Symantec’s Threat Hunter Team, a part of Broadcom Software, has uncovered a cyber-criminal operation that has potentially made the actors behind it at least $1.7 million in illicit gains from cryptocurrency mining and theft via clipboard hijacking.
The malware being used, tracked by Symantec as Trojan.Clipminer, has a number of similarities to another crypto-mining Trojan called KryptoCibule, suggesting it may be a copycat or evolution of that threat.
Clipminer is likely spread via Trojanized downloads of cracked or pirated software. The malware arrives on compromised computers as a self-extracting WinRAR archive that drops and executes a downloader: a packed portable executable (PE) DLL given a .cpl extension, although it does not follow the Control Panel applet (CPL) format that extension implies. The dropped file connects to the Tor network to download Clipminer's components.
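The delivery chain above leaves two file-level artifacts a triage script can look for: a PE stub with a RAR archive appended to it (the self-extracting layout) and a file carrying a .cpl extension that is not a DLL or does not carry the CPlApplet export name every genuine Control Panel applet must expose. The following Python is an added example written for this article, not Symantec tooling and not derived from Clipminer samples; the file names, the sample byte blobs and the CPlApplet string check (a heuristic that a full export-directory parse would make stricter) are constructed assumptions.

```python
import struct
from pathlib import PurePath

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit: image is a DLL
RAR_MARKER = b"Rar!\x1a\x07"     # common prefix of the RAR4 and RAR5 signatures


def pe_characteristics(data: bytes):
    """Return the COFF Characteristics field, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # COFF header follows the 4-byte "PE\0\0" signature; Characteristics is its last WORD
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 22)[0]


def triage(filename: str, data: bytes) -> dict:
    """Flag a RAR payload appended to a PE stub (self-extracting archive) and a
    .cpl file that does not look like a real Control Panel applet."""
    ext = PurePath(filename).suffix.lower()
    chars = pe_characteristics(data)
    result = {"is_pe": chars is not None, "is_dll": False, "findings": []}
    if chars is None:
        return result
    result["is_dll"] = bool(chars & IMAGE_FILE_DLL)
    rar_off = data.find(RAR_MARKER)
    if rar_off > 0:   # marker after the PE header: stub followed by an archive
        result["findings"].append(f"rar_payload_at_{rar_off:#x}")
    if ext == ".cpl":
        if not result["is_dll"]:
            result["findings"].append("cpl_extension_on_non_dll")
        # A real CPL exports CPlApplet by name; a packed loader usually does not.
        # Plain string search is a heuristic (assumption): parsing the export
        # directory would be the strict check.
        if b"CPlApplet" not in data:
            result["findings"].append("cpl_without_CPlApplet")
    return result


def fake_pe(characteristics: int, tail: bytes = b"") -> bytes:
    """Constructed minimal PE image for offline testing (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + tail


# Constructed samples (hypothetical file names, synthetic bytes).
SAMPLES = {
    # packed DLL loader borrowing the .cpl extension, no CPlApplet export name
    "dropper.cpl": fake_pe(0x2102, b"\x00" * 64),
    # DLL that does carry the CPlApplet name, as a genuine applet would
    "legit.cpl": fake_pe(0x2102, b"\x00" * 16 + b"CPlApplet\x00"),
    # EXE stub with a RAR archive appended, i.e. the SFX layout
    "setup.exe": fake_pe(0x0102, b"\x00" * 32 + RAR_MARKER + b"\x00\x00"),
    "notes.txt": b"just text",
}


def main():
    for name, blob in SAMPLES.items():
        r = triage(name, blob)
        print(f"{name:12} pe={r['is_pe']!s:5} dll={r['is_dll']!s:5} findings={r['findings']}")


if __name__ == "__main__":
    main()
```

Run against a real directory by replacing `SAMPLES` with the files to check; on the constructed inputs the script flags `dropper.cpl` for lacking the CPlApplet name and `setup.exe` for the RAR marker at offset 0x78, and leaves `legit.cpl` and the text file clean.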