Cryptocurrency Users Targeted By New Laplas Clipper Malware via SmokeLoader

VTA-00426 – Cryptocurrency Users Targeted By New Laplas Clipper Malware via SmokeLoader

Cryptocurrency users are being targeted by the New Laplas Clipper which is being delivered using Smoke Loader. SmokeLoader’s purpose is to download and load other malware into the victim’s system.It is either distributed via malicious documents such as Word/PDF documents that sent through spam emails, or targeted spear-phishing attacks. Clippers, also known as ClipBankers, is a type of malware that Microsoft refers to as cryware. They are made to steal cryptocurrency by closely monitoring a victim’s clipboard activity and replacing any existing wallet addresses with attacker-controlled addresses.

In a TLS client, this can be triggered by connecting to a malicious server. For the vulnerability CVE-2022-3602, an attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Versions 3.0.0 through 3.0.6 of the library are affected by the new flaws, which has been remediated in version 3.0.7. It’s worth noting that the commonly deployed OpenSSL 1.x versions are not vulnerable.


Attack Surfaces:

Command and Control, Defense Evasion, Discovery, Execution, Persistence, Privilege Escalation

User Execution, Scheduled Task/Job, Process Injection, Software Packing,Process Discovery,Non-Standard Port

Active Defense Tactics:

Active Defense Techniques:

Indicator of Compromise:

SuperPRO’s Threat Countermeasures Procedures: 
1. To add the IOC signature into endpoint security protection as the custom threat detection rules. Refer to the provided IOC to create a custom rule to block the respective File Hashes and Hostname, if necessary.
2. Ensure that the latest security patches have been installed on your device
3. Enable spam/phishing email protection using email security solution
4. Be careful when performing cryptocurrency transaction to ensure there is no changes on the actual wallet addresses.
5. The seeds for wallets should be stored safely and encrypted on any devices.

Contributed by:  hui

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>