Threat researchers have uncovered a large-scale Clipminer operation: a cryptocurrency-mining and clipboard-hijacking trojan that has earned its operators at least $1.7 million by redirecting victims' transactions.
Researchers at Symantec believe Clipminer may be based on the KryptoCibule malware. Both trojans are designed to steal cryptocurrency wallets, hijack transactions by swapping wallet addresses, and mine cryptocurrency on infected machines.
While investigating the operation, Symantec identified 4,375 wallet addresses believed to have received stolen funds. The researchers named the trojan Clipminer after mapping its activity, and the operation has continued to grow since it was first spotted.
How does Clipminer work?
Clipminer arrives on the host as a WinRAR archive that drops a downloader. The downloader profiles the host and then fetches and installs the Clipminer payload over the Tor network.
On execution, the malware creates scheduled tasks for persistence and writes an empty registry key, most likely as an infection marker so that the same host is not infected twice.
The payload then monitors keyboard and mouse activity to tell when the user is idle, and checks for analysis tools running in the background.
When the host is idle, Clipminer launches an XMRig Monero miner configured to use every available CPU thread.
At the same time, the malware watches the clipboard for copied cryptocurrency wallet addresses (bitcoin among them) and silently replaces them with attacker-controlled addresses of the same type, so that the victim pastes the attacker's address and the funds are redirected.
According to Symantec, the first Clipminer samples began circulating in January 2021. The malware is distributed through P2P networks, torrent indexers and YouTube videos, typically bundled with pirated games and software cracks.
To avoid infections like Clipminer, do not download software from untrusted sources. To defeat clipboard hijackers, re-check the wallet address after pasting it and before sending the transaction, comparing the whole string against the intended address rather than only the first and last few characters, since a swapped address can be chosen to look similar.
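The clipboard-swapping behaviour described above, and the "verify the address after pasting" advice, can both be checked mechanically. The following is an added example written for this page; it is not Symantec's code and not derived from any Clipminer sample. It models a small user-mode monitor that records two kinds of events, what the user copied and what the clipboard actually held when it was later read back, and flags any read-back where a copied cryptocurrency address has turned into a different address. All addresses and the event stream are constructed placeholders (syntactically valid, not real indicators), and the address regexes are loose syntactic classifiers, not checksum validators.

```python
"""Clipboard-hijack detection over a recorded clipboard event stream.

Added example for this article, not Symantec's or Clipminer's code.
Event model (what a clipboard hook or polling loop would feed in):
    ("copy", text)  - text the user placed on the clipboard (e.g. Ctrl+C)
    ("read", text)  - what the clipboard actually held when next polled/pasted
A swap is flagged when the last user copy was a wallet address and the
read-back value is a *different* wallet address.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Loose syntactic patterns: enough to classify, not to validate checksums.
ADDRESS_PATTERNS = {
    "btc-base58": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr":        re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def address_kind(text: str) -> Optional[str]:
    """Return the address family the text looks like, or None for ordinary text."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class Swap:
    index: int          # position of the offending "read" event
    copied_kind: str
    observed_kind: str
    copied: str
    observed: str


def detect_swaps(events: Sequence[Tuple[str, str]]) -> List[Swap]:
    """Flag read-backs where a copied wallet address came back as another address.

    Only the most recent user copy is compared against, so a user legitimately
    copying a second address is not a swap; whitespace differences are ignored.
    """
    swaps: List[Swap] = []
    last_copy: Optional[str] = None
    for i, (event, text) in enumerate(events):
        text = text.strip()
        if event == "copy":
            last_copy = text
        elif event == "read" and last_copy is not None:
            copied_kind = address_kind(last_copy)
            observed_kind = address_kind(text)
            # A hijacker substitutes an address it controls, normally of the
            # same family, so both values are addresses and they differ.
            if copied_kind and observed_kind and text != last_copy:
                swaps.append(Swap(i, copied_kind, observed_kind, last_copy, text))
    return swaps


def verify_before_send(intended: str, pasted: str) -> bool:
    """User-side check: the pasted address must match the intended one exactly."""
    return intended.strip() == pasted.strip()


# Constructed placeholder addresses (syntactically valid, not real indicators).
USER_BTC = "1ConstructedDemoAddrAAAAAAAAAA"
ATTACKER_BTC = "3AttackerSwapDemoAddrBBBBBBBBBB"
USER_ETH = "0x" + "deadbeef" * 5
ATTACKER_ETH = "0x" + "cafebabe" * 5
USER_XMR = "4A" + "C" * 93
ATTACKER_XMR = "4B" + "D" * 93

# Constructed event stream: two hijacks, two benign read-backs.
SAMPLE_EVENTS = [
    ("copy", "meeting at 10am"),   # 0
    ("read", "meeting at 10am"),   # 1 ordinary text, untouched
    ("copy", USER_BTC),            # 2
    ("read", ATTACKER_BTC),        # 3 swapped for an attacker address
    ("copy", USER_ETH),            # 4
    ("read", USER_ETH + "\n"),     # 5 same address, only whitespace differs
    ("copy", USER_XMR),            # 6
    ("read", ATTACKER_XMR),        # 7 swapped for an attacker address
    ("copy", ATTACKER_ETH),        # 8 user legitimately copied another address
    ("read", ATTACKER_ETH),        # 9 matches the latest copy, not a swap
]

if __name__ == "__main__":
    for swap in detect_swaps(SAMPLE_EVENTS):
        print(f"event {swap.index}: {swap.copied_kind} address replaced "
              f"({swap.copied[:8]}... -> {swap.observed[:8]}...)")
    print("safe to send:", verify_before_send(USER_BTC, ATTACKER_BTC))
```

On a real host the event list would be fed from a clipboard hook or a polling loop reading the OS clipboard API; the comparison against the last user copy, rather than against the previous poll, is what keeps a user who copies several addresses in a row from triggering false alarms. The `verify_before_send` check is deliberately a full-string comparison: the first and last few characters are exactly what a lookalike attacker address can be chosen to share.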