Researchers have found a new clipper malware, “Keona,” that steals crypto the way clippers typically do: it watches the clipboard and swaps any copied wallet address for the attacker’s wallet address. A victim who copies a legitimate address and pastes it into a transfer form ends up sending the payment to the attacker without noticing anything amiss.
Keona Clipper Malware Active In the Wild
According to a recent post from Cyble, the new Keona clipper malware is actively targeting crypto users. The researchers have discovered over 90 different samples related to the malware since May 2022.
The clipper malware family monitors the clipboard on infected devices. Anything the user copies can be read or silently replaced, so clippers are used to grab sensitive information, mainly login credentials and cryptocurrency wallet addresses.
The recently identified “Keona” is one such clipper. It uses a Telegram bot as its reporting channel and relies on staying hidden on the infected host. The researchers relay the developers’ own advertisement of Keona’s capabilities:
According to its developers, “the Keona clipper is unique and anonymous software wrapped in a Telegram bot with stealth and anonymity.” In addition, the malware disguises itself as a system file and sends victim details to a Telegram bot.
Detailed analysis showed heavy obfuscation, an attempt to evade detection and slow down analysis. Once a device is infected, the malware keeps working even if the Telegram bot is inactive, so the address swapping does not depend on the operator’s bot being reachable. It scans the clipboard and reports the stolen data to the Telegram bot through the Telegram API.
After its initial contact with the bot, the malware establishes persistence by copying itself to several locations on disk and adding Windows registry entries.
It then watches the clipboard for text that looks like an address of one of the cryptocurrencies it targets. Once it recognises which wallet type a copied string belongs to, it replaces that string with the attacker’s address for the same currency, which is what makes the swap hard to spot at a glance. Regarding the cryptocurrencies on its target list, the researchers stated,
The malware can steal BTC, ETH, LTC, XMR, XLM, XRP, NEC, BCH, ZCASH, BNB, DASH, DOGE, USDT TRC20, and ADA coins.
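To make the mechanism described above concrete, here is an added Python example. It is not code from Cyble’s report and not Keona’s own code; it shows the two halves of the picture: the shape-matching a clipper uses to decide which currency a copied string belongs to before substituting an address of the same family, and a defender-side check that flags the tell-tale signature of such a swap. The address patterns are loose format checks (prefix, alphabet, length, no checksum validation) for some of the currencies in the list above (BTC, LTC, ETH/BNB, XRP, DOGE, TRON for USDT TRC20, ADA); the victim and “attacker” addresses are constructed placeholders that fit those shapes, not real wallets.

```python
import re
from typing import Dict, Optional, Tuple

# Shape-only patterns (prefix, alphabet, length) for the address families a
# clipper has to recognise. No checksum validation: the clipper only needs to
# know which currency a copied string belongs to so it can pick a replacement
# of the same family. Constructed for this example, not taken from the malware.
ADDRESS_PATTERNS = {
    "BTC":  re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{39,59})$"),
    "LTC":  re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[ac-hj-np-z02-9]{39,59})$"),
    # "0x" + 40 hex chars is shared by Ethereum and BNB Smart Chain, so the
    # address alone cannot tell ETH from BNB. A clipper does not need to.
    "ETH":  re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XRP":  re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$"),
    "TRX":  re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),  # USDT (TRC20) lives on TRON addresses
    "ADA":  re.compile(r"^addr1[ac-hj-np-z02-9]{53,98}$"),
}

# Placeholder "attacker" wallets, constructed to fit the patterns above.
# A real operator would carry one per targeted currency.
ATTACKER_WALLETS: Dict[str, str] = {
    "BTC": "1AttackerAttackerAttackerAttackerA",
    "ETH": "0x" + "deadbeef" * 5,
    "TRX": "TAttackerAttackerAttackerAttackerA",
}


def classify(text: str) -> Optional[str]:
    """Return the currency whose address shape `text` matches, or None.

    Leading/trailing whitespace is ignored because addresses are often copied
    together with a newline from a web page or a chat message.
    """
    candidate = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None


def clipper_swap(clipboard_text: str,
                 attacker_wallets: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """What a clipper does on every clipboard change.

    Returns (new_clipboard_content, currency_swapped). Non-address text, and
    currencies the operator holds no wallet for, pass through untouched; that
    selectivity is what keeps the malware invisible in day-to-day use.
    """
    coin = classify(clipboard_text)
    if coin is None or coin not in attacker_wallets:
        return clipboard_text, None
    return attacker_wallets[coin], coin


def looks_like_clipper_swap(user_copied: str, clipboard_now: str) -> bool:
    """Defender-side heuristic for the swap described in the article.

    The signature is: the clipboard content changed although the user issued
    no new copy action, and both the value the user copied and the value now
    present are addresses of the same family. Ordinary edits, non-address
    text, or an unchanged address do not trigger it.
    """
    before, after = classify(user_copied), classify(clipboard_now)
    return (before is not None
            and before == after
            and user_copied.strip() != clipboard_now.strip())


if __name__ == "__main__":
    # Constructed victim address that fits the BTC legacy shape.
    victim = "1KeonaTestKeonaTestKeonaTestKeonaT"
    swapped, coin = clipper_swap(victim, ATTACKER_WALLETS)
    print(f"copied : {victim}")
    print(f"pasted : {swapped}  ({coin} address replaced)")
    print("swap detected:", looks_like_clipper_swap(victim, swapped))
```

The detection half is something a wallet application or clipboard-monitoring agent can run between the user’s copy action and the moment a transfer is confirmed. Because the patterns check only shape, they will also accept strings that are not real addresses; for the attacker that is harmless, and for the defender it only means an occasional false positive, which is the right side to err on when the alternative is an irreversible transfer.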
The researchers advise users to run robust anti-malware software, use strong passwords, and, before confirming any cryptocurrency transfer, compare the full pasted destination address with the one they intended to send to.