Clipper crypto malware targets cryptocurrency users

bitcoin clipper stealer

Users of cryptocurrency are being targeted by the new Laplas Clipper malware using SmokeLoader

Cryptocurrency users are the target of the Spiking Clipper infection. The stealer, clipper, and ransomware families are just a few of the malware families that Cyble Research and Intelligence Labs (CRIL) has been watching closely.

A new clipper malware called Laplas Clipper that targets cryptocurrency users was recently discovered by CRIL, Since October 24, 2022, Cyble has reported finding over 180 Laplas samples, which indicates a widespread deployment.

SmokeLoader is a malware strain that carries popular malware family samples like SystemBC and Raccoon Stealer 2.0. SmokeLoader is a generic loader that has been seen in the public since about 2013. It can distribute additional payloads, like information-stealing malware and other implants, onto compromised devices, It was discovered to deliver a backdoor known as Amadey in July 2022.

Additionally, it has a web panel that enables users to add new wallet addresses as well as view statistics about the number of infected devices and the active wallet addresses used by the adversary. The clipper is capable of working with a variety of wallets, including those for Bitcoin, Ethereum, Bitcoin Cash, Litecoin, Dogecoin, Monero, Ripple, ZCash, Dash, Ronin, Tron, and Steam Trade URL, Clippers are also known as ClipBankers.

The Clipper family of malicious software specifically targets those who use cryptocurrencies. Laplas is an example of clipper malware, which aims to divert a virtual currency transaction meant for a legitimate receiver to one that belongs to the threat actor(TAs). By switching a victim's wallet address with a TAs wallet address, this virus hijacks a bitcoin transaction. When a user tries to send money using their cryptocurrency account, the transaction is forwarded to TAs account rather than the intended recipient. By keeping an eye on the victim's computer's clipboard, which stores copied data, the clipper malware carries out this swap. Every time a user copies something, the clipper checks to see if it includes any cryptocurrency wallet addresses. If it is, the virus swaps it out for the TAs wallet address, causing the user to lose money.

Technical analysis of operation

Laplas is fresh clipper malware that creates a wallet address that resembles the wallet address of the victim. The victim won't notice that the address is different, thereby increasing the likelihood that clipper action will be effective. For analysis, the clipper sample Sha256 with the following hash value was used: e5bc55ce98909742d2f1353b3bc8749ecc71206a5b8fa2e656d2a3ae186c1e63

The malware performed the clipper activities after loading a new module called "build.exe" in memory. To guarantee that only one instance of malware is running on the victim's machine at any given time, the module ("build.exe") first constructs a mutex. The new module is loaded into memory and a mutex is created in the main function.

The clipper then uses the following command line to build a copy of itself in the %appdata% folder and add a task schedule entry for persistence (which runs once every 1 minute for 416 days): The command line argument is "cmd.exe /C schtasks /create /tn 0 /tr "1" /st 00:00 /du 9999:59 /sc once /ri 1 /f"

The virus then first downloads the regex pattern, keeps track of the user's clipboard usage, and uses the downloaded regex pattern to check if the clipboard contains any bitcoin addresses. The following functions are used by the clipper to download a similar TA's wallet address to the remote server if it finds a wallet address in the clipboard data.


The malware retrieves all of the regex patterns from the C&C server using the GetRegex() function. Internally, this function runs SendRequest(), creating the URL below that downloads the regex pattern needed to locate the victim's cryptocurrency wallet address. “hxxp[:]/clipper[.]guru/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34”


By establishing a connection to the URL shown below, which contains the system manual and API key, the malware uses the SetOnline() function to verify that the victim is online. “hxxp[:]//clipper[.]guru/bot/online?guid=DESKTOP-[Redacted] &key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34”


The malware makes advantage of the GetAddress() method to create the URL below using the API key and wallet address of the victim. The virus then establishes a connection to the newly created URL in order to download related TAs cryptocurrency wallet addresses from the distant server. “hxxp[:]/clipper[.]guru/bot/get?address=0x5B28638188D7D9be3cAfE4EB72D978a909a70466&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34”

Final step

The victim's clipboard activity is actively monitored by the clipper, which replaces the wallet address anytime it notices that the victim is attempting to copy any wallet addresses for use in cryptocurrency transactions. As a result, the transaction is forwarded to TA's wallet address.


TAs are actively updating Smoke Loader, a well-known, extremely adaptable malware. It is modular malware, which means it may download other malware for enhanced functionality and receive new execution instructions from C&C servers. In this instance, the TAs employ three distinct malware families for nefarious motives including financial gain.

The RecordBreaker is a revived version of Raccoon Stealer that is used to steal confidential information, and the SystemBC is a versatile threat that combines proxy and remote access trojan characteristics.