Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
For example, on Windows adversaries can access clipboard data by using clip.exe
or Get-Clipboard
.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., Transmitted Data Manipulation).(Citation: mining_ruby_reversinglabs)
macOS and Linux also have commands, such as pbpaste
, to grab clipboard contents.(Citation: Operating with EmPyre)
Procedure Examples |
|
Name | Description |
---|---|
Agent Tesla |
Agent Tesla can steal data from the victim’s clipboard.(Citation: Talos Agent Tesla Oct 2018)(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020) |
APT39 |
APT39 has used tools capable of stealing contents of the clipboard.(Citation: Symantec Chafer February 2018) |
RTM |
RTM collects data from the clipboard.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019) |
SILENTTRINITY |
SILENTTRINITY can monitor Clipboard text and can use `System.Windows.Forms.Clipboard.GetText()` to collect data from the clipboard.(Citation: Github_SILENTTRINITY) |
DarkComet |
DarkComet can steal data from the clipboard.(Citation: Malwarebytes DarkComet March 2018) |
Astaroth |
Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries. (Citation: Cybereason Astaroth Feb 2019) |
TinyZBot |
TinyZBot contains functionality to collect information from the clipboard.(Citation: Cylance Cleaver) |
Empire |
Empire can harvest clipboard data on both Windows and macOS systems.(Citation: Github PowerShell Empire) |
Attor |
Attor has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs.(Citation: ESET Attor Oct 2019) |
Remcos |
Remcos steals and modifies data from the clipboard.(Citation: Riskiq Remcos Jan 2018) |
VERMIN |
VERMIN collects data stored in the clipboard.(Citation: Unit 42 VERMIN Jan 2018) |
During Operation Wocao, threat actors collected clipboard data in plaintext.(Citation: FoxIT Wocao December 2019) |
|
CHIMNEYSWEEP |
CHIMNEYSWEEP can capture content from the clipboard.(Citation: Mandiant ROADSWEEP August 2022) |
KONNI |
KONNI had a feature to steal data from the clipboard.(Citation: Talos Konni May 2017) |
Remexi |
Remexi collects text from the clipboard.(Citation: Securelist Remexi Jan 2019) |
MacSpy |
MacSpy can steal clipboard contents.(Citation: objsee mac malware 2017) |
Cadelspy |
Cadelspy has the ability to steal data from the clipboard.(Citation: Symantec Chafer Dec 2015) |
Koadic |
Koadic can retrieve the current content of the user clipboard.(Citation: Github Koadic) |
CosmicDuke |
CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.(Citation: F-Secure Cosmicduke) |
Clambling |
Clambling has the ability to capture and store clipboard data.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020) |
DarkTortilla |
DarkTortilla can download a clipboard information stealer module.(Citation: Secureworks DarkTortilla Aug 2022) |
Metamorfo |
Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019) |
Machete |
Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014) |
JHUHUGIT |
A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.(Citation: Unit 42 Playbook Dec 2017) |
ROKRAT |
ROKRAT can extract clipboard data from a compromised host.(Citation: Volexity InkySquid RokRAT August 2021) |
MgBot |
MgBot can capture clipboard data.(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2023) |
Grandoreiro |
Grandoreiro can capture clipboard data from a compromised host.(Citation: IBM Grandoreiro April 2020) |
Helminth |
The executable version of Helminth has a module to log clipboard contents.(Citation: Palo Alto OilRig May 2016) |
Catchamas |
Catchamas steals data stored in the clipboard.(Citation: Symantec Catchamas April 2018) |
jRAT |
jRAT can capture clipboard data.(Citation: Kaspersky Adwind Feb 2016) |
Explosive |
Explosive has a function to use the OpenClipboard wrapper.(Citation: CheckPoint Volatile Cedar March 2015) |
APT38 |
APT38 used a Trojan called KEYLIME to collect data from the clipboard.(Citation: FireEye APT38 Oct 2018) |
DarkGate |
DarkGate starts a thread on execution that captures clipboard data and logs it to a predefined log file.(Citation: Ensilo Darkgate 2018) |
Zeus Panda |
Zeus Panda can hook GetClipboardData function to watch for clipboard pastes to collect.(Citation: GDATA Zeus Panda June 2017) |
Melcoz |
Melcoz can monitor content saved to the clipboard.(Citation: Securelist Brazilian Banking Malware July 2020) |
RunningRAT |
RunningRAT contains code to open and copy data from the clipboard.(Citation: McAfee Gold Dragon) |
Mispadu |
Mispadu has the ability to capture and replace Bitcoin wallet data in the clipboard on a compromised host.(Citation: ESET Security Mispadu Facebook Ads 2019) |
FlawedAmmyy |
FlawedAmmyy can collect clipboard data.(Citation: Korean FSI TA505 2020) |
MarkiRAT |
MarkiRAT can capture clipboard content.(Citation: Kaspersky Ferocious Kitten Jun 2021) |
Operation Wocao |
Operation Wocao has collected clipboard data in plaintext.(Citation: FoxIT Wocao December 2019) |
TajMahal |
TajMahal has the ability to steal data from the clipboard of an infected host.(Citation: Kaspersky TajMahal April 2019) |
Mitigations |
|
Mitigation | Description |
---|---|
Clipboard Data Mitigation |
Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) |
Detection
Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.
References
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017.
- Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.
- Microsoft, JasonGerend, et al. (2023, February 3). clip. Retrieved June 21, 2022.
- Maljic, T. (2020, April 16). Mining for malicious Ruby gems. Retrieved October 15, 2022.
- CISA. (2021, August 20). Alert (AA21-200B) Chinese State-Sponsored Cyber Operations: Observed TTPs. Retrieved June 21, 2022.
- Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
- Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
- Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
- Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
- Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
- Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
- Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- byt3bl33d3r. (n.d.). SILENTTRINITY. Retrieved September 12, 2024.
- Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
- Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
- Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
- Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
- Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
- Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
- Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
- Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
- F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
- Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
- ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
- Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
- Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
- Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
- Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
- Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
- Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
- Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
- Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
- Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
- Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
- GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
- Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
- ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
- Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
- GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
- GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.