
Clipboard Data

Adversaries may collect data stored in the clipboard from users copying information within or between applications. For example, on Windows adversaries can access clipboard data with the built-in clip.exe utility (which copies command output into the clipboard) or the PowerShell cmdlet Get-Clipboard (which reads it).(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor the clipboard and replace its contents with their own data, for example swapping a copied cryptocurrency wallet address for one they control (see Transmitted Data Manipulation).(Citation: mining_ruby_reversinglabs) macOS and Linux have equivalent commands for reading clipboard contents, such as pbpaste on macOS and xclip or xsel on Linux.(Citation: Operating with EmPyre)

ID: T1115
Tactic(s): Collection
Platforms: Linux, Windows, macOS
Data Sources: Command: Command Execution, Process: OS API Execution
Version: 1.2
Created: 31 May 2017
Last Modified: 15 Apr 2025

Procedure Examples

Name Description
SILENTTRINITY

SILENTTRINITY can monitor Clipboard text and can use `System.Windows.Forms.Clipboard.GetText()` to collect data from the clipboard.(Citation: Github_SILENTTRINITY)

Zeus Panda

Zeus Panda can hook GetClipboardData function to watch for clipboard pastes to collect.(Citation: GDATA Zeus Panda June 2017)

CosmicDuke

CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.(Citation: F-Secure Cosmicduke)

Empire

Empire can harvest clipboard data on both Windows and macOS systems.(Citation: Github PowerShell Empire)

Machete

Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)

FlawedAmmyy

FlawedAmmyy can collect clipboard data.(Citation: Korean FSI TA505 2020)

Mispadu

Mispadu has the ability to capture and replace Bitcoin wallet data in the clipboard on a compromised host.(Citation: ESET Security Mispadu Facebook Ads 2019)

VERMIN

VERMIN collects data stored in the clipboard.(Citation: Unit 42 VERMIN Jan 2018)

MarkiRAT

MarkiRAT can capture clipboard content.(Citation: Kaspersky Ferocious Kitten Jun 2021)

DarkComet

DarkComet can steal data from the clipboard.(Citation: Malwarebytes DarkComet March 2018)

CHIMNEYSWEEP

CHIMNEYSWEEP can capture content from the clipboard.(Citation: Mandiant ROADSWEEP August 2022)

DarkTortilla

DarkTortilla can download a clipboard information stealer module.(Citation: Secureworks DarkTortilla Aug 2022)

ROKRAT

ROKRAT can extract clipboard data from a compromised host.(Citation: Volexity InkySquid RokRAT August 2021)

RunningRAT

RunningRAT contains code to open and copy data from the clipboard.(Citation: McAfee Gold Dragon)

Explosive

Explosive has a function to use the OpenClipboard wrapper.(Citation: CheckPoint Volatile Cedar March 2015)

Clambling

Clambling has the ability to capture and store clipboard data.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)

Agent Tesla

Agent Tesla can steal data from the victim’s clipboard.(Citation: Talos Agent Tesla Oct 2018)(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)

DarkGate

DarkGate starts a thread on execution that captures clipboard data and logs it to a predefined log file.(Citation: Ensilo Darkgate 2018)(Citation: Rapid7 BlackBasta 2024)

Remcos

Remcos steals and modifies data from the clipboard.(Citation: Riskiq Remcos Jan 2018)

Metamorfo

Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)

KONNI

KONNI had a feature to steal data from the clipboard.(Citation: Talos Konni May 2017)

JHUHUGIT

A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.(Citation: Unit 42 Playbook Dec 2017)

Catchamas

Catchamas steals data stored in the clipboard.(Citation: Symantec Catchamas April 2018)

Attor

Attor has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs.(Citation: ESET Attor Oct 2019)

RTM

RTM collects data from the clipboard.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)

Grandoreiro

Grandoreiro can capture clipboard data from a compromised host.(Citation: IBM Grandoreiro April 2020)

XLoader

XLoader can collect data stored in the victim's clipboard.(Citation: Google XLoader 2017)(Citation: Netskope XLoader 2022)

MgBot

MgBot can capture clipboard data.(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2023)

Cadelspy

Cadelspy has the ability to steal data from the clipboard.(Citation: Symantec Chafer Dec 2015)

TajMahal

TajMahal has the ability to steal data from the clipboard of an infected host.(Citation: Kaspersky TajMahal April 2019)

TinyZBot

TinyZBot contains functionality to collect information from the clipboard.(Citation: Cylance Cleaver)

Koadic

Koadic can retrieve the current content of the user clipboard.(Citation: Github Koadic)

Melcoz

Melcoz can monitor content saved to the clipboard.(Citation: Securelist Brazilian Banking Malware July 2020)

Remexi

Remexi collects text from the clipboard.(Citation: Securelist Remexi Jan 2019)

Astaroth

Astaroth collects information from the clipboard by calling the OpenClipboard() and GetClipboardData() Windows API functions.(Citation: Cybereason Astaroth Feb 2019)

jRAT

jRAT can capture clipboard data.(Citation: Kaspersky Adwind Feb 2016)

Helminth

The executable version of Helminth has a module to log clipboard contents.(Citation: Palo Alto OilRig May 2016)

MacSpy

MacSpy can steal clipboard contents.(Citation: objsee mac malware 2017)

Operation Wocao

Operation Wocao has collected clipboard data in plaintext.(Citation: FoxIT Wocao December 2019)

APT39

APT39 has used tools capable of stealing contents of the clipboard.(Citation: Symantec Chafer February 2018)

APT38

APT38 used a Trojan called KEYLIME to collect data from the clipboard.(Citation: FireEye APT38 Oct 2018)

OilRig

OilRig has used infostealer tools to copy clipboard data.(Citation: Symantec Crambus OCT 2023)

Mitigations

Mitigation Description
Clipboard Data Mitigation

Instead of blocking software based on clipboard capture behavior alone, identify potentially malicious software that may contain this functionality, and audit and/or block it with application allowlisting (whitelisting) (Citation: Beechey 2010) tools such as AppLocker (Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)

Detection

Access to the clipboard is a legitimate function of many applications on an operating system, so clipboard access by itself is a weak signal. If an organization chooses to monitor for this behavior (command-line invocations such as Get-Clipboard or pbpaste, and calls to OpenClipboard/GetClipboardData), the data will likely need to be correlated against other suspicious or non-user-driven activity: an unexpected parent process such as an Office application or script host, a hidden or encoded command line, or clipboard reads that recur at a fixed interval, as in the CosmicDuke example above.
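The detection guidance above, together with the command-line indicators named in the technique description (clip.exe, Get-Clipboard, pbpaste), in working form as an added example that is not part of the ATT&CK entry or of SECURITM: a small hunt over process-creation events that flags clipboard access and then raises the score for the correlating signals (suspicious parent, hidden/encoded command, fixed-interval polling). The event field names (ts, host, user, image, parent, cmd), the sample events, the set of "suspicious parent" processes, the Linux xclip/xsel/wl-paste indicators and the jitter tolerance of the polling check are all my assumptions, not anything from the page.

```python
"""Hunt for T1115 clipboard access in process-creation telemetry.

Added example; not from the ATT&CK entry or SECURITM. Event fields
(ts, host, user, image, parent, cmd) are assumed, loosely modelled on
Sysmon Event ID 1, and every event below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Command-line indicators of clipboard access. clip.exe, Get-Clipboard and
# pbpaste come from the technique description; the Linux tools are the usual
# equivalents (assumption). Note clip.exe *writes* command output into the
# clipboard; Get-Clipboard, pbpaste, xclip -o, xsel -o and wl-paste read it.
CLIPBOARD_PATTERNS = {
    "windows_get_clipboard": re.compile(r"\bGet-Clipboard\b", re.I),
    "windows_forms_clipboard": re.compile(r"Windows\.Forms\.Clipboard\b", re.I),
    "windows_clip_exe": re.compile(r"(^|[\\\s|])clip(\.exe)?(\s|$)", re.I),
    "macos_pbpaste": re.compile(r"(^|[/\s|;&])pbpaste\b"),
    "linux_xclip_out": re.compile(r"\bxclip\b.*\s-o\b"),
    "linux_xsel_out": re.compile(r"\bxsel\b.*(\s-o\b|--output)"),
    "linux_wl_paste": re.compile(r"\bwl-paste\b"),
}
# Parents that should not normally spawn a clipboard reader (assumption):
# Office applications, Windows script hosts and macOS osascript.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
                      "osascript"}
HIDDEN_OR_ENCODED = re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b", re.I)


def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event):
    """Names of the clipboard indicators matched by one event's command line."""
    cmd = event.get("cmd", "")
    return [name for name, pat in CLIPBOARD_PATTERNS.items() if pat.search(cmd)]


def find_periodic(events, min_events=3, jitter_s=5.0):
    """(host, user, image) keys whose clipboard reads recur at a near-constant
    interval: the polling pattern the CosmicDuke entry describes (its 30 s
    figure is from the page; min_events and jitter_s are assumptions)."""
    by_key = defaultdict(list)
    for e in events:
        key = (e["host"], e["user"], basename(e["image"]))
        by_key[key].append(datetime.fromisoformat(e["ts"]))
    periodic = set()
    for key, stamps in by_key.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            periodic.add(key)
    return periodic


def hunt(events):
    """Score every clipboard-access event, highest first: 1 for any indicator,
    +2 suspicious parent, +2 fixed-interval polling, +1 hidden/encoded command.
    The weights are arbitrary and only rank the findings."""
    hits = [(e, m) for e, m in ((e, classify(e)) for e in events) if m]
    periodic = find_periodic([e for e, _ in hits])
    findings = []
    for e, matched in hits:
        score, reasons = 1, ["clipboard access via " + ", ".join(matched)]
        parent = basename(e.get("parent", ""))
        if parent in SUSPICIOUS_PARENTS:
            score += 2
            reasons.append(f"spawned by non-interactive parent {parent}")
        if (e["host"], e["user"], basename(e["image"])) in periodic:
            score += 2
            reasons.append("repeats at a fixed interval (polling)")
        if HIDDEN_OR_ENCODED.search(e.get("cmd", "")):
            score += 1
            reasons.append("hidden window or encoded command")
        findings.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                         "image": basename(e["image"]), "score": score,
                         "reasons": reasons})
    findings.sort(key=lambda f: (-f["score"], f["ts"]))
    return findings


def _ev(ts, host, user, image, parent, cmd):
    return {"ts": ts, "host": host, "user": user, "image": image,
            "parent": parent, "cmd": cmd}


# Constructed sample telemetry: an interactive Get-Clipboard, an unrelated
# process, a Word-spawned hidden PowerShell polling every 30 s, an
# osascript-spawned pbpaste, an interactive xclip and a clip.exe write.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXPLORER = r"C:\Windows\explorer.exe"
POLL = ("powershell.exe -w hidden -c Add-Type -AssemblyName System.Windows.Forms; "
        "[Windows.Forms.Clipboard]::GetText()")
EVENTS = [
    _ev("2025-04-15T10:00:00", "WS01", "alice", PS, EXPLORER,
        "powershell.exe -c Get-Clipboard | Out-File notes.txt"),
    _ev("2025-04-15T10:01:00", "WS01", "alice", r"C:\Windows\notepad.exe",
        EXPLORER, "notepad.exe notes.txt"),
    _ev("2025-04-15T10:05:00", "WS02", "bob", PS, WORD, POLL),
    _ev("2025-04-15T10:05:30", "WS02", "bob", PS, WORD, POLL),
    _ev("2025-04-15T10:06:00", "WS02", "bob", PS, WORD, POLL),
    _ev("2025-04-15T10:10:00", "MAC01", "carol", "/usr/bin/pbpaste",
        "/usr/bin/osascript", "pbpaste"),
    _ev("2025-04-15T10:12:00", "LNX01", "dave", "/usr/bin/xclip",
        "/usr/bin/bash", "xclip -selection clipboard -o"),
    _ev("2025-04-15T10:15:00", "WS03", "erin", r"C:\Windows\System32\cmd.exe",
        EXPLORER, "cmd.exe /c ipconfig /all | clip"),
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["score"], f["ts"], f["host"], f["user"], f["image"],
              "; ".join(f["reasons"]))
```

Run as-is, the Word-spawned poller ranks first with all four reasons, the osascript-spawned pbpaste second, and the three interactive uses sit at the base score, which is the point of the Detection guidance: the indicator alone lands every legitimate copy-and-paste in the same bucket as the malware, and only the correlation separates them. In production the keys and weights would be tuned to the environment and the event source mapped to whatever the EDR or Sysmon configuration actually emits.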

References

  1. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  2. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  3. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  4. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  5. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  6. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  7. Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
  8. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  9. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
  10. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  11. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  12. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
  13. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  14. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  15. Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
  16. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  17. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  18. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
  19. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved November 17, 2024.
  20. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
  21. Nart Villeneuve, Randi Eitzman, Sandor Nemes & Tyler Dean, Google Cloud. (2017, October 5). Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. Retrieved March 11, 2025.
  22. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  23. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  24. CISA. (2021, August 20). Alert (AA21-200B) Chinese State-Sponsored Cyber Operations: Observed TTPs. Retrieved June 21, 2022.
  25. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  26. Microsoft, JasonGerend, et al. (2023, February 3). clip. Retrieved June 21, 2022.
  27. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  28. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  29. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  30. McGraw, T. (2024, December 4). Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware. Retrieved December 9, 2024.
  31. Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.
  32. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  33. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
  34. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  35. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  36. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  37. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  38. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
  39. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.
  40. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  41. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  42. byt3bl33d3r. (n.d.). SILENTTRINITY. Retrieved September 12, 2024.
  43. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  44. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  45. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  46. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  47. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  48. rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017.
  49. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  50. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  51. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
  52. Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  53. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  54. Gustavo Palazolo, Netskope. (2022, March 11). New Formbook Campaign Delivered Through Phishing Emails. Retrieved March 11, 2025.
  55. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  56. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  57. Maljic, T. (2020, April 16). Mining for malicious Ruby gems. Retrieved October 15, 2022.
