Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
In Windows, applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command, pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)
Procedure Examples
Name | Description |
---|---|
Agent Tesla | Agent Tesla can steal data from the victim’s clipboard.(Citation: Talos Agent Tesla Oct 2018)(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020) |
APT39 | APT39 has used tools capable of stealing contents of the clipboard.(Citation: Symantec Chafer February 2018) |
RTM | RTM collects data from the clipboard.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019) |
DarkComet | DarkComet can steal data from the clipboard.(Citation: Malwarebytes DarkComet March 2018) |
Astaroth | Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries.(Citation: Cybereason Astaroth Feb 2019) |
TinyZBot | TinyZBot contains functionality to collect information from the clipboard.(Citation: Cylance Cleaver) |
Empire | Empire can harvest clipboard data on both Windows and macOS systems.(Citation: Github PowerShell Empire) |
Attor | Attor has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs.(Citation: ESET Attor Oct 2019) |
Remcos | Remcos steals and modifies data from the clipboard.(Citation: Riskiq Remcos Jan 2018) |
VERMIN | VERMIN collects data stored in the clipboard.(Citation: Unit 42 VERMIN Jan 2018) |
| | During Operation Wocao, threat actors collected clipboard data in plaintext.(Citation: FoxIT Wocao December 2019) |
KONNI | KONNI had a feature to steal data from the clipboard.(Citation: Talos Konni May 2017) |
Remexi | Remexi collects text from the clipboard.(Citation: Securelist Remexi Jan 2019) |
MacSpy | MacSpy can steal clipboard contents.(Citation: objsee mac malware 2017) |
Cadelspy | Cadelspy has the ability to steal data from the clipboard.(Citation: Symantec Chafer Dec 2015) |
Koadic | Koadic can retrieve the current content of the user clipboard.(Citation: Github Koadic) |
CosmicDuke | CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.(Citation: F-Secure Cosmicduke) |
Clambling | Clambling has the ability to capture and store clipboard data.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020) |
Metamorfo | Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019) |
Machete | Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014) |
JHUHUGIT | A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.(Citation: Unit 42 Playbook Dec 2017) |
ROKRAT | ROKRAT can extract clipboard data from a compromised host.(Citation: Volexity InkySquid RokRAT August 2021) |
Grandoreiro | Grandoreiro can capture clipboard data from a compromised host.(Citation: IBM Grandoreiro April 2020) |
Helminth | The executable version of Helminth has a module to log clipboard contents.(Citation: Palo Alto OilRig May 2016) |
Catchamas | Catchamas steals data stored in the clipboard.(Citation: Symantec Catchamas April 2018) |
jRAT | jRAT can capture clipboard data.(Citation: Kaspersky Adwind Feb 2016) |
Explosive | Explosive has a function to use the OpenClipboard wrapper.(Citation: CheckPoint Volatile Cedar March 2015) |
APT38 | APT38 used a Trojan called KEYLIME to collect data from the clipboard.(Citation: FireEye APT38 Oct 2018) |
Zeus Panda | Zeus Panda can hook GetClipboardData function to watch for clipboard pastes to collect.(Citation: GDATA Zeus Panda June 2017) |
Melcoz | Melcoz can monitor content saved to the clipboard.(Citation: Securelist Brazilian Banking Malware July 2020) |
RunningRAT | RunningRAT contains code to open and copy data from the clipboard.(Citation: McAfee Gold Dragon) |
FlawedAmmyy | FlawedAmmyy can collect clipboard data.(Citation: Korean FSI TA505 2020) |
MarkiRAT | MarkiRAT can capture clipboard content.(Citation: Kaspersky Ferocious Kitten Jun 2021) |
Operation Wocao | Operation Wocao has collected clipboard data in plaintext.(Citation: FoxIT Wocao December 2019) |
TajMahal | TajMahal has the ability to steal data from the clipboard of an infected host.(Citation: Kaspersky TajMahal April 2019) |
Mitigations
Mitigation | Description |
---|---|
Clipboard Data Mitigation | Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting tools (Citation: Beechey 2010) such as AppLocker (Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP) |
Detection
Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.
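The correlation described above, sketched as an added example (not part of the original page or of any vendor's tooling): it flags processes whose clipboard reads are not preceded by user input in the same process and are either periodic, like the 30-second polling noted for CosmicDuke, or accompanied by outbound connections. The event schema, process names and thresholds are assumptions; real telemetry would come from your EDR or API-monitoring source.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (hypothetical schema): (time_s, pid, image, event).
EVENTS = [
    (0, 410, "editor.exe", "user_input"), (1, 410, "editor.exe", "clipboard_read"),
    (95, 410, "editor.exe", "user_input"), (96, 410, "editor.exe", "clipboard_read"),
    (10, 977, "updater.exe", "clipboard_read"), (40, 977, "updater.exe", "clipboard_read"),
    (70, 977, "updater.exe", "clipboard_read"), (100, 977, "updater.exe", "clipboard_read"),
    (101, 977, "updater.exe", "net_connect"),
]

def suspicious_clipboard_readers(events, input_window=5, min_reads=3, max_jitter=2.0):
    """Return findings for processes whose clipboard reads are not user-driven."""
    by_proc = defaultdict(lambda: defaultdict(list))
    for ts, pid, image, kind in events:
        by_proc[(pid, image)][kind].append(ts)

    findings = []
    for (pid, image), kinds in sorted(by_proc.items()):
        reads = sorted(kinds["clipboard_read"])
        inputs = kinds["user_input"]
        # A read counts as user-driven if the same process saw input shortly before it.
        unattended = [r for r in reads
                      if not any(0 <= r - i <= input_window for i in inputs)]
        if len(unattended) < min_reads:
            continue
        gaps = [b - a for a, b in zip(unattended, unattended[1:])]
        # Low jitter between reads suggests a timer loop rather than a person pasting.
        periodic = len(gaps) >= 2 and pstdev(gaps) <= max_jitter
        network = bool(kinds["net_connect"])
        # Clipboard access alone is legitimate; require a second signal before alerting.
        if periodic or network:
            findings.append({
                "pid": pid,
                "image": image,
                "reads": len(unattended),
                "period_s": round(mean(gaps), 1) if periodic else None,
                "network": network,
            })
    return findings

if __name__ == "__main__":
    for finding in suspicious_clipboard_readers(EVENTS):
        print(finding)
```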
References
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017.
- Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.
- Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
- Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
- Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
- Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
- Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
- Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
- Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
- Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
- Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
- Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
- Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
- Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
- Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
- Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
- Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
- GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
- Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
- Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
- Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
- Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
- Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
- Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
- Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
- Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
- Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
- Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.