Key Takeaways
- Cyble Research and Intelligence Labs (CRIL) has uncovered an active malware campaign targeting cryptocurrency users.
- In this campaign, the Threat Actors (TA) utilized deceptive websites posing as legitimate cryptocurrency applications, including Metamask, Wazirx, Lunoapp, and Cryptonotify.
- All these malicious sites are distributing the same clipper payload – that CRIL has dubbed “XPhase Clipper” – designed to intercept and modify cryptocurrency wallet addresses copied by users.
- The TA orchestrating this mass campaign primarily focuses on targeting cryptocurrency users worldwide, although a handful of phishing sites have been specifically tailored to exploit Indian and Russian crypto users.
- The malware infection progresses through multiple stages: a zip file containing a malicious executable dropper, VB Script, and Batch script files, followed by the execution of the clipper payload in the form of a DLL file.
- The MetaMask phishing domain utilized in this campaign was connected to an email address that was associated with a phishing campaign back in December 2022. This suggests the possibility of the same threat actor (TA) being responsible for both campaigns.
- The TA is specifically targeting Indian cryptocurrency users through the WazirX phishing site, exploiting the trust associated with the Indian Bitcoin and cryptocurrency exchange.
- The TA created a deceptive YouTube channel with a single video featuring the WazirX phishing site’s URL in its title. This video was copied from a YouTube account with over 150K subscribers, known for cryptocurrency-related content.
Overview
CRIL has identified a malware campaign aimed at cryptocurrency users. In this campaign, Threat Actors (TA) employed deceptive websites masquerading as legitimate cryptocurrency applications. Notably, we encountered several phishing sites targeting users of Metamask, Wazirx, Lunoapp, and Cryptonotify. All these phishing sites are distributing the same clipper payload, which we have named “XPhase Clipper”.
Clipper malware is a type of malicious software designed to intercept and modify data exchanged between the user and a legitimate application or service, in this case, cryptocurrency wallets or exchanges. The primary purpose of clipper malware is to replace cryptocurrency wallet addresses copied by users with addresses controlled by the attacker. When users intend to transfer cryptocurrency funds, they often copy and paste wallet addresses from one application to another. Clipper malware hijacks this process, allowing attackers to redirect funds to their wallets instead of the intended recipients.
In this campaign, we observed the malware infection progressing through several stages. Upon downloading the file from these phishing sites, it arrives as a zip file containing a malicious executable serving as a dropper. This dropper then proceeds to drop a VB Script and a Batch script file onto the system.
Subsequently, it triggers the VB Script to download the XPhase clipper payload and then executes the Batch script to establish persistence and launch the clipper payload. The clipper payload is in the form of a DLL file. The figure below shows the infection chain.
Figure 1 – Infection Chain
Campaign Analysis
During our investigations, we noted several domains, all of which were resolving to the IP address 31[.]31.198[.]206. This IP address is associated with an IP range managed by Reg.Ru Hosting in Russia.
Our research indicated the following phishing sites being used actively in this campaign:
- hxxps://metamaskapp[.]space
The figure below shows the MetaMask phishing site.
Figure 2 – MetaMask Phishing Site
Further investigation into this domain revealed that an email address linked to it – acc@metamaskapp[.]space – was previously utilized in December 2022 during a phishing campaign aimed at harvesting passphrases of Metamask users. The email ID was documented in an article by Fraud News, indicating a potential connection to the same threat actor (TA) responsible for the current campaign.
Figure 3 – Previous Attacks
- hxxps://cryptonotify[.]ru
The figure below shows the CrytpoNotify phishing site. As the default language of this site is Russian, this site is likely meant to target Russian-speaking users.
Figure 4 – Cryptonotify Phishing Site
- hxxps://wazirxapp[.]space/
The figure below shows the WazirX phishing site.
Figure 5 – WazirX Phishing Site
WazirX is an Indian trusted Bitcoin and cryptocurrency exchange. The TA appears to be specifically focusing on Indian cryptocurrency users through the WazirX phishing site. During our investigations, we came across a recently established YouTube channel with only one video currently uploaded.
Interestingly, the title of this video includes the URL of the WazirX phishing site. Upon closer examination, we discovered that the TA had cloned this video from a YouTube account with a substantial subscriber base of over 150,000.
This particular YouTube channel frequently shares content such as videos and shorts pertaining to cryptocurrency topics. It seems that the TA exploited this tactic to potentially entice unsuspecting users into their malicious schemes.
Figure 6 – YouTube Account
- hxxps://lunoapp[.]space/
The figure below shows the phishing site of Luno. Luno is a cryptocurrency exchange platform.
