ClipBanker

Banker

⚠️ Overview

ClipBanker is a specialized information-stealing malware first documented by researchers at Zscaler in 2021, focusing on hijacking clipboard content to steal cryptocurrency transactions. It operates as a Trojan-Banker variant, primarily targeting users of cryptocurrency wallets and exchange platforms by replacing copied wallet addresses with attacker-controlled addresses. The malware is typically distributed via malvertising, fake browser extensions, and phishing campaigns, with no single attributed threat group, though multiple variants have been linked to Russian-speaking cybercriminal forums.

🔧 Technical Capabilities

ClipBanker achieves persistence by modifying Windows Registry run keys (e.g., HKCUSoftwareMicrosoftWindowsCurrentVersionRun) and using scheduled tasks. It monitors the system clipboard for cryptocurrency address patterns (e.g., Bitcoin, Ethereum, Monero) using regex matching, then replaces them with attacker-owned addresses from embedded configuration or C2 commands. The malware communicates over HTTPS to a remote server, often using a simple JSON-based protocol to exfiltrate clipboard data and receive updated replacement wallets. For evasion, it uses obfuscated PowerShell droppers, injects into legitimate processes like explorer.exe or svchost.exe, and avoids detection by checking for sandbox or debugger environments via API calls like IsDebuggerPresent. Some variants employ code signing certificates stolen from legitimate developers to bypass security checks.

📜 History & Notable Incidents

The first major public analysis of ClipBanker was published by Zscaler ThreatLabz in March 2021, detailing a campaign distributing the malware through fake cryptocurrency trading sites. In 2023, a notable incident involved a variant targeting Binance Smart Chain users, replacing BEP-20 token addresses during copy-paste operations. No specific CVEs have been assigned to ClipBanker itself, but it leverages common vulnerabilities in browser extensions and phishing lures; however, associated crypter and dropper tools have been linked to exploits like CVE-2021-26411 (Internet Explorer 0-day) in earlier distribution chains. Law enforcement has not taken direct action against ClipBanker operators, though takedowns of related botnets (e.g., Emotet) have disrupted its delivery infrastructure.

🔍 Detection Indicators

Known file hashes for ClipBanker samples include SHA256 5f6e7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6 (from Zscaler's 2021 report). Behavioral indicators include repeated clipboard API monitoring (GetClipboardData, SetClipboardData) and suspicious registry modifications under Run and RunOnce. Network IOCs often involve HTTPS POST requests to domains mimicking cryptocurrency services (e.g., api-blockchain[.]com or wallet-update[.]net). A known mutex name is ClipBankerMutex used to prevent multiple instances. User-Agent strings commonly resemble Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 but with slight anomalies in the version number.

☠️ Risk & Impact

The primary impact of ClipBanker is financial theft, where victims unknowingly send cryptocurrency to attacker wallets instead of intended recipients, resulting in irreversible losses. The malware has affected retail cryptocurrency investors, exchanges, and decentralized finance (DeFi) users, with reported losses exceeding $1.5 million in aggregated campaigns tracked by 2023. Affected sectors include personal finance, blockchain technology, and e-commerce, with higher risk during periods of high crypto market activity.

🛡️ Mitigation

Mitigation strategies include using hardware wallets with verification screens, avoiding copy-paste of addresses from untrusted sources, and deploying endpoint detection rules that flag clipboard API hooking or suspicious registry modifications. Organizations should implement application control to block unsigned executables and regularly update anti-malware signatures covering ClipBanker variants (e.g., Zscaler and Microsoft Defender detections). User education on verifying wallet addresses manually before transaction finalization is critical to prevent automated replacement.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.