mitigations


Protect Your Sensitive Data: Examining the Risks and Dangers of Clipboard Hijacking in Copy-Paste Scams

The Emergence of Clipboard Injection Attacks:

Clipboard injection attacks have emerged as a threat to cryptocurrency and banking users. This technique, which is more than a decade old, relies on malware replacing part of the clipboard contents once it detects a wallet address in it.

Despite the attack being fundamentally simple, it harbors more danger than would seem. This blog post will delve into clipboard injection attacks, including their nature of work, malware execution, and how Scrutiny engine can detect all attacks at an early stage with reliability.

Clipboard injection attacks are not new, as they started with banking trojans that targeted specific banks in 2013 by replacing bank account numbers in the clipboard.
The use of regular expressions is a common technique used by malware developers to scan through large amounts of data and find specific patterns. In this case, the malware is scanning for wallet IDs, which are used to transfer funds from one account to another.

How Clipboard Injection Attacks Work:

The attack works by inserting malware into the victim's device, which then monitors the clipboard for specific data, such as cryptocurrency wallet addresses, bank account numbers, or login credentials.

Once the malware detects the desired information in the clipboard, it replaces it with fraudulent data, redirecting the victim's funds to the attacker's account. This tactic has been widely used by hackers to carry out various types of scams, including cryptocurrency theft, identity theft, and financial fraud.

Malware installed with Enigma packer v4.0
Malware integrates into Windows clipboard viewers
Malware scans clipboard for regular expressions
If match found, replace with random address
Hardcoded list of thousands of replacement addresses.

Since then, hackers have found various ways to exploit the copy-paste function for stealing sensitive data. US bank account numbers, IBANs, SWIFT/BIC codes, credit card numbers, social security numbers, Canadian social insurance numbers, UK national insurance numbers, and even PayPal account emails are all at risk.

US bank account number: \b\d{9}\b
IBAN (International Bank Account Number): \b[A-Z]{2}\d{2}[A-Z]{4}\d{7}([A-Z\d]?){0,16}\b
SWIFT/BIC code: \b[A-Z]{6}[A-Z\d]{2}([A-Z\d]{3})?\b
Credit card number: \b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b
Social Security number (US): \b\d{3}[- ]?\d{2}[- ]?\d{4}\b
Canadian Social Insurance Number: \b\d{3}[- ]?\d{3}[- ]?\d{3}\b
UK National Insurance Number: \b[A-Z]{2}\d{6}[A-Z]?\b
PayPal account email: \b[A-Za-z\d._%+-]+@[A-Za-z\d.-]+.[A-Za-z]{2,}\b

Adding increased value of cryptocurrencies made it a very lucrative target. This is where the first clipboard attacks on cryptocurrency owners began to emerge. Hackers would replace the wallet addresses in the clipboard with their own, resulting in the victim transferring their cryptocurrency into the attacker's wallet.

(^|\s)1[1-9A-HJ-NP-Za-km-z]{25,34}($|\s) – Bitcoin (P2PKH)
(^|\s)3[1-9A-HJ-NP-Za-km-z]{25,34}($|\s) – Bitcoin (P2SH)
(^|\s)bcrt1[ac-hj-np-z02-9]{7,71}($|\s) – Bitcoin (Bech32)
(^|\s)X[1-9A-HJ-NP-Za-km-z]{24,34}($|\s) – Ripple
(^|\s)0x([A-Fa-f0-9]{40})\b – Ethereum
(^|\s)[TM]{1}[a-zA-Z0-9]{33}($|\s) – Tether
(^|\s)N[1-9A-HJ-NP-Za-km-z]{32,33}($|\s) – NEM
(^|\s)bnb[1-9A-HJ-NP-Za-km-z]{38}($|\s) – Binance Coin

Once the malware identifies a cryptocurrency wallet address, it replaces it with an address that is controlled by the attacker. The replacement address is typically a different cryptocurrency wallet that belongs to the attacker. When the user pastes the wallet address into a cryptocurrency transfer, the transaction is sent to the attacker's wallet instead of the intended recipient.

The hexdump of the malware data reveals the use of regular expressions and replacement wallet IDs to hide the malicious code's true purpose.

This technique is effective because it does not require the malware to actively communicate with a remote server. It operates entirely within the user's system and relies on the user to perform an action, such as pasting a wallet address into a cryptocurrency transfer. As a result, this technique is difficult to detect by traditional security measures.

Detecting Clipboard Injection Attacks:

Clipboard injection attacks are a sophisticated form of malware that are difficult to detect using traditional security measures. However, through the use of advanced threat intelligence and simulation intelligence, detecting these attacks is possible.

Threat intelligence involves the collection and analysis of data on emerging threats to identify patterns and behaviors that indicate clipboard injection attacks. This includes analyzing data on malware campaigns, tracking the activities of threat actors, and monitoring vulnerabilities in software and systems.
Simulation intelligence, on the other hand, involves the creation of simulated attack scenarios to test the effectiveness of security measures in detecting and preventing clipboard injection attacks.

Together, these techniques provide a powerful defense against clipboard injection attacks. By staying vigilant and leveraging advanced threat intelligence and simulation intelligence, security teams can detect these attacks early and prevent significant damage to their systems and data.

"https://polyswarm.network/scan/results/file/13d9399c999232ee4fc8b666b68e37ce277d8186c3a25448a5d146c1b7100a8a"

"https://polyswarm.network/scan/results/file/b12de973c65c13c17ec5388f200c1141aa2dbd209bd980399bbefae2d35082dc"

Enigma Packer: A Cryptographic Tool for Malware Protection and Obfuscation


Clipboard injection attacks can also be connected to the Enigma packer, a cryptographic tool commonly used by malware developers. By using clipboard injection attacks in combination with the Enigma packer, cybercriminals can further protect their malicious activities and make it even harder for security software to detect and prevent their attacks.

The Enigma packer employs various cryptography functions, such as AES and RSA, to encrypt the malware code and make it harder to analyze or detect.
The Enigma packer is often sold on underground forums and is popular among malware coders and cybercriminals. It is commonly used in Advanced Persistent Threats (APTs), which are long-term, targeted attacks aimed at stealing sensitive information or disrupting critical infrastructure.

"https://polyswarm.network/scan/results/file/870d5329623782504b91d4b52b1b7905730f28b4cf62873de444921510f1f679"

The Danger of Clipboard Injection Attacks:

Clipboard injection attacks are a type of malware that can remain undetected for long periods of time, posing a significant risk to users' sensitive data. Unlike other malware that is typically discovered through obvious signs of activity or associations with known bad infrastructure, clipboard injectors only activate when certain conditions are met, such as the presence of specific data in the clipboard.

This makes them particularly dangerous, as they can quietly sit on a system for years, waiting for the right opportunity to strike. To protect against clipboard injection attacks, it's essential to use a combination of techniques, including monitoring system activity, using anti-malware software, and employing cryptography to protect sensitive data.
Cryptography functions such as hashing and encryption can be especially effective in protecting against these attacks. By encrypting or hashing sensitive data like wallet IDs, it becomes much more difficult for attackers to read or manipulate the information.
One way to mitigate this type of malware is to verify the accuracy of the wallet address before sending any cryptocurrency. Users can double-check the wallet address by comparing it to a trusted source or using a hardware wallet that displays the address on its screen.
Additionally, implementing two-factor authentication (2FA) can provide an additional layer of security, making it more difficult for attackers to gain access to cryptocurrency wallets.

At Cyberstanc, we understand the risks posed by clipboard injection attacks and can help you protect your sensitive data. Contact us today at [email protected] to learn more about our cybersecurity solutions.