Figure 7 – Luno Phishing Site
- hxxps://coinsbot[.]space/
The figure below shows the Coinsbot phishing site.
Figure 8 – CoinsBot Phishing Site
Currently, it’s challenging to make a definitive assessment of the coinsbot site. While its URL suggests a potential targeting of CoinSpot users, the user interface of this phishing site closely resembles that of the TradeSanta site.
You can see our comparison of both URLs below.
Figure 9 – URL Comparison
- Furthermore, there is another domain, “coinbaseapp[.]space”, which resolved to the same IP address. While this domain appears to have been created to target cryptocurrency users, it currently lacks any content. We suspect that this domain may also be associated with the same campaign.
Technical Analysis
When a user downloads applications from the above-mentioned phishing sites, they receive a Zip file containing three components:
- The logo of the targeted Crypto application: This component is designed to deceive users by mimicking the branding of legitimate crypto applications.
- A fake Software License Text File: Within the Zip file is a text file that presents itself as a software license. However, it is entirely fabricated and aims to give a sense of legitimacy to the malicious content.
- A disguised executable file: Concealed within the Zip file is an executable file masquerading as a genuine crypto application. However, this file is malicious and acts as a dropper.
All these phishing sites are delivering XPhase Clipper. The figure below shows the content of Zip files.
Figure 10 – Content of Zip Files
For this analysis, we have examined the file downloaded from the domain wazirxapp[.]space. The executable file named WazirXv23.exe, as mentioned in the above image, has been identified as dropper malware.
The malware infection proceeds through several stages, ultimately leading to the execution of the XPhase clipper payload. The figure below shows the process tree.
Figure 11 – Process Tree
When executed by the user, this WazirXv23.exe file drops two additional files into the %temp% directory of the victim’s machine. The embedded files are as follows:
- runsys64.vbs
- runsys64.bat
The figure below shows the embedded files.
Figure 12 – Embedded Files
The figure below shows the files dropped in the %temp% directory.
Figure 13 – Dropped Files
The clipper employs a deceptive tactic where it displays a fake error message to distract users as it proceeds with its malicious operations in the background. The error message falsely indicates a compatibility issue, suggesting that the executable cannot run on the victim’s system. This acts as camouflage for the malware and effectively draws attention away from its malicious operations.
Figure 14 – Error Message
Afterward, the dropper file executes the “runsys64.vbs” file using the following command:
“C:\Windows\System32\wscript.exe”
C:\Users\User_Name\AppData\Local\Temp\\runsys64.vbs
This VBS file is designed to download XPhase clipper from “hxxps[:]//wazirxapp[.]space/app/sysrun[.]dll”. It creates a folder named “sysupdates” in the %temp% directory and saves the clipper payload named runsys64.dll to it. The figure below shows the GET request.
Figure 15 – GET Request
This VBS script ensures that the XPHase clipper gets downloaded once by checking if the file with the same name already exists in the folder created above. By checking for the existence of the file, the malware ensures that it doesn’t repeatedly download the same file.
The figure below shows the VBS script.
Figure 16 – VBS Script (runsys64.vbs)
Now VBS script executes the batch script named “runsys64.bat”. This batch script sets up and executes the following command to add a registry entry for running the clipper payload on system startup. This is often seen in malware as a persistence mechanism to execute malicious code automatically on system boot.
- reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v SoftwareUpdates /t REG_SZ /d “rundll32 “C:\Users\User-Name\AppData\Local\Temp\sysupdates\runsys64.dll”,runsys64″ /f
Then, it runs the Clipper payload using Rundll32. The figure below shows the batch script.
Figure 17 – Batch Script (runsys64.bat)
The batch script executes the following command:
“C:\Users\User_Name\AppData\Local\Temp\sysupdates\runsys64.dll”,runsys64
This command executes the XPhase clipper payload and invokes the runsys64 function. The XPhase clipper payload is a 32-bit C++ compiled DLL file.
The runsys64 function includes the following regex patterns to target cryptocurrency addresses:
| Cryptocurrency | Regular Expression |
| Bitcoin (BTC) | ^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$ |
| Ethereum (ETH) | ^0x[a-fA-F0-9]{40,42}$ |
| Tether (USDT) | ^T[A-Za-z1-9]{33} |
| Dogecoin (DOGE) | ^(D|9)[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$ |
These patterns are used to identify and replace crypto addresses found in the clipboard content with the TA’s crypto address.
It then enters a continuous loop where it retrieves the data of the clipboard using get_clipboard_content(). Upon finding a match, it replaces the user’s crypto address with TA’s crypto address by making a call to the set_clipboard_content() function. The figure below shows the hardcoded crypto addresses.
