From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker

What Happened

Cybercriminals are tricking people into downloading fake cryptocurrency trading bots and game prediction tools that actually contain malware. This malware affects both Windows and Mac computers, secretly watching the user's clipboard to swap out cryptocurrency addresses, stealing their funds when they try to make a transfer. The attackers make these fake tools look trustworthy by using networks of fake accounts to generate fake positive reviews, high download counts, and safe ratings on popular websites and YouTube. Users should be extremely cautious when downloading unverified financial tools and always double-check cryptocurrency addresses before sending money.

Key Takeaways

• A threat actor is distributing Rust-based clipboard hijackers for Windows and macOS, disguised as cryptocurrency trading bots and crash game predictors.
• The campaign relies heavily on 'Ghost Networks' to artificially inflate engagement metrics (stars, forks, views, comments) on GitHub, SourceForge, YouTube, and VirusTotal.
• The macOS variant utilizes a bash script (unlocker.command) to bypass Gatekeeper by removing quarantine attributes via the xattr command.
• The malware establishes persistence and continuously monitors the victim's clipboard, using regular expressions to replace copied cryptocurrency addresses with attacker-controlled wallets.

Affected Systems

• Windows
• macOS

Attack Chain

Victims are lured to a WordPress phishing site via social media, YouTube videos with AI narrators, and fake news articles promoting crypto sniper bots. Upon downloading the ZIP archive, Windows users execute a .NET loader that drops and runs a Rust-based clipboard hijacker, while macOS users are instructed to run a bash script (unlocker.command) that uses xattr to bypass Gatekeeper and launch the macOS Rust clipper. Both variants establish persistence (Windows via the Startup folder, macOS via LaunchAgents) and continuously monitor the clipboard, using regular expressions to replace copied cryptocurrency addresses with attacker-controlled wallets.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.) for this campaign.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions typically have strong visibility into process creation (such as the execution of xattr -cr on macOS), file drops in persistence locations (Startup folder, LaunchAgents), and clipboard API access. Network Visibility: Low — The malware operates locally on the clipboard and relies on hardcoded wallet addresses, meaning it does not require active C2 communication for the swapping logic. Detection Difficulty: Moderate — While the persistence mechanisms and Gatekeeper bypass commands are noisy and detectable, the actual clipboard monitoring might blend in with legitimate applications if not correlated with suspicious parent processes or specific file paths.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon Event ID 1)
• File Creation (Sysmon Event ID 11)
• macOS Unified Log

Hunting Hypotheses

Control Gaps

• Reputation-based AV engines may fail to block the payload due to manipulated VirusTotal scores.
• User awareness regarding Gatekeeper bypass instructions may be insufficient to prevent execution.

Key Behavioral Indicators

• Execution of a script named unlocker.command on macOS
• Creation of com.example..plist in macOS LaunchAgents
• Process ancestry showing a .NET loader spawning a Rust binary named silkebin.exe

False Positive Assessment

• Low, as the provided IOCs and behavioral patterns (like xattr -cr on random apps and specific file paths) are highly specific to this malicious campaign.

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Consider blocking access to the domain decryptor.net and associated URLs at the network perimeter.
• Evaluate searching endpoint telemetry for the provided SHA256 hashes and isolate affected hosts if supported by your EDR.

Infrastructure Hardening

• Consider enforcing Gatekeeper policies via MDM to prevent users from manually overriding quarantine attributes on macOS.
• Evaluate restricting execution from the %APPDATA% directory for unapproved or unsigned applications.

User Protection

• If supported by your EDR, consider implementing behavioral rules to detect and block automated clipboard manipulation by unsigned processes.
• Ensure macOS endpoints are configured to only allow applications from the App Store and identified developers.

Security Awareness

• Consider educating users on the risks of downloading unverified financial or trading tools from third-party sites.
• Evaluate training employees to visually verify cryptocurrency addresses after pasting them into transaction fields.
• Consider warning users about social engineering tactics that instruct them to bypass security warnings (e.g., running 'unlocker' scripts).

MITRE ATT&CK Mapping

• T1566.002 - Phishing: Spearphishing Link
• T1204.002 - User Execution: Malicious File
• T1553.001 - Subvert Trust Controls: Gatekeeper Bypass
• T1115 - Clipboard Data
• T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
• T1543.001 - Create or Modify System Process: Launch Agent
• T1027 - Obfuscated Files or Information

Additional IOCs

• Urls:
  • crash-predictor1.github.io/Aviator-Predictor - GitHub Pages URL hosting the malicious Aviator Predictor tool
• File Hashes:
  • 33c86ecfc324de3af97150bd009aba7925a6ba7a0842e127e94cf351013c0fe6 (sha256) - Windows Clipboard Hijacking Malware
  • 7a7ad4ae347a3f99f3773a113d9f70ecfa967100c96e8275bd1df833caee68d1 (sha256) - Windows Clipboard Hijacking Malware
  • bad8625087a7b9453c70933c0db32518ff5818e3d83f3a9e78d432a22b383edb (sha256) - Windows Clipboard Hijacking Malware
  • c1435847b0c437f91efb07a3a35e4468036322d7acf4ba9e6d363cec0b481241 (sha256) - Windows Clipboard Hijacking Malware
  • ef9a915c8e1d484e52b3287c94a58ecd22c07391a87f9c136eabd8397ed01ca2 (sha256) - Windows Clipboard Hijacking Malware
  • e02e60a23297692637b43ebcd7dbeb63af1e9680c551586a1ce935218e0034be (sha256) - Windows Clipboard Hijacking Malware
  • fb8294b12f904dff2ac79b51872be7bf09ab422cde223caaf4762eadf7e0760d (sha256) - Windows Clipboard Hijacking Malware
  • a91c09e0eea610dbe5879798f9cf12e3ce51e4e6f0893278bcdf3ebe22c4730b (sha256) - Windows Clipboard Hijacking Malware
  • 9c566db1ef9d08ee389d2b8cc1c50c65870096130c8bd2cf41ea14c4075e94c0 (sha256) - Windows Clipboard Hijacking Malware
  • f737e99177cc05037ff34cf6e245dd56377dc3db4e2bb46edcf039df650939d6 (sha256) - Windows .NET Loader
  • 7a9632bbecc31d02fdd0eab07e2424b3e1c9e9a3f91aac4ef6f708f2befbaa3d (sha256) - Windows .NET Loader
  • 6f12c066a929c96104796c4ecca938754962009ebd9e4ba5329bb940bf331d0a (sha256) - macOS Loader
• File Paths:
  • %APPDATA%\silke\silke.exe - Persistence location for the Windows clipboard hijacker
  • src\config\silkebin.exe - Relative path of the Windows Rust clipper payload before installation
  • ~/launch.sh - macOS shell script wrapper used for persistence
  • ~/Library/LaunchAgents/com.example..plist - macOS LaunchAgent plist used for persistence
• Command Lines:
  • Purpose: Remove macOS quarantine attribute to bypass Gatekeeper | Tools: xattr | Stage: Defense Evasion | /usr/bin/xattr -cr
  • Purpose: Open the malicious macOS application after unlocking | Tools: open | Stage: Execution | /usr/bin/open