clipminer.md

ID	X0038
Type	Resource Exploitation
Aliases	None
Platforms	Windows
Year	2011
Associated ATT&CK Software	None

Clipminer

Malware used for cryptocurrency mining and clipboard hijacking.

ATT&CK Techniques

Name	Use
Defense Evasion::Masquerading (T1036)	Clipminer drops a file masquerading as a Control Panel (CPL) file. [1]
Persistence::Scheduled Task/Job (T1053)	Clipminer creates scheduled tasks for persistence. [1]

Enhanced ATT&CK Techniques

Name	Use
Defense Evasion::Modify Registry (E1112)	Clipminer edits the registry. [1]
Command and Control::C2 Communication (B0030)	Clipminer communicates to a Tor Onion Service via HTTP. [1]
Collection::Input Capture (E1056)	Clipminer monitors keyboard and mouse activity to determine if the machine is in use. [1]
Impact::Clipboard Modification (E1510)	Clipminer monitors the clipboard for cryptocurrency addresses and replaces them with ones controlled by the adversary. [1]

MBC Behaviors

Name	Use
Execution::Install Additional Program (B0023)	Upon execution, Clipminer drops a file masquerading as a Control Panel (CPL) file. [1]
Impact::Resource Hijacking (B0018)	Clipminer uses sytem resources to mine for cryptocurrency. [1]

Indicators of Compromise

SHA256 Hashes

• bd48b5da093a37cfa5e3929c19ac06ce711bd581bc49040e68d2ba0e5610bf71
• 1d31bea6a065fa20cf41861d21b7ea39979d40126c800ebc87d07adb41fe03f4
• 12e6883046e2c92cbe3b5706ea7f1181b44512f179c7f04e88e75f3f6e392a48

References

[1] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking