New clipboard hijacker replaces crypto wallet addresses with lookalikes

A new clipboard stealer called Laplas Clipper, spotted in the wild, swaps the cryptocurrency wallet address a victim copies for an attacker-controlled address that looks like the victim’s intended recipient.

Laplas differs from other malware of its kind, which is typically just an add-on module of info-stealing malware. The new clipper is a feature-rich tool that gives hackers more granular control and better insight into the efficiency of their operations.

The tool is provided under a subscription model, the most expensive tier being $549 for a year’s access to the web-based panel that allows operators to monitor and control their attacks.

Laplas promoted on Russian-speaking darknet forums
courtesy of KELA

In about a week, the number of Laplas Clipper samples spotted in the wild grew from fewer than 20 a day to 55 a day at the end of last month, security researchers at Cyble note in a report.

Currently, Laplas is distributed through Smoke Loader and Raccoon Stealer 2.0, showing that it has attracted the attention of the cybercrime community.

The Laplas approach

Standard clipboard stealers, also called clippers, monitor the Windows clipboard and activate when they detect a cryptocurrency wallet address, which users typically copy and paste as the destination of a payment.

When this happens, the clipper replaces that address with one belonging to the cybercriminals, thus diverting the payment to the attacker.

To counter this risk, many crypto holders today check whether the address in the clipboard is the intended one by comparing a few of its characters, which makes most clippers less effective.

The developers of Laplas came up with a new approach to deceive keen-eyed crypto users by using addresses that closely resemble the one the victim copied.

Basic wallet generation settings
source: BleepingComputer

It is unclear how the hackers obtain the similar addresses. In tests BleepingComputer made, we were able to generate an address similar to the original input in as little as five seconds.

However, this is significantly longer than an average user takes to copy and paste an address, which could raise suspicion.

One theory is that the hackers pre-generate a massive number of addresses in advance, from which Laplas picks the ones that resemble what the victim copied.

Cyble notes that this process happens on the attacker’s server, so the exact mechanism remains unknown. On the victim’s machine, the clipper uses regular expressions to recognize a wallet address in the clipboard before requesting a similar one from the server.

Laplas replacing clipboard address with the hacker's address
source: Cyble

Cyble shared with BleepingComputer that in their research Laplas retrieved a Bitcoin address that matched the first and last few characters of the one copied to the clipboard.

However, in the case of Ethereum, the address fetched from the attacker’s server looked nothing like the original it tried to spoof.
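To make the weakness of the "compare a few characters" habit described above concrete, here is an added example (not code from the article, from Cyble, or from the malware) that checks a clipboard string against the address the user actually intended and flags one that agrees only at the ends; the address patterns are format checks only and all sample addresses are constructed for illustration.

```python
import re

# Format checks only (no checksum) for the Bitcoin legacy/bech32 and Ethereum
# shapes discussed in the article. A lookalike served by the clipper is itself
# a valid address, so format validation alone can never catch the swap.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[a-z0-9]{25,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def detect_address_type(text: str):
    """Return the coin family a string looks like, or None if it is not an address."""
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def first_mismatch(a: str, b: str) -> int:
    """Index of the first differing character (length of the shorter string if none)."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return min(len(a), len(b))


def check_clipboard(intended: str, clipboard: str, edge: int = 4) -> str:
    """Classify clipboard contents against the address the user meant to paste.

    "lookalike" means the first and last `edge` characters agree but the middle
    differs, i.e. exactly what a quick eyeball check would accept. Only the full
    string comparison decides; the edge test just explains why it was rejected.
    """
    cb = clipboard.strip()
    if detect_address_type(cb) is None:
        return "not_an_address"
    if cb == intended:
        return "match"
    if cb[:edge] == intended[:edge] and cb[-edge:] == intended[-edge:]:
        return "lookalike"
    return "mismatch"


# Constructed sample addresses (format-valid only, not real wallets).
BTC_INTENDED = "1Ab3DemoXyz4kQpR7sTuVwXyZ2mNpQrS9"
BTC_LOOKALIKE = "1Ab3KmZt8fQwRx5vNpLuYhGj6dBcEQrS9"  # same "1Ab3" ... "QrS9"
ETH_INTENDED = "0xdeadbeef00112233445566778899aabbccddeeff"
ETH_OTHER = "0x0123456789abcdef0123456789abcdef01234567"

if __name__ == "__main__":
    for intended, cb in [(BTC_INTENDED, BTC_INTENDED), (BTC_INTENDED, BTC_LOOKALIKE),
                         (ETH_INTENDED, ETH_OTHER), (BTC_INTENDED, "not an address")]:
        print(f"{check_clipboard(intended, cb):15} differs at {first_mismatch(intended, cb)}: {cb}")
```

A wallet front-end or a clipboard-monitoring tool would wire `check_clipboard` to the actual clipboard; the point is that the whole address, not its ends, is compared.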

The clipper supports wallet address generation for Bitcoin, Bitcoin Cash, Litecoin, Ethereum, Dogecoin, Monero, Algorand, Ravencoin, Ripple, Zcash, Dash, Ronin, Tron, Tezos, Solana, Cardano, Cosmos, Qtum, and Steam Trade URLs.

Wallet addresses supported by Laplas
source: BleepingComputer

According to the author’s promotional post on the dark web, the new addresses are generated in less than a second and are added to the web panel along with the balance they currently hold.

Generated wallets are stored in the database for three days, but operators can send the access keys to their Telegram accounts to assume control of the wallets later.

Operators can also use Telegram to receive real-time notifications about any of the clipper’s actions on compromised hosts, such as the diversion of a significant amount.

Defining Telegram to receive alerts
source: BleepingComputer

Keep safe

Users should avoid downloading executables from obscure websites and running attachments received over email.

It is recommended to spend an extra moment validating the recipient’s full address, not just its first and last characters, before making a cryptocurrency transaction.

Storing wallet seeds in encrypted form should also make it more difficult for cybercriminals to gain access to the cryptocurrency funds, even if they obtain the data.