A new clipboard stealer, dubbed Laplas Clipper, has been spotted using cryptocurrency wallet addresses that look like the victim’s own in order to trick them into thinking they are using their own address. This is different from most clippers, which typically swap out the victim’s cryptocurrency address with the attacker’s own when copied to the clipboard.
Standard clipboard stealers, also known as clippers, monitor the Windows clipboard for any string that appears to be a cryptocurrency wallet address. Once one of these strings is copied to the clipboard, the clipper activates and replaces the address in the clipboard with one controlled by the threat actor. Since cryptocurrency wallet addresses are generally copied and pasted when performing a transaction, this allows the threat actor to effectively hijack the transaction and steal the cryptocurrency from the user. Because of this, many users check whether the pasted address is the same as the one they copied by comparing a few characters.
Laplas, however, uses a new approach to deceive these users by using threat actor-controlled addresses that closely resemble the copied one. The exact methodology behind this is currently unknown. In testing, it was shown that Laplas was able to replace a Bitcoin address with a different address that contained the same first and last few characters as the original copied version. The clipper currently supports a number of different cryptocurrency types such as Bitcoin, Ethereum, Dogecoin, Monero, Solana, and more.
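The following added example (not from the original article) shows why comparing a few leading and trailing characters misses this kind of swap, while a full-string comparison flags it. The function names, the loose address-shape patterns, and the sample values are assumptions made for illustration.

```python
import re

# Loose shape patterns for two of the coin types the article lists (assumption:
# shape only, no checksum validation).
ADDRESS_SHAPES = {
    "bitcoin": re.compile(r"^(?:bc1[0-9a-z]{20,80}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_type(text):
    """Return the coin name whose shape the text matches, or None."""
    for coin, shape in ADDRESS_SHAPES.items():
        if shape.match(text.strip()):
            return coin
    return None

def shared_affixes(a, b):
    """Count matching leading and trailing characters of two strings."""
    limit = min(len(a), len(b))
    prefix = 0
    while prefix < limit and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < limit - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix, suffix

def classify_paste(copied, pasted, n=4):
    """Compare the copied string with what is about to be pasted.

    n is how many characters at each end a user typically eyeballs.
    """
    copied, pasted = copied.strip(), pasted.strip()
    if copied == pasted:
        return "match"
    coin = address_type(copied)
    if coin is None or address_type(pasted) != coin:
        return "different"
    # Same coin type but not identical: the clipboard content was swapped.
    prefix, suffix = shared_affixes(copied, pasted)
    if prefix >= n and suffix >= n:
        return "lookalike-swap"  # would pass a first/last-n spot check
    return "plain-swap"  # a spot check would catch this one

# Constructed sample values (Ethereum-shaped, not real wallets).
COPIED = "0x" + "a1b2" + "0" * 32 + "c3d4"
LOOKALIKE = "0x" + "a1b2" + "f" * 32 + "c3d4"
PLAIN = "0x" + "9" * 40
```

Only the `match` verdict means the pasted value is safe to use; both swap verdicts indicate the clipboard content changed between copy and paste.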
Laplas is currently being distributed through other types of malware, such as SmokeLoader and Raccoon Stealer 2.0; this demonstrates a general interest from the overall cybercriminal community in its features.