New Clipboard Hijacker Replaces Crypto Wallet Addresses with Lookalikes

A new clipboard stealer, dubbed Laplas Clipper, has been spotted using cryptocurrency wallet addresses that look like the victim's own in order to trick the victim into thinking they are still using their own address. This differs from most clippers, which typically swap out the victim's cryptocurrency address for the attacker's own when it is copied to the clipboard.

Standard clipboard stealers, also known as clippers, monitor the Windows clipboard for any string that appears to be a cryptocurrency wallet address. Once such a string is copied to the clipboard, the clipper activates and replaces the address in the clipboard with one controlled by the threat actor. Since cryptocurrency wallet addresses are generally copied and pasted when performing a transaction, this allows the threat actor to effectively hijack the transaction and steal the cryptocurrency from the user. Because of this, many users check whether the pasted address is the same as the one they copied by comparing a few characters.

Laplas, however, uses a new approach to deceive these users by using threat actor-controlled addresses that closely resemble the copied one. The exact methodology behind this is currently unknown. In testing, it was shown that Laplas was able to replace a Bitcoin address with a different address that contained the same first and last few characters as the original copied version. The clipper currently supports a number of different cryptocurrency types such as Bitcoin, Ethereum, Dogecoin, Monero, Solana, and more.

Laplas is currently being distributed through other types of malware, such as SmokeLoader and Raccoon Stealer 2.0; this demonstrates a general interest from the overall cybercriminal community in its features.

Analyst Notes

It is highly recommended to avoid downloading executables from suspicious-looking websites or running attachments received over email. These are two of the most common methods of distributing malware, so avoiding these two actions can help prevent a user from being infected by most types of malware. It is also recommended to implement and maintain good security controls, such as an EDR, on all devices within an organization. Since Laplas appears to be distributed by other well-known malware families, effective endpoint security products may be able to prevent the distributing malware from executing, thus preventing Laplas from ever reaching the endpoint. If prevention fails, these malware families exhibit abnormal behavior that can be detected and alerted upon, allowing an organization to learn that there is a potential infection on a system. Finally, when copying and pasting cryptocurrency wallet addresses, it is highly recommended to compare the pasted value to the original side by side to verify it is the same address. Because Laplas uses similar-looking addresses, checking a few characters of the pasted address is no longer sufficient. By doing a full side-by-side comparison, a user can make sure that the address is exactly the same as the one they expect, preventing them from potentially losing a large amount of cryptocurrency.
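The following Python script is an added illustration of the two points above, not code from the original report or from the Laplas sample: it shows why the "compare a few characters" habit described earlier fails against a lookalike address while an exact comparison does not, and it sketches the kind of correlation a clipboard monitor could do to flag an unsolicited swap. The wallet-address patterns, the event format (a `user_copy` action followed by later `clipboard` snapshots), and all addresses are constructed assumptions; the addresses are deliberately fake and only shaped like real ones.

```python
import re

# Constructed, deliberately broad patterns for two common address formats.
# Assumption: these only recognise address-like strings; they do not validate checksums.
WALLET_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed sample addresses (fake, but shaped like legacy Bitcoin addresses).
COPIED = "1Examp1eCopiedAddress" + "X" * 13           # what the user actually copied
LOOKALIKE = COPIED[:4] + "Q" * 26 + COPIED[-4:]        # same first/last 4 chars, different middle
CLASSIC = "3QwertySwapAttackerAddress" + "X" * 8       # a plain swap with no resemblance

# Constructed event stream as a clipboard monitor might record it (assumption).
SAMPLE_EVENTS = [
    ("user_copy", COPIED),        # user copies their own address
    ("clipboard", LOOKALIKE),     # clipboard now holds a lookalike the user never copied
    ("user_copy", COPIED),
    ("clipboard", CLASSIC),       # classic clipper behaviour: unrelated address
    ("user_copy", "hello world"), # non-address text should never alert
    ("clipboard", "hello world"),
]


def wallet_type(text):
    """Return the matching wallet family name, or None if text is not address-like."""
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


def partial_check(copied, pasted, n=4):
    """The habit Laplas defeats: compare only the first and last n characters."""
    return copied[:n] == pasted[:n] and copied[-n:] == pasted[-n:]


def strict_check(copied, pasted):
    """The recommended check: the pasted value must equal the copied value exactly."""
    return copied == pasted


def detect_swaps(events):
    """Correlate what the user copied with what the clipboard later holds.

    events: list of (source, content) tuples, where source is "user_copy" for a
    copy initiated by the user and "clipboard" for a later snapshot of the
    clipboard content. Returns one alert dict per suspicious replacement.
    """
    alerts = []
    last_copied = None
    for source, content in events:
        if source == "user_copy":
            last_copied = content
            continue
        if last_copied is None or content == last_copied:
            continue
        # Content changed without a user copy: only interesting when both
        # the expected and the observed values look like wallet addresses.
        if wallet_type(last_copied) is None or wallet_type(content) is None:
            continue
        kind = "lookalike_swap" if partial_check(last_copied, content) else "swap"
        alerts.append({"kind": kind, "expected": last_copied, "observed": content})
    return alerts


if __name__ == "__main__":
    print("partial check fooled by lookalike:", partial_check(COPIED, LOOKALIKE))
    print("strict check fooled by lookalike: ", strict_check(COPIED, LOOKALIKE))
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(alert["kind"], alert["expected"], "->", alert["observed"])
```

Run as a script it shows the partial check accepting the lookalike while the strict check rejects it, and the detector reporting a `lookalike_swap` followed by a plain `swap`. In a real monitor the `user_copy` events would come from the user's own copy action and the `clipboard` snapshots from polling or change notifications; the correlation logic stays the same.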

New Laplas Clipper Distributed via SmokeLoader