Clipboard Hijacker Dropped By STOP Ransomware

Recently we have seen multiple droppers dropping infostealers or banking trojans along with ransomware. Few weeks ago our researchers at SonicWall labs observed a clipbanker i.e. Clipboard Hijacker being dropped by djvu(STOP) ransomware.

Behaviour:
The Clipboard Hijacker malware was downloaded from URL hxxp://acacaca[.]org/files/1/build3[.]exe at path <Appdata>\Local\<UuId>\build3.exe. The dropped malware first uses dynamic API resolution to load APIs needed for further operations. It also makes sure that there is no other instance running by creating mutex “M5/610HP/STAGE2”. The name might implicate that this is the next stage of attack after ransomware execution.
It creates self copy at path <AppData>\Roaming\Microsoft\Network\mstsca[.]exe. This self copy is later executed using a scheduled task “Azure-Update-Task”. Task is scheduled to run every minute. The malware terminates itself after completing setting up scheduled task.

Fig 1. Scheduled Task

The mstsca[.]exe does the main clipboard hijacking activity. This again checks for mutex “M5/610HP/STAGE2” to confirm single instance is running at a time. The clipboard data is retrieved using GetClipboardData API. This data is then checked for string terminatore to check for separate strings in data.

Fig 2. String Check

Once found a string, length of string is calculated and cross-checked with the length of desired wallet address lengths.
After confirming desired length it checks for starting characters of the expected wallet addresses. In some cases few wallets have same length but these are differentiated based on initial characters. Below mentioned is the code snippet checking for bitcoin wallet address(Native SegWit addresses start with bc1q).

Fig 3. Bitcoin Wallet Check

This address from the retrieved clipboard is replaced by the address of same cryptocurrency already present in the binary. It continues to check for presence of other addresses till the clipboard data ends.
The replaced wallet addresses are copied to the current clipboard. The clipboard is cleared using EmptyClipboard and then the new data containing malware’s wallet addresses is copied to clipboard using SetClipboardData.

Fig 4. Clipboard Data Replace

After this, it sleeps for very short time and continues to check for clipboard data.

The malware has multiple wallet addresses of different wallets. One of the binance wallet from the list was mentioned in a magazin’s tweet(hxxps://twitter[.]com/westafricaweek/status/1471631329829834753). For this address, we have mentioned last one month’s amount received in below table.

Wallets:

Monero:
42UxohbdHGMYGPvW5Uep45Jt9Rj2WvTV958B5G5vHnawZhA4UwoD53Tafn6GRmcGdoSFUfCQN6Xm37LBZZ6qNBorFw3b6s2
89SPVUAPHDLSq5pRdf8Eo6SLnKRJ8BNSYYnvPL6iJxGP4FBCBmkeV3CTSLCbk6uydxRnub4gLH6TBRycxSAQN2m1KcnhrSZ

Although the malware has smaller functionality it may cause huge financial losses to victims. SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

IOCs:
Stop Ransomware(parent file):
327224ab99915741b54b4e5b836ea8248cf2fe90d2113271422095cea8211d96

Clipboard Hijacker(dropped):
hxxp://acacaca[.]org/files/1/build3[.]exe
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0(build3.exe)

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.