
The Marathon Infection Chain of ClipBanker: How a Simple Search Leads to a Cryptocurrency-Stealing Trojan

Posted by u/Lolpro Lab · 2026-05-04 12:57:02

Introduction

In early 2023, security researchers observed a peculiar Trojan that stood out for its exceptionally prolonged infection chain. Unlike typical malware that quickly executes its payload, ClipBanker employs a methodical, multi-step process that begins with a seemingly innocent web search. This article deconstructs the attack vector and sheds light on how the malware ultimately targets cryptocurrency wallets.

Source: securelist.com

How the Infection Chain Begins

The journey toward infection often starts when a user searches for “Proxifier” in a popular search engine. Proxifiers are specialized tools that tunnel traffic for applications not natively designed to work with proxy servers, making them essential in secured development environments. Coincidentally, “Proxifier” is also the name of a proprietary software product developed by VentoByte and distributed under a paid license. One of the top search results for this term leads to a GitHub repository, and that repository is exactly where the primary infection originates.

The GitHub Trap

The GitHub project contains the source code for a basic proxy service. However, unsuspecting users who navigate to the Releases section find an archive containing an executable file and a text document. The executable is actually a malicious wrapper bundled around the legitimate Proxifier installer, while the text file conveniently provides activation keys for the software. This carefully crafted lure ensures the victim voluntarily downloads and runs the infected file.

The Complex Multi-Stage Injection Process

Once the trojanized executable is launched, the malware begins its marathon infection chain. It first adds exclusions to Microsoft Defender for all files with the .TMP extension and for the directory where the executable resides. The technique used to achieve this is notably exotic.

Stage One: Creating a Donor Process

ClipBanker creates a small stub file — roughly 1.5 KB in size — in the temp directory, named Proxifier<???>.tmp, and executes it. This stub does nothing on its own; it functions purely as a donor process. Later, a .NET application called api_updater.exe is injected into this process to handle the Microsoft Defender exclusions.

Stage Two: Decrypting and Running PowerShell

api_updater.exe decrypts and runs a PowerShell script using the PSObject class. This class allows the script to execute directly within the current process without spawning a command console or launching the interpreter, thereby evading detection. As soon as the required exclusions are set, the trojanized installer extracts and launches the real Proxifier installer. Meanwhile, the infection quietly continues in the background.

Stage Three: A Second Injector

The malware creates another donor process and injects a module named proxifierupdater.exe. This module acts as yet another injector: it launches the system utility conhost.exe and injects it with another .NET application, internally named bin.exe, which runs a PowerShell script using the same techniques as before.

The Final Payload and Defense Evasion

The script at the end of this chain is obfuscated and partially encoded, but its actions are straightforward — it performs only four specific tasks:

  • Add powershell.exe and conhost.exe to Microsoft Defender exclusions.
  • Create a registry key at HKLM\SOFTWARE\System::Config and store another Base64-encoded PowerShell script inside it.
  • Set up a scheduled task that launches PowerShell with an argument pointing to a script.
  • That script reads the content of the created registry key, decodes it, and transfers control to the final payload — ClipBanker, which monitors clipboard data for cryptocurrency addresses and replaces them with the attacker’s own.

This marathon chain demonstrates how modern malware can leverage legitimate tools, lengthy injection sequences, and system utilities to avoid detection and ultimately steal digital assets.
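The Defender exclusions set in Stage Two and by the final script (the .TMP extension, the installer's directory, powershell.exe and conhost.exe) are the most visible footprint of this chain. The following detection logic is an added example, not code from the original post or from the Securelist research: it parses messages in the shape of Microsoft Defender event ID 5007 (logged whenever the Defender configuration changes) and flags the exclusion patterns the chain depends on. The sample messages are constructed, and the regex assumes the "New value: HKLM\...\Exclusions\<kind>\<value> = 0x0" wording of that event.

```python
"""Flag Microsoft Defender exclusion changes that match the ClipBanker chain."""
import re
from typing import List, Optional, Tuple

# Event ID 5007 names the changed setting as a registry path under the Defender
# Exclusions hive, followed by "= 0x0" when a Path/Extension/Process is added.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?)\s*=\s*0x0",
    re.IGNORECASE,
)
# Indicators taken from the chain above: .TMP donor stubs, the interpreter and
# host process excluded by the final script, and the installer's temp directory.
SUSPICIOUS_EXTENSIONS = {".tmp"}
SUSPICIOUS_PROCESSES = {"powershell.exe", "conhost.exe"}
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def classify(kind: str, value: str) -> Optional[str]:
    """Return why an exclusion is suspicious, or None if it looks routine."""
    kind, v = kind.lower(), value.strip().lower()
    if kind == "extensions" and v in SUSPICIOUS_EXTENSIONS:
        return "extension exclusion covering the .tmp donor-process stubs"
    if kind == "processes" and v.rsplit("\\", 1)[-1] in SUSPICIOUS_PROCESSES:
        return "process exclusion for a built-in interpreter or injection host"
    if kind == "paths" and TEMP_DIR_RE.search(v + "\\"):
        return "path exclusion under a temp directory"
    return None


def scan_events(messages: List[str]) -> List[Tuple[str, str, str]]:
    """Parse 5007-style messages; return (kind, value, reason) for suspicious ones."""
    findings = []
    for msg in messages:
        for m in EXCLUSION_RE.finditer(msg):
            reason = classify(m["kind"], m["value"])
            if reason:
                findings.append((m["kind"], m["value"].strip(), reason))
    return findings


# Constructed sample messages in the shape of event 5007 (not real telemetry).
PREFIX = ("Microsoft Defender Antivirus Configuration has changed. New value: "
          "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\")
SAMPLE_EVENTS = [
    PREFIX + "Extensions\\.tmp = 0x0",
    PREFIX + "Paths\\C:\\Users\\alice\\AppData\\Local\\Temp\\Proxifier = 0x0",
    PREFIX + "Processes\\powershell.exe = 0x0",
    PREFIX + "Processes\\conhost.exe = 0x0",
    PREFIX + "Paths\\C:\\Program Files\\Proxifier = 0x0",  # routine: not flagged
]
```

On a real host the messages come from the Microsoft-Windows-Windows Defender/Operational channel; feeding them through scan_events turns the chain's first defense-evasion step into an alert before the scheduled task and registry payload are ever written.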