Figure 18 – TAs crypto addresses
The function then sleeps for 0.5 seconds before repeating the process. This looping mechanism allows for the continuous monitoring and potential manipulation of clipboard content, particularly targeting cryptocurrency-related data.
Figure 19 – runsys64 function.
Conclusion
This malware campaign targeting cryptocurrency users carries significant consequences across multiple fronts. Victims risk substantial financial loss as the clipper payload intercepts and modifies cryptocurrency wallet addresses, redirecting funds to the attackers’ wallets.
The TA behind the campaign exhibits a certain level of sophistication, employing deceptive websites posing as legitimate cryptocurrency applications to lure victims. Targeting Indian cryptocurrency users through platforms like WazirX suggests a specific focus on lucrative markets, indicative of regional knowledge or interests.
The TA’s persistence is evident through the reuse of domains associated with email addresses and tactics from previous phishing endeavors, highlighting adaptability and resourcefulness in sustaining campaigns over time. By leveraging content from reputable YouTube accounts with substantial subscriber bases, the TA demonstrates resourcefulness in propagating their malicious activities.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Do not download applications from unknown sources.
- Utilize endpoint detection and response (EDR) solutions to detect and block malicious activities on endpoints, such as the execution of suspicious files or attempts to modify system settings.
- Monitor network traffic for suspicious activity, such as connections to known malicious IP addresses or domains associated with the campaign.
- Employ behavioral analysis techniques to identify anomalous behavior indicative of malware infection, such as unusual file downloads, registry modifications, or clipboard manipulation.
MITRE ATT&CK® Techniques
| Tactic | Technique | Procedure |
| Resource Development (TA0042) | Establish Accounts (T1585) | Uses YouTube account for spreading the malicious URL |
| Initial Access (TA0001) | Phishing (T1566) | This malware reaches users via phishing sites. |
| Execution (TA0002) | User Execution (T1204) | The user needs to manually execute the file downloaded from the phishing site. |
| Execution (TA0002) | Command and Scripting Interpreter: Visual Basic (T1059.005) |
Uses Visual Basic Script to execute the batch script. |
| Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | Uses batch script to execute the clipper payload. |
| Persistence (TA0003) | Boot or Logon Autostart Execution (T1547.001) | Uses Registry run keys. |
| Defense Evasion (TA0005) | Masquerading (T1036.008) | Downloads file disguised as a legitimate application. |
| Collection (TA0009) | Clipboard Data (T1115) | Monitors clipboard data and replaces crypto address with their address. |
| Impact (TA0040) | Financial Theft (T1657) | Swaps crypto address to transfer funds to TA’s crypto address. |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type |
Description |
| hxxps://metamaskapp[.]space hxxps://cryptonotify[.]ru hxxps://wazirxapp[.]space/ hxxps://lunoapp[.]space/ hxxps://coinsbot[.]space/ |
URL | Phishing Sites |
| c69045a04115dabc6fe35ce6429f46f867eba680f3c863ff920daa9d1480e7a1 e116fa2900a6e0f1aa448be9dacd06ffa84f2adb48f03ad5c5b02fb1fb29f0b3 1a4e8c51f4673c52677707f42437a181572715719763ebd5e841e07bd78b6003 ef28d77d1719b65fffa8849b36e7f96ba239021b0a5eebf441af21cc7dabaa25 8ba85e0f0b7edddb4c2facadfde7b25162481c24944fced9901f8a86c0df8d72 |
SHA256 | Dropper |
| 3bd57de116ae8a4f7dc69ac6fa73358e2063ea2b9c90fcb5886c3ccd35f5c524 | SHA256 | XPhase Clipper |
| 6c8dc2c77bd5a4776348f7c63b81b3c9c1a521eda3099d19c3014db7a246bdde | SHA256 | runsys64.bat |
| e6be2e040d1c7e3c745e3c53d85aa141b936a8269ca165daeb85dc49c06c07a | SHA256 | runsys64.vbs |
| 31[.]31.198[.]206 | IP | Malicious IP |
Yara Rule
rule XPhase_Clipper{ meta:
author = "Cyble Research and Intelligence Labs"
description = "Detects XPhase Clipper"
date = "2024-02-07"
os = "Windows"
strings:
$a1 = "runsys64" fullword ascii
$a2 = "get_clipboard_content" fullword ascii
$a3 = "set_clipboard_content" fullword ascii
$a4 = "Replaced Matching Address" fullword nocase
condition:
uint16(0) == 0x5A4D and all of them
}
