0x00 Introduction
LAPLAS CLIPPER is a clipboard-hijacking trojan ("clipper") sold as a subscription-based MaaS (Malware-as-a-Service) cloud offering; the service websites are shown below. Subscribers build trojan binaries directly on the platform and customize callback settings such as proxy servers and the name of the persistence (autostart) entry. The trojan continuously monitors the victim's clipboard and, whenever the content matches a wallet-address regular expression, replaces it with an attacker-controlled wallet address so that the victim's next transfer goes to the attacker. Packaging the whole chain as a service greatly lowers the technical barrier to running address-swap fraud.


0x01 Versions of Laplas Clipper
Since October 2022, the LAPLAS operators have released successive versions of the trojan written in .NET, C++, and Go.
Because LAPLAS trojans call back to the domain clipper.guru, we searched VirusTotal for samples to analyze. This article focuses on the .NET and Go variants.

0x02 .NET
Analyzing the sample with the DIE tool showed no packer or obfuscation; the trojan is an unpacked binary.

Module analysis
Decompiling with dotPeek reveals the trojan's main components: clipboard manipulation, C2/API communication for exchanging data, and startup persistence.

The API/C2 request code (see below) obtains the attacker's wallet addresses, reports the implant's status, and fetches the wallet-address regex patterns used to recognize addresses in clipboard data.

The clipboard-handling code (below) covers the three core actions: reading, writing, and clearing the system clipboard.

Configuration parameters include the C2 domain (clipper.guru), the malware's executable name, the name of its Windows startup/persistence entry (the scheduled-task name), and the LAPLAS cloud-platform API token.

Persistence and execution flow
At startup, the malware creates a mutex to enforce a single running instance. It then checks whether its persistence (autostart) entry exists and, if the entry is in place, continues with its main loop.

The implant queries the API for wallet-address regex patterns and reports its online status (heartbeat). It periodically refreshes the regex set and status, monitors the system clipboard, runs the regexes over the clipboard contents to detect cryptocurrency addresses, and on a match overwrites the clipboard with an attacker-controlled address (address-replacement fraud).

Persistence: the implant registers a Windows scheduled task via schtasks to achieve autostart.

0x03 Go
Analysis of the trojan binary with the DIE tool shows it was written in Go and is not packed.

Inspecting the functions in the Go trojan shows they largely mirror those of the .NET version.

The malware stores its configuration in encrypted form. On launch, the binary decrypts the configuration blob before doing anything else (see the code below).

The malware checks whether its persistence/autostart entry is present.

The malware periodically sends heartbeat/status reports and refreshes the regular expressions used to identify wallet addresses, among other tasks.

The malware monitors the system clipboard and, when a clipboard entry matches a wallet-address regex, overwrites it with an attacker-controlled address to divert the victim's transfer.
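As an added illustration of the behaviour described here and in the .NET execution flow above (this is not code from the LAPLAS samples or from the original write-up), the Python below models how a defender can detect the address-swap pattern from the outside: the clipboard holds an address of one family and, a fraction of a second later and without a new copy action, holds a different address of the same family. The regex set is an assumption standing in for the patterns the implant fetches from clipper.guru, and the clipboard history is constructed sample data.

```python
"""Detect clipboard address-swap activity of the kind a clipper produces.

Added example; not code from the LAPLAS samples or the original analysis.
The regexes are a representative set of wallet-address formats (an
assumption standing in for the pattern set the implant fetches from its
API), and SAMPLE_EVENTS is a constructed clipboard history.
"""
import re

# Representative wallet-address regexes (assumption; not the implant's set).
WALLET_PATTERNS = {
    "BTC_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "BTC_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "TRX": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}

# Two clipboard writes of the same address family this close together,
# with different contents, are unlikely to be two human copy actions.
SWAP_WINDOW_SECONDS = 2.0


def classify(text):
    """Return the wallet family the clipboard text matches, or None."""
    candidate = text.strip()
    for family, pattern in WALLET_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


def detect_swaps(events, window=SWAP_WINDOW_SECONDS):
    """events: list of (timestamp_seconds, clipboard_text), oldest first.

    Flags every transition where an address of family F is replaced by a
    *different* address of the same family within `window` seconds, which
    is the footprint a clipper leaves in a clipboard-monitoring log.
    """
    alerts = []
    prev_ts, prev_text, prev_family = None, None, None
    for ts, text in events:
        text = text.strip()
        family = classify(text)
        if (
            family is not None
            and family == prev_family
            and text != prev_text
            and ts - prev_ts <= window
        ):
            alerts.append({
                "time": ts,
                "family": family,
                "original": prev_text,
                "replacement": text,
                "delta_s": round(ts - prev_ts, 3),
            })
        prev_ts, prev_text, prev_family = ts, text, family
    return alerts


def recurring_replacements(alerts, minimum=2):
    """Replacement addresses seen more than once: a clipper swaps in the
    same attacker wallet every time, whereas a user rarely does."""
    counts = {}
    for alert in alerts:
        counts[alert["replacement"]] = counts.get(alert["replacement"], 0) + 1
    return {addr: n for addr, n in counts.items() if n >= minimum}


# Constructed sample data. The "user" addresses are well-known public
# addresses; the "attacker" addresses are made up for this example.
BTC_USER = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
BTC_ATTACKER = "1CxyzSwapTargetFakeAddr2345678abcd"
ETH_USER = "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe"
ETH_ATTACKER = "0xabad1dea" + "0" * 24 + "deadbeef"
ETH_USER_2 = "0x" + "1234567890abcdef" * 2 + "12345678"

SAMPLE_EVENTS = [
    (0.0, "meeting notes for thursday"),
    (10.0, BTC_USER),        # user copies a BTC address
    (10.4, BTC_ATTACKER),    # clipboard rewritten 400 ms later: swap
    (60.0, ETH_USER),
    (60.3, ETH_ATTACKER),    # swap
    (120.0, BTC_USER),
    (120.5, BTC_ATTACKER),   # same attacker wallet again: swap
    (300.0, ETH_USER),
    (900.0, ETH_USER_2),     # different ETH address ten minutes later: benign
]

if __name__ == "__main__":
    found = detect_swaps(SAMPLE_EVENTS)
    for alert in found:
        print(f"[{alert['time']:>6.1f}s] {alert['family']}: "
              f"{alert['original']} -> {alert['replacement']} ({alert['delta_s']}s)")
    print("recurring replacement wallets:", recurring_replacements(found))
```

The recurring-replacement check is the more robust of the two signals: the window threshold can be tuned by an attacker who delays the rewrite, but the implant has to swap in the same wallet (or a small set of wallets) every time, so the replacement address itself becomes the IOC to block and to search for across other hosts.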

If the persistence entry does not exist, the malware copies itself to the target location and registers a persistence mechanism (autostart).
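The schtasks autostart described for the .NET variant, and the equivalent copy-and-register persistence in the Go variant, leave behind a scheduled task whose action points at the copied binary. As an added example (not code from the samples or from the original write-up), the Python below triages the CSV produced by `schtasks /query /fo CSV /v` offline: it pulls the executable out of each task's "Task To Run" field and flags tasks that launch from user-writable directories or that fire at logon/startup from a non-standard location. The CSV excerpt is constructed and keeps only a subset of the real columns (the parser keys on column names, so the full verbose output works unchanged); the task names and paths in it are invented, not taken from the samples.

```python
"""Triage scheduled tasks for clipper-style autostart persistence.

Added example; not code from the LAPLAS samples or the original analysis.
Input is the CSV written by `schtasks /query /fo CSV /v`. The sample below
is constructed and keeps only a subset of the real columns; the task names
and paths in it are invented.
"""
import csv
import io
import re

# Locations an unprivileged user can write to; an autostart task whose
# image lives here is how a self-copying implant normally persists.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads|Desktop)\\", re.IGNORECASE
)
# Locations where installer-deployed binaries normally live.
SYSTEM_DIRS = re.compile(
    r"^(%windir%|%systemroot%|[a-z]:\\windows\\|[a-z]:\\program files)", re.IGNORECASE
)
IMAGE_RE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|vbs|js|ps1))(?:\s|$)", re.IGNORECASE)


def extract_image(task_to_run):
    """Return the executable path from a 'Task To Run' value.

    Handles both the quoted form `"C:\\Program Files\\x\\a.exe" /q` and the
    unquoted form `%windir%\\system32\\defrag.exe -c`.
    """
    command = task_to_run.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command.strip('"')
    match = IMAGE_RE.match(command)
    return match.group(1) if match else command.split()[0]


def triage_tasks(csv_text):
    """Return suspicious tasks, most reasons first, each with its reasons."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        image = extract_image(row.get("Task To Run", ""))
        # Exact schedule labels vary by Windows version and locale, so match loosely.
        schedule = row.get("Schedule Type", "").lower()
        writable = bool(USER_WRITABLE.search(image))
        autostart = "logon" in schedule or "start" in schedule
        outside = not SYSTEM_DIRS.match(image)
        reasons = []
        if writable:
            reasons.append("image in user-writable directory")
        if autostart:
            reasons.append("fires at logon/startup")
        if outside:
            reasons.append("image outside Program Files / Windows")
        # A user-writable image is suspicious on its own; an autostart task
        # is suspicious when it also runs from a non-standard location.
        if writable or (autostart and outside):
            findings.append({
                "task": row.get("TaskName", ""),
                "image": image,
                "run_as": row.get("Run As User", ""),
                "reasons": reasons,
            })
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


# Constructed excerpt of `schtasks /query /fo CSV /v` output (subset of columns).
# Note the doubled quotes around the Google path: that is how CSV encodes a
# quoted command line, and csv.DictReader unescapes it for us.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Schedule Type","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","Monthly","SYSTEM"
"WS01","\GoogleUpdateTaskMachineUA","Ready","","""C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"" /ua /installsource scheduler","Daily","SYSTEM"
"WS01","\WindowsSecurityHealth","Ready","WS01\alice","C:\Users\alice\AppData\Roaming\SecurityHealth\SecurityHealth.exe","At logon time","WS01\alice"
"WS01","\OneDrive Standalone Update Task","Ready","","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","Daily","WS01\alice"
'''

if __name__ == "__main__":
    for finding in triage_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{finding['task']}  ->  {finding['image']}  [{finding['run_as']}]")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

The OneDrive row is there on purpose: legitimate per-user updaters also live under AppData, so a user-writable hit is a lead, not a verdict. The follow-up is to hash the image and compare it against known samples (such as the IOC list at the end of this article) and to check whether the task name was chosen to look like a Windows component, which is exactly the kind of name a LAPLAS subscriber can set when building the binary.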

0x04 Summary
LAPLAS Clipper is a clipboard-hijacking malware family with variants in .NET, Go, and other languages that uses the C2 domain clipper.guru. It fetches cryptocurrency-address regular expressions from an API and reports heartbeats to it, decrypts an encrypted configuration at startup, enforces single-instance execution via a mutex, monitors the clipboard, and replaces matched cryptocurrency addresses with attacker-controlled ones to divert transfers. It persists by copying itself to a target location and registering a Windows scheduled task (schtasks). The analyzed .NET and Go samples show no packer or obfuscation.

0x05 IOC
| Variant | SHA-256 |
|---|---|
| .NET version | 025bec496d71b1d17d023e04f25a5df0f3538308a5d639007a1e7db41c6d91e6 |
| Go version | 04ac8df80dd9829697566bedb82cd689d0c90cffb0c6219a1bfa38dc86dc59c9 |