Cryptocurrency users are being targeted with a new clipper malware strain dubbed Laplas by means of another malware known as SmokeLoader.
SmokeLoader, which is delivered by means of weaponized documents sent through spear-phishing emails, further acts as a conduit for other commodity trojans like SystemBC and Raccoon Stealer 2.0, according to an analysis from Cyble.
Observed in the wild since circa 2013, SmokeLoader functions as a generic loader capable of distributing additional payloads onto compromised systems, such as information-stealing malware and other implants. In July 2022, it was found to deploy a backdoor called Amadey.
Cyble said it discovered over 180 samples of the Laplas since October 24, 2022, suggesting a wide deployment.
Clippers, also called ClipBankers, fall under a category of malware that Microsoft calls cryware, which are designed to steal crypto by keeping close tabs on a victim’s clipboard activity and swapping the original wallet address, if present, with an attacker-controlled address.
The goal of clipper malware like Laplas is to hijack a virtual currency transaction intended for a legitimate recipient to that owned by the threat actor.
“Laplas is new clipper malware that generates a wallet address similar to the victim’s wallet address,” the researchers pointed out. “The victim will not notice the difference in the address, which significantly increases the chances of successful clipper activity.”
The newest clipper malware offers support for a variety of wallets like Bitcoin, Ethereum, Bitcoin Cash, Litecoin, Dogecoin, Monero, Ripple, Zcash, Dash, Ronin, TRON, Cardano, Cosmos, Tezos, Qtum, and Steam Trade URL. It’s priced from $59 a month to $549 a year.
It also comes with its own web panel that enables its purchasers to get information about the number of infected computers and the active wallet addresses operated by the adversary, in addition to allowing for adding new wallet addresses.
“SmokeLoader is a well-known, highly configurable, effective malware that TAs [threat actors] are actively renovating,” the researchers concluded.
“It is a modular malware, indicating it can get new execution instructions from [command-and-control] servers and download additional malware for expanded functionality. In this case, the TAs use three different malware families for financial gain and other malicious purposes.”