
Clipboard Data

Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.

Windows

Applications can access clipboard data by using the Windows API. [1]

Mac

OSX provides a native command, pbpaste, to grab clipboard contents. [2]

ID: T1115
Tactic: Collection
Platform: Linux, Windows, macOS
Data Sources: API monitoring
Version: 1.0

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Examples

| Name | Description |
| --- | --- |
| Agent Tesla | Agent Tesla can steal data from the victim’s clipboard. [9] [10] [11] |
| APT38 | APT38 used a Trojan called KEYLIME to collect data from the clipboard. [24] |
| Astaroth | Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() API functions. [21] |
| Catchamas | Catchamas steals data stored in the clipboard. [6] |
| CosmicDuke | CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds. [15] |
| DarkComet | DarkComet can steal data from the clipboard. [19] |
| Empire | Empire can harvest clipboard data on both Windows and macOS systems. [5] |
| Helminth | The executable version of Helminth has a module to log clipboard contents. [13] |
| JHUHUGIT | A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image. [7] |
| jRAT | jRAT can capture clipboard data. [23] |
| Koadic | Koadic can retrieve the current content of the user clipboard. [3] |
| KONNI | KONNI had a feature to steal data from the clipboard. [20] |
| MacSpy | MacSpy can steal clipboard contents. [12] |
| Remcos | Remcos steals and modifies data from the clipboard. [4] |
| Remexi | Remexi collects text from the clipboard. [22] |
| RTM | RTM collects data from the clipboard. [8] |
| RunningRAT | RunningRAT contains code to open and copy data from the clipboard. [14] |
| TinyZBot | TinyZBot contains functionality to collect information from the clipboard. [17] |
| VERMIN | VERMIