Doppelganger Dilemma: New XPhase Clipper’s Proliferation via Deceptive Crypto Sites and Cloned YouTube Videos
2024-02-07 19:16:15 Author: cyble.com

Key Takeaways 

  • Cyble Research and Intelligence Labs (CRIL) has uncovered an active malware campaign targeting cryptocurrency users. 
  • In this campaign, the Threat Actors (TA) utilized deceptive websites posing as legitimate cryptocurrency applications, including Metamask, Wazirx, Lunoapp, and Cryptonotify. 
  • All these malicious sites are distributing the same clipper payload – that CRIL has dubbed “XPhase Clipper” – designed to intercept and modify cryptocurrency wallet addresses copied by users. 
  • The TA orchestrating this mass campaign primarily focuses on targeting cryptocurrency users worldwide, although a handful of phishing sites have been specifically tailored to exploit Indian and Russian crypto users. 
  • The malware infection progresses through multiple stages: a zip file containing a malicious executable dropper, VB Script, and Batch script files, followed by the execution of the clipper payload in the form of a DLL file. 
  • The MetaMask phishing domain used in this campaign is linked to an email address that was associated with a Metamask phishing campaign in December 2022, suggesting that the same TA may be responsible for both campaigns. 
  • The TA is specifically targeting Indian cryptocurrency users through the WazirX phishing site, exploiting the trust associated with the Indian Bitcoin and cryptocurrency exchange. 
  • The TA created a deceptive YouTube channel with a single video featuring the WazirX phishing site’s URL in its title. This video was copied from a YouTube account with over 150K subscribers, known for cryptocurrency-related content. 

Overview 

CRIL has identified a malware campaign aimed at cryptocurrency users. In this campaign, Threat Actors (TA) employed deceptive websites masquerading as legitimate cryptocurrency applications. Notably, we encountered several phishing sites targeting users of Metamask, Wazirx, Lunoapp, and Cryptonotify. All these phishing sites are distributing the same clipper payload, which we have named “XPhase Clipper”.  

Clipper malware is malicious software that monitors the system clipboard and silently rewrites its contents, in this case cryptocurrency wallet addresses. When users transfer cryptocurrency they typically copy the destination address from one application and paste it into their wallet or exchange; a clipper watches for text that looks like a wallet address and replaces it with an address controlled by the attacker, so that funds are sent to the attacker's wallet instead of the intended recipient. 

In this campaign, we observed the infection progressing through several stages. The file downloaded from these phishing sites is a zip archive containing a malicious executable that serves as a dropper. When run, the dropper writes a VB Script and a Batch script onto the system.  

Subsequently, it triggers the VB Script to download the XPhase clipper payload and then executes the Batch script to establish persistence and launch the clipper payload. The clipper payload is in the form of a DLL file. The figure below shows the infection chain.  

Figure 1 – Infection Chain 

Campaign Analysis 

During our investigations, we noted several domains, all of which were resolving to the IP address 31[.]31.198[.]206. This IP address is associated with an IP range managed by Reg.Ru Hosting in Russia.  

Our research indicated the following phishing sites being used actively in this campaign: 

  • hxxps://metamaskapp[.]space 

The figure below shows the MetaMask phishing site. 

Figure 2 – MetaMask Phishing Site 

Further investigation into this domain revealed that an email address linked to it – acc@metamaskapp[.]space – was previously utilized in December 2022 during a phishing campaign aimed at harvesting passphrases of Metamask users. The email ID was documented in an article by Fraud News, indicating a potential connection to the same threat actor (TA) responsible for the current campaign. 

Figure 3 – Previous Attacks 

  • hxxps://cryptonotify[.]ru  

The figure below shows the CryptoNotify phishing site. As the default language of this site is Russian, it is likely meant to target Russian-speaking users.  

Figure 4 – Cryptonotify Phishing Site 

  • hxxps://wazirxapp[.]space/ 

The figure below shows the WazirX phishing site.  

Figure 5 – WazirX Phishing Site 

WazirX is a well-known Indian Bitcoin and cryptocurrency exchange, and the TA appears to be focusing specifically on Indian cryptocurrency users through this phishing site. During our investigation, we came across a recently created YouTube channel with only one video uploaded.  

The title of this video includes the URL of the WazirX phishing site. On closer examination, we found that the TA had cloned the video from a YouTube account with over 150,000 subscribers.  

That channel regularly publishes videos and shorts on cryptocurrency topics, so the copied content lends the TA's upload a borrowed credibility that may entice unsuspecting viewers to visit the phishing site. 

Figure 6 – YouTube Account 

  • hxxps://lunoapp[.]space/ 

The figure below shows the phishing site of Luno. Luno is a cryptocurrency exchange platform.  

Figure 7 – Luno Phishing Site 

  • hxxps://coinsbot[.]space/ 

The figure below shows the Coinsbot phishing site.  

Figure 8 – CoinsBot Phishing Site 

Currently, it’s challenging to make a definitive assessment of the coinsbot site. While its URL suggests a potential targeting of CoinSpot users, the user interface of this phishing site closely resembles that of the TradeSanta site. 

You can see our comparison of both URLs below. 

Figure 9 – URL Comparison 

  • Furthermore, there is another domain, “coinbaseapp[.]space”, which resolved to the same IP address. While this domain appears to have been created to target cryptocurrency users, it currently lacks any content. We suspect that this domain may also be associated with the same campaign. 

Technical Analysis 

When a user downloads applications from the above-mentioned phishing sites, they receive a Zip file containing three components: 

  • The logo of the targeted Crypto application: This component is designed to deceive users by mimicking the branding of legitimate crypto applications. 
  • A fake Software License Text File: Within the Zip file is a text file that presents itself as a software license. However, it is entirely fabricated and aims to give a sense of legitimacy to the malicious content. 
  • A disguised executable file: Concealed within the Zip file is an executable file masquerading as a genuine crypto application. However, this file is malicious and acts as a dropper.  

All these phishing sites are delivering XPhase Clipper. The figure below shows the content of Zip files.  

Figure 10 – Content of Zip Files 

For this analysis, we examined the file downloaded from wazirxapp[.]space. The executable named WazirXv23.exe, shown in the image above, is the dropper.   

The malware infection proceeds through several stages, ultimately leading to the execution of the XPhase clipper payload. The figure below shows the process tree. 

Figure 11 – Process Tree 

When executed by the user, this WazirXv23.exe file drops two additional files into the %temp% directory of the victim’s machine. The embedded files are as follows: 

  • runsys64.vbs 
  • runsys64.bat 

The figure below shows the embedded files.  

Figure 12 – Embedded Files 

The figure below shows the files dropped in the %temp% directory. 

Figure 13 – Dropped Files 

The dropper displays a fake error message to distract the user while it carries on in the background. The message falsely reports a compatibility problem, claiming the executable cannot run on the victim's system; this gives the user a plausible reason for the "application" never appearing and draws attention away from the scripts that have just been dropped.  

Figure 14 – Error Message 

Afterward, the dropper executes "runsys64.vbs" using the following command: 

  • "C:\Windows\System32\wscript.exe" C:\Users\User_Name\AppData\Local\Temp\\runsys64.vbs

This VBS file is designed to download XPhase clipper from “hxxps[:]//wazirxapp[.]space/app/sysrun[.]dll”. It creates a folder named “sysupdates” in the %temp% directory and saves the clipper payload named runsys64.dll to it. The figure below shows the GET request.  

Figure 15 – GET Request 

This VBS script downloads the XPhase clipper only once: before issuing the request it checks whether a file with the same name already exists in the folder created above, and skips the download if it does. 

The figure below shows the VBS script. 

Figure 16 – VBS Script (runsys64.vbs) 

The VBS script then launches the batch script "runsys64.bat". This batch script runs the following command to add a Run-key entry under HKCU, so that the clipper payload is started automatically every time the user logs on. Registry Run keys are a common persistence mechanism in malware.  

  • reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v SoftwareUpdates /t REG_SZ /d "rundll32 "C:\Users\User-Name\AppData\Local\Temp\sysupdates\runsys64.dll",runsys64" /f 

Then, it runs the Clipper payload using Rundll32. The figure below shows the batch script.  

Figure 17 – Batch Script (runsys64.bat) 

The batch script executes the following command: 

  • rundll32 "C:\Users\User_Name\AppData\Local\Temp\sysupdates\runsys64.dll",runsys64 

This command loads the XPhase clipper DLL and invokes its exported runsys64 function. The payload is a 32-bit DLL compiled from C++. 
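The persistence artifact described above is easy to hunt for. As an added example (not code from Cyble or from the malware), here is a Python triage helper that parses the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and flags any value that launches a DLL through rundll32 from a user-writable directory, which is exactly the shape of the SoftwareUpdates entry. The registry output below is constructed: the SoftwareUpdates line reproduces the value name, DLL path and export name from the page, while the OneDrive and Discord lines are made-up benign entries included for contrast.

```python
import re
from typing import List, Tuple

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output. Only the SoftwareUpdates line follows the XPhase entry; the others are
# invented benign autostarts so the triage has something to ignore.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive           REG_SZ    "C:\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SoftwareUpdates    REG_SZ    rundll32 "C:\Users\User\AppData\Local\Temp\sysupdates\runsys64.dll",runsys64
    Discord            REG_SZ    C:\Users\User\AppData\Local\Discord\Update.exe --processStart Discord.exe
"""

# One value per line, as reg.exe prints it: <name> <REG_type> <data>
VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.+?)\s*$")

# [path\]rundll32[.exe] "<dll>",<export>   (quotes around either part are optional)
RUNDLL32_CMD = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# Directories a standard user can write to. A DLL autostarted from one of these
# is not proof of compromise, but it is where XPhase (and much other malware) lives.
USER_WRITABLE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\Downloads\\|\\Users\\Public\\", re.IGNORECASE
)


def parse_run_values(reg_query_output: str) -> List[Tuple[str, str, str]]:
    """Return (value_name, reg_type, data) for every value line in reg query output."""
    entries = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            entries.append((m["name"], m["type"], m["data"]))
    return entries


def triage_run_key(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Flag Run values that load a DLL via rundll32 from a user-writable directory.

    Returns (value_name, dll_path, export_name) so an analyst can collect the DLL
    and check it against the hashes and YARA rule published for XPhase.
    """
    findings = []
    for name, _, data in entries:
        m = RUNDLL32_CMD.match(data)
        if m and USER_WRITABLE.search(m["dll"]):
            findings.append((name, m["dll"], m["export"]))
    return findings


if __name__ == "__main__":
    for name, dll, export in triage_run_key(parse_run_values(SAMPLE_REG_QUERY)):
        print(f"suspicious Run value {name!r}: rundll32 loads {dll} and calls {export}")
```

On a live host, feed the helper the actual `reg query` output (or the same key read from an offline NTUSER.DAT hive) and treat each finding as a lead, not a verdict: confirm the DLL by hash, by the YARA rule at the end of this post, or by the exported function name.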

The runsys64 function includes the following regex patterns to target cryptocurrency addresses: 

Cryptocurrency   | Regular Expression 
Bitcoin (BTC)    | ^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$ 
Ethereum (ETH)   | ^0x[a-fA-F0-9]{40,42}$ 
Tether (USDT)    | ^T[A-Za-z1-9]{33} 
Dogecoin (DOGE)  | ^(D|9)[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$ 

These patterns are used to identify crypto addresses in the clipboard content and replace them with the TA's address for the matching asset. Two details are worth noting: the "Tether" pattern matches TRON-format (TRC-20) addresses, which is how USDT is commonly held, and the Ethereum pattern accepts 40 to 42 hex digits even though a valid Ethereum address has exactly 40, so the matching is loose rather than strictly validating.  

It then enters a continuous loop where it retrieves the data of the clipboard using get_clipboard_content(). Upon finding a match, it replaces the user’s crypto address with TA’s crypto address by making a call to the set_clipboard_content() function. The figure below shows the hardcoded crypto addresses. 

Figure 18 – TAs crypto addresses 

The function then sleeps for 0.5 seconds before repeating the process. This looping mechanism allows for the continuous monitoring and potential manipulation of clipboard content, particularly targeting cryptocurrency-related data. 

Figure 19 – runsys64 function 
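To make the matching loop above concrete, here is an added example in Python (not code from Cyble or from the malware) that reuses the four patterns exactly as reported, classifies clipboard text the way the clipper's loop would, and then turns the same logic around defensively: a clipper swaps a matching address for an attacker address of the same asset class, so a pasted value that still classifies the same way but no longer equals what the user copied is the signature of a swap. All sample addresses are illustrative strings built to satisfy the patterns, not addresses from the campaign, and the clipboard log is constructed.

```python
import re
from typing import List, Optional, Tuple

# The four patterns exactly as reported in the clipper's runsys64 function.
PATTERNS = {
    "BTC": re.compile(r"^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$"),
    "ETH": re.compile(r"^0x[a-fA-F0-9]{40,42}$"),          # accepts 40-42 hex digits, not only 40
    "USDT": re.compile(r"^T[A-Za-z1-9]{33}"),               # TRON-format address; no trailing '$'
    "DOGE": re.compile(r"^(D|9)[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the asset whose pattern the clipboard text matches, or None.

    This is the decision the clipper makes on every 0.5 s poll: only clipboard
    content that matches one of these patterns gets rewritten.
    """
    for asset, pattern in PATTERNS.items():
        if pattern.match(text):
            return asset
    return None


def detect_swap(copied: str, pasted: str) -> bool:
    """Defensive use of the same patterns: same asset class, different value."""
    kind = classify_address(copied)
    return kind is not None and classify_address(pasted) == kind and copied != pasted


def replay(clipboard_log: List[Tuple[str, str]]) -> List[Tuple[int, Optional[str]]]:
    """Run detect_swap over (copied, pasted) pairs; return (index, asset) of each swap."""
    return [
        (i, classify_address(copied))
        for i, (copied, pasted) in enumerate(clipboard_log)
        if detect_swap(copied, pasted)
    ]


# Constructed sample data: strings shaped to satisfy the patterns, not campaign addresses.
BTC_USER = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
BTC_SWAPPED = "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"
ETH_USER = "0x" + "ab" * 20
USDT_USER = "T" + "A1b2C3d4E5f6G7h8J9k1L2m3N4p5Q6r7S"
DOGE_USER = "D7" + "aBcDeFgHjKmNpQrStUvWxYz123456789"

SAMPLE_LOG = [
    ("meeting at 10am", "meeting at 10am"),  # ordinary text: the clipper never touches it
    (BTC_USER, BTC_USER),                    # address copied and pasted intact
    (BTC_USER, BTC_SWAPPED),                 # address silently replaced in the clipboard
    (ETH_USER, ETH_USER),
]

if __name__ == "__main__":
    for addr in (BTC_USER, ETH_USER, USDT_USER, DOGE_USER, "0x" + "a" * 41, "hello"):
        print(f"{addr[:14]:<16} -> {classify_address(addr)}")
    print("swaps found:", replay(SAMPLE_LOG))
```

Two behaviours of the original patterns show up when you run this: an Ethereum string with 41 or 42 hex digits is still "matched", and because the USDT pattern has no trailing anchor, any clipboard text that begins with a T followed by 33 base58-style characters triggers it, however long it is. Both are consequences of the loose regexes rather than anything the clipper deliberately handles.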

Conclusion 

This malware campaign targeting cryptocurrency users carries significant consequences across multiple fronts. Victims risk substantial financial loss as the clipper payload intercepts and modifies cryptocurrency wallet addresses, redirecting funds to the attackers’ wallets.  

The TA behind the campaign exhibits a certain level of sophistication, employing deceptive websites posing as legitimate cryptocurrency applications to lure victims. Targeting Indian cryptocurrency users through platforms like WazirX suggests a specific focus on lucrative markets, indicative of regional knowledge or interests.  

The TA's persistence is evident in the reuse of an email address tied to an earlier phishing campaign and of the same lure tactics, which points to a capability to sustain campaigns over time. By cloning content from a reputable YouTube account with a substantial subscriber base, the TA also shows resourcefulness in propagating the malicious sites.  

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: 

  • Do not download applications from unknown sources; obtain wallet and exchange software only from the vendor's official site or app store. 
  • Before confirming a transfer, compare the pasted destination address with the one you copied (at least the first and last several characters). A clipper replaces the whole address, so any mismatch is the tell. 
  • Utilize endpoint detection and response (EDR) solutions to detect and block malicious activities on endpoints, such as the execution of suspicious files or attempts to modify system settings. 
  • Monitor network traffic for suspicious activity, such as connections to known malicious IP addresses or domains associated with the campaign. 
  • Employ behavioral analysis techniques to identify anomalous behavior indicative of malware infection, such as unusual file downloads, registry modifications, or clipboard manipulation. 

MITRE ATT&CK® Techniques   

Tactic | Technique | Procedure 
Resource Development (TA0042) | Establish Accounts (T1585) | Uses a YouTube account to spread the malicious URL. 
Initial Access (TA0001) | Phishing (T1566) | The malware reaches users via phishing sites. 
Execution (TA0002) | User Execution (T1204) | The user needs to manually execute the file downloaded from the phishing site. 
Execution (TA0002) | Command and Scripting Interpreter: Visual Basic (T1059.005) | Uses a Visual Basic Script to download the clipper and execute the batch script. 
Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | Uses a batch script to execute the clipper payload. 
Persistence (TA0003) | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) | Uses a Registry Run key. 
Defense Evasion (TA0005) | Masquerading (T1036.008) | Downloads a file disguised as a legitimate application. 
Collection (TA0009) | Clipboard Data (T1115) | Monitors clipboard data and replaces crypto addresses with the TA's address. 
Impact (TA0040) | Financial Theft (T1657) | Swaps crypto addresses to transfer funds to the TA's wallet. 

Indicators of Compromise (IOCs)   

Indicator | Indicator Type | Description 
hxxps://metamaskapp[.]space | URL | Phishing site 
hxxps://cryptonotify[.]ru | URL | Phishing site 
hxxps://wazirxapp[.]space/ | URL | Phishing site 
hxxps://lunoapp[.]space/ | URL | Phishing site 
hxxps://coinsbot[.]space/ | URL | Phishing site 
c69045a04115dabc6fe35ce6429f46f867eba680f3c863ff920daa9d1480e7a1 | SHA256 | Dropper 
e116fa2900a6e0f1aa448be9dacd06ffa84f2adb48f03ad5c5b02fb1fb29f0b3 | SHA256 | Dropper 
1a4e8c51f4673c52677707f42437a181572715719763ebd5e841e07bd78b6003 | SHA256 | Dropper 
ef28d77d1719b65fffa8849b36e7f96ba239021b0a5eebf441af21cc7dabaa25 | SHA256 | Dropper 
8ba85e0f0b7edddb4c2facadfde7b25162481c24944fced9901f8a86c0df8d72 | SHA256 | Dropper 
3bd57de116ae8a4f7dc69ac6fa73358e2063ea2b9c90fcb5886c3ccd35f5c524 | SHA256 | XPhase Clipper (runsys64.dll) 
6c8dc2c77bd5a4776348f7c63b81b3c9c1a521eda3099d19c3014db7a246bdde | SHA256 | runsys64.bat 
e6be2e040d1c7e3c745e3c53d85aa141b936a8269ca165daeb85dc49c06c07a | SHA256 | runsys64.vbs 
31[.]31.198[.]206 | IP | Malicious IP hosting the phishing domains 

Yara Rule

rule XPhase_Clipper
{
    meta:
        author = "Cyble Research and Intelligence Labs"
        description = "Detects XPhase Clipper"
        date = "2024-02-07"
        os = "Windows"

    strings:
        $a1 = "runsys64" fullword ascii
        $a2 = "get_clipboard_content" fullword ascii
        $a3 = "set_clipboard_content" fullword ascii
        $a4 = "Replaced Matching Address" fullword nocase

    condition:
        uint16(0) == 0x5A4D and all of them
}

Article source: https://cyble.com/blog/doppelganger-dilemma-new-xphase-clippers-proliferation-via-deceptive-crypto-sites-and-cloned-youtube-videos/