BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
87
Global rank
88 infographic chevron month
Month rank
84 infographic chevron week
Week rank
20
IOCs

Laplas Clipper is a crypto-stealing malware that gains unauthorized access to the victim’s clipboard and replaces their crypto addresses to trick them into sending their funds to the attacker’s wallet. This malicious program is offered for sale as a malware-as-a-service (MaaS) and often distributed with the help of loaders, including SmokeLoader.

Stealer
Type
ex-USSR
Origin
1 October, 2022
First seen
27 June, 2023
Last seen

How to analyze Laplas Clipper with ANY.RUN

Type
ex-USSR
Origin
1 October, 2022
First seen
27 June, 2023
Last seen

IOCs

Hashes
8dbebde20f5c4a1c0d29c9faf1c670423f99306042d428c35d6bdd552d3fb554
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320
7de1d4823ee481df27c4ad35cbfee9f68616b05b3e12fa671a67f1f032988fc1
8a4db58bba93163fec499b334d605533df8d04ddca7428737224c31a20271daf
ad1761fa2b7f8730c013e0baf2f37d00ac0a8bb93e2dcd82bcb05f36e7638cf7
825b0080782dee075f8aac11c3a682f86c5d3aa5462bd16be0ed511a181dd7ba
2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7
a4535bdcb87e5a9542d0685d9a9e370276b9eb7d79bee01ba28b7624c8bec91a
ca75ac12bc95dc23b280682635042c07dccd331ab3bacac39c8983cecb575405
a0974d1c332945a109d350c01e1e2551d320ccc3be97b8e9aea8945e27bcad2b
056e6e9d314a50198b132d58285ebd25fedab173f5c8ff2faa524308b28b12e1
b17670d28e2cc95784b4bb1ad7a8b3eae5e69b27896f7b755f8e7550f767e116
303edb02103ab4fa8a3e3475d11a565e022eb198152e2f9e7e32fa8f961a9070
374038d3b479d64d002df14a62bc561394613510b82cfbdbce25d18aaab03d27
b78a994b62bd9915e90e163aefb4b0a136a5120147867984d4ea2e278856fd34
2c5c3ba7eba30cc358b40d494fda79d9d2a6df152bdb7eb1aceb36f3fbcf60c3
55194a6530652599dfc4af96f87f39575ddd9f7f30c912cd59240dd26373940b
24ae7cfa0d195dee2d51fd1cff90274738bc92c0fabc27441223f130e6a322dd
f764bb6c3fa76c26bdb604577f2f09436a46f6ebaee7b2afdf026a2c971c71bc
Last Seen at

Recent blog posts

post image
ANY.RUN attends Osintomático 2024
watchers 48
comments 0
post image
Windows 11 UAC Bypass in Modern Malware
watchers 657
comments 0
post image
New Hijack Loader Variant: Uses Process Hollo...
watchers 564
comments 0

What is Laplas Clipper malware?

Laplas Clipper is a family of malware that possesses stealer capabilities. Specifically, it works by replacing victims’ cryptocurrency addresses with those of the attacker using the clipboard. As a result, users unknowingly end up sending their virtual coins and tokens to the wallet set up by the threat actor. First observed in late 2022, Laplas Clipper remains in operation to this day and gets regular updates.

Laplas is sold openly via Telegram channels and Darknet forums as a Malware-as-a-Service (MaaS). Any user interested in this malicious software can purchase a subscription, starting from one week ($49) and up to one year ($839). As part of the offering, operators receive a web panel that lets them control the entire process of replacing victims’ crypto addresses and get notifications about the malware’s activity.

Phishing campaigns are the most common method employed by threats actors for infecting victims’ computers with Laplas Clipper. Criminals often weaponize .pdf and office-suite format files to conduct multi-stage attacks. In many instances, the malware is being dropped by other malicious software, including SmokeLoader, which penetrates security mechanisms of computers and then downloads Laplas.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the Laplas Clipper malicious software

Unlike other stealers, such as FormBook and Arkei, Laplas Clipper has a limited functionality, which focuses exclusively on hijacking victims’ cryptocurrency wallets. The capabilities of the malware include:

  • Generation of crypto addresses: Laplas Clipper can generate Bitcoin addresses for all three types: P2PKH (legacy), P2SH, and SegWit. It can also create addresses for ERC20, BEP20, and other tokens that use the 0x prefix, as well as Tron ones.
  • Choice of prefix or postfix generation: The malware allows users to choose whether to produce addresses with the prefix or postfix. This gives criminals more control over the appearance of illegitimate addresses.
  • Support for over 20 types of wallets: The software can replace addresses in most popular crypto wallets.
  • Web panel: Laplas Clipper can be managed through a web-based interface, letting the operator easily configure and use the clipper.
  • Autobuild functionality: Users of the malware can choose between three versions of the program: C++, Golang, and .NET 4.
  • Automatic balance check: Laplas Clipper can automatically check the balance of victims’ addresses.
  • Support for EXE, DLL extensions: Laplas Clipper can be built for both EXE and DLL extensions.

The malware creates addresses that are almost identical to the original ones. For example, the first three characters after the prefix of the attacker's address will be the same as those of the victim's address. This is often enough for an average user to mistakenly send their cryptocurrency to the wrong address. Apart from generating its own addresses, Laplas Clipper allows operators to use their custom ones.

As for the anti-analysis and anti-detection techniques, some versions of the malware are obfuscated with Babel, a popular obfuscator for .NET, which is capable of renaming symbols and encrypting strings. The malware is also equipped with debugger and virtualization evasion. Read the article “Analyzing a New .NET variant of LaplasClipper: retrieving the config” to learn more about the program’s code and collect its configuration.

Execution process of Laplas Clipper

Let’s load a sample of Laplas Clipper into ANY.RUN, an interactive malware sandbox, to expose its malicious activities and examine its behavior, as well as to gather up-to-date IOCs.

Laplas process tree Laplas Clipper's process tree

The task starts with the execution of a malicious file with the name "scdscxzccsacx_csharp_build_autorun.exe" located in the temporary folder. What's interesting is that this executable creates a scheduled task called "uAGRIUzbtd", which launches another executable named “svcupdater.exe.” This executable is located in the user's roaming folder stored inside the AppData directory (T1053.005). ANY.RUN shows that the "cmd" process was used to execute the "schtasks" process.

After one minute into the VM operation, the scheduled task starts the "svcupdater.exe" file. This indicates that the malware is attempting to establish persistence on the system by scheduling the execution of a file in the user's roaming folder. This behavior is commonly observed in malware that wants to maintain a presence on the system even after a reboot.

After that, the malware performs its main activity and begins to connect to C2 servers and collect information about the system. In this task, we can not only view the malware configuration by clicking the CFG icon next to the process or the MalConf button, but also download a dump of that process by clicking the DMP icon to perform additional analysis if needed.

Read a detailed analysis of Laplas Clipper in our blog.

Laplas process dump ANY.RUN lets you download a process dump of the analyzed sample

Distribution methods of the Laplas Clipper malware

Phishing emails are commonly used by criminals as the first step in multi-stage attacks that ultimately lead to LaplasClipper infection. These attackers often create emails that are misleading and deceive individuals into opening attachments that contain harmful files. For instance, attackers have been observed to pose as CoinPayments, a well-known cryptocurrency payment gateway, and request users to download a .zip folder. By executing the files from the archive, users inadvertently install Laplas Clipper on their systems.

Conclusion

Laplas is a newly developed malware that poses a serious threat to crypto holders worldwide. The malicious actors behind Laplas attacks have been successful in stealing substantial amounts of virtual coins. Therefore, individuals and companies that deal with cryptocurrencies must exercise extra caution when opening email attachments from unknown senders and suspicious files from untrusted sources. To ensure the safety of a document or link, it is recommended to use ANY.RUN. This platform provides conclusive verdicts on the malicious behavior of files and URLs and generates detailed reports, containing IOCs and configs for future detection of the threat.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy