Clipboard Data

Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.

Windows

Applications can access clipboard data by using the Windows API. [1]

Mac

OS X provides a native command, pbpaste, to read the clipboard contents. [2]

ID: T1115

Tactic: Collection

Platform: Linux, Windows, macOS

Data Sources: API monitoring

Version: 1.0

Examples

Name | Description
Catchamas | Catchamas steals data stored in the clipboard. [3]
CosmicDuke | CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds. [4]
Helminth | The executable version of Helminth has a module to log clipboard contents. [5]
JHUHUGIT | A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image. [6]
Koadic | Koadic can retrieve the current content of the user clipboard. [7]
MacSpy | MacSpy can steal clipboard contents. [8]
RTM | RTM collects data from the clipboard. [9]
RunningRAT | RunningRAT contains code to open and copy data from the clipboard. [10]
TinyZBot | TinyZBot contains functionality to collect information from the clipboard. [11]
VERMIN | VERMIN collects data stored in the clipboard. [12]

Mitigation

Instead of blocking software solely on the basis of clipboard-capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it using application whitelisting tools [13] such as AppLocker [14] [15] or Software Restriction Policies [16], where appropriate. [17]

Detection

Access to the clipboard is a legitimate function of many applications on a Windows system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.
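As an added illustration of the correlation this section describes (example code, not part of the ATT&CK page or any referenced tool): given API-monitoring records of clipboard reads, flag processes that poll the clipboard at a near-constant interval, the non-user-driven pattern that a 30-second collection loop like CosmicDuke's produces. The log format, process names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample API-monitoring records (not real telemetry):
# "<ISO timestamp> <pid> <image> <api>", one call per line.
SAMPLE_LOG = """\
2023-05-01T10:00:00 1204 notepad.exe GetClipboardData
2023-05-01T10:00:30 3310 updater.exe GetClipboardData
2023-05-01T10:01:00 3310 updater.exe GetClipboardData
2023-05-01T10:01:30 3310 updater.exe GetClipboardData
2023-05-01T10:02:00 3310 updater.exe GetClipboardData
2023-05-01T10:02:30 3310 updater.exe GetClipboardData
2023-05-01T10:02:41 1204 notepad.exe GetClipboardData
2023-05-01T10:09:12 1204 notepad.exe GetClipboardData
"""

# Windows APIs that return clipboard contents to the caller.
CLIPBOARD_READ_APIS = {"GetClipboardData", "OpenClipboard"}


def parse_events(text):
    """Parse log lines into (timestamp, pid, image) tuples for clipboard reads."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, api = line.split()
        if api in CLIPBOARD_READ_APIS:
            events.append((datetime.fromisoformat(ts), int(pid), image))
    return events


def find_polling_readers(events, min_reads=5, max_jitter=2.0):
    """Return {(pid, image): mean period in seconds} for processes whose
    clipboard reads recur at a near-constant interval. Interactive paste
    activity is bursty and irregular, so a low standard deviation across
    several reads is the signal worth correlating with other activity."""
    by_proc = defaultdict(list)
    for ts, pid, image in events:
        by_proc[(pid, image)].append(ts)
    flagged = {}
    for key, stamps in by_proc.items():
        stamps.sort()
        if len(stamps) < min_reads:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            flagged[key] = sum(gaps) / len(gaps)
    return flagged
```

A flagged process is a lead, not a verdict: confirm it against the process's parent, signature and network activity before acting.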

References