Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Clipboard Data

Adversaries may collect data stored in the clipboard from users copying information within or between applications. For example, on Windows adversaries can access clipboard data by using clip.exe or Get-Clipboard.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., Transmitted Data Manipulation).(Citation: mining_ruby_reversinglabs) macOS and Linux also have commands, such as pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)

ID: T1115
Tactic(s): Collection
Platforms: Linux, macOS, Windows
Data Sources: Command: Command Execution, Process: OS API Execution
Version: 1.2
Created: 31 May 2017
Last Modified: 14 Apr 2023

Procedure Examples

Name Description
Agent Tesla

Agent Tesla can steal data from the victim’s clipboard.(Citation: Talos Agent Tesla Oct 2018)(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)

APT39

APT39 has used tools capable of stealing contents of the clipboard.(Citation: Symantec Chafer February 2018)

RTM

RTM collects data from the clipboard.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)

SILENTTRINITY

SILENTTRINITY can monitor Clipboard text and can use `System.Windows.Forms.Clipboard.GetText()` to collect data from the clipboard.(Citation: Github_SILENTTRINITY)

DarkComet

DarkComet can steal data from the clipboard.(Citation: Malwarebytes DarkComet March 2018)

Astaroth

Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries. (Citation: Cybereason Astaroth Feb 2019)

TinyZBot

TinyZBot contains functionality to collect information from the clipboard.(Citation: Cylance Cleaver)

Empire

Empire can harvest clipboard data on both Windows and macOS systems.(Citation: Github PowerShell Empire)

Attor

Attor has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs.(Citation: ESET Attor Oct 2019)

Remcos

Remcos steals and modifies data from the clipboard.(Citation: Riskiq Remcos Jan 2018)

VERMIN

VERMIN collects data stored in the clipboard.(Citation: Unit 42 VERMIN Jan 2018)

During Operation Wocao, threat actors collected clipboard data in plaintext.(Citation: FoxIT Wocao December 2019)

CHIMNEYSWEEP

CHIMNEYSWEEP can capture content from the clipboard.(Citation: Mandiant ROADSWEEP August 2022)

KONNI

KONNI had a feature to steal data from the clipboard.(Citation: Talos Konni May 2017)

Remexi

Remexi collects text from the clipboard.(Citation: Securelist Remexi Jan 2019)

MacSpy

MacSpy can steal clipboard contents.(Citation: objsee mac malware 2017)

Cadelspy

Cadelspy has the ability to steal data from the clipboard.(Citation: Symantec Chafer Dec 2015)

Koadic

Koadic can retrieve the current content of the user clipboard.(Citation: Github Koadic)

CosmicDuke

CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.(Citation: F-Secure Cosmicduke)

Clambling

Clambling has the ability to capture and store clipboard data.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)

DarkTortilla

DarkTortilla can download a clipboard information stealer module.(Citation: Secureworks DarkTortilla Aug 2022)

Metamorfo

Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)

Machete

Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)

JHUHUGIT

A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.(Citation: Unit 42 Playbook Dec 2017)

ROKRAT

ROKRAT can extract clipboard data from a compromised host.(Citation: Volexity InkySquid RokRAT August 2021)

MgBot

MgBot can capture clipboard data.(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2023)

Grandoreiro

Grandoreiro can capture clipboard data from a compromised host.(Citation: IBM Grandoreiro April 2020)

Helminth

The executable version of Helminth has a module to log clipboard contents.(Citation: Palo Alto OilRig May 2016)

Catchamas

Catchamas steals data stored in the clipboard.(Citation: Symantec Catchamas April 2018)

jRAT

jRAT can capture clipboard data.(Citation: Kaspersky Adwind Feb 2016)

Explosive

Explosive has a function to use the OpenClipboard wrapper.(Citation: CheckPoint Volatile Cedar March 2015)

APT38

APT38 used a Trojan called KEYLIME to collect data from the clipboard.(Citation: FireEye APT38 Oct 2018)

DarkGate

DarkGate starts a thread on execution that captures clipboard data and logs it to a predefined log file.(Citation: Ensilo Darkgate 2018)

Zeus Panda

Zeus Panda can hook GetClipboardData function to watch for clipboard pastes to collect.(Citation: GDATA Zeus Panda June 2017)

Melcoz

Melcoz can monitor content saved to the clipboard.(Citation: Securelist Brazilian Banking Malware July 2020)

RunningRAT

RunningRAT contains code to open and copy data from the clipboard.(Citation: McAfee Gold Dragon)

Mispadu

Mispadu has the ability to capture and replace Bitcoin wallet data in the clipboard on a compromised host.(Citation: ESET Security Mispadu Facebook Ads 2019)

FlawedAmmyy

FlawedAmmyy can collect clipboard data.(Citation: Korean FSI TA505 2020)

MarkiRAT

MarkiRAT can capture clipboard content.(Citation: Kaspersky Ferocious Kitten Jun 2021)

Operation Wocao

Operation Wocao has collected clipboard data in plaintext.(Citation: FoxIT Wocao December 2019)

TajMahal

TajMahal has the ability to steal data from the clipboard of an infected host.(Citation: Kaspersky TajMahal April 2019)

Mitigations

Mitigation Description
Clipboard Data Mitigation

Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.

References

  1. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  2. rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017.
  3. Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.
  4. Microsoft, JasonGerend, et al. (2023, February 3). clip. Retrieved June 21, 2022.
  5. Maljic, T. (2020, April 16). Mining for malicious Ruby gems. Retrieved October 15, 2022.
  6. CISA. (2021, August 20). Alert (AA21-200B) Chinese State-Sponsored Cyber Operations: Observed TTPs. Retrieved June 21, 2022.
  7. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
  8. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  9. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
  10. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  11. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  12. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  13. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  14. byt3bl33d3r. (n.d.). SILENTTRINITY. Retrieved September 12, 2024.
  15. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  16. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  17. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  18. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  19. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  20. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  21. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  22. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  23. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  24. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  25. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  26. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  27. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  28. Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
  29. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  30. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  31. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  32. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  33. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  34. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  35. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  36. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  37. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  38. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  39. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
  40. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
  41. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
  42. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  43. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
  44. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  45. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
  46. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  47. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  48. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  49. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  50. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  51. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
  52. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  53. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  54. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.