ClipBanker Trojan Exploits Proxifier Search Terms to Initiate Infection
The Kaspersky research team has identified a Trojan leveraging a long infection chain that begins with searches for “Proxifier,” a legitimate proxy service often used in secured environments. The attackers have crafted a malicious strategy around the genuine Proxifier software developed by VentoByte, misleading users into downloading a Trojan wrapped around the legitimate installer.
The initial infection occurs when users are directed to a GitHub repository containing a harmful executable labeled as a Proxifier installer. This executable manages to insert itself into the user’s system by modifying Microsoft Defender settings, adding exclusions for specific processes and file types. The infection process employs sophisticated techniques, including creating small donor processes to maintain stealth and executing PowerShell scripts to further the attack without leaving significant traces on disk drives.
The infection’s complexity escalates as the Trojan proceeds to download additional payloads hosted on various online resources, including Pastebin and GitHub. This stage of the attack employs a series of power shells and obfuscated scripts to launch the final ClipBanker payload, which primarily focuses on monitoring and modifying clipboard contents to replace cryptocurrency wallet addresses with those controlled by the attackers.
Defensive Context
This type of attack primarily impacts users who may be searching for proxy solutions, particularly in regions where legitimate software is often pirated or obtained from unverified sources. Users of development environments or workers who require proxy services may find themselves at high risk if they do not use trusted sources for software downloads. Conversely, organizations that enforce strict download policies and adequately educate users about malware risks may be less affected.
Why This Matters
The ClipBanker Trojan represents a significant threat to cryptocurrency users, particularly in countries where there is high engagement with blockchain technologies. The infection demonstrates a clear tension between users’ need for legitimate software and the exploitation of that need by malicious actors.
Defender Considerations
Defenders should focus on monitoring user search behaviors related to proxy services and enforcing strict policies on software downloads. Malicious URLs identified in the campaign should be blocked to prevent users from inadvertently reaching harmful sites. Specifically, attention should be paid to the deployment of defense strategies against fileless malware techniques employed by this Trojan.
Indicators of Compromise (IOCs)
Malicious URLs:
- https[:]//pastebin[.]com/raw/FmpsDAtQ
- https[:]//github[.]com/lukecodix/Proxifier/releases/download/4.12/Proxifier.zip
File Hashes:
- 34a0f70ab100c47caaba7a5c85448e3d
- 7528bf597fd7764fcb7ec06512e073e0
- 8354223cd6198b05904337b5dff7772b
This intelligence highlights the necessity for organizations to remain vigilant against emerging threats that exploit common user behaviors and software needs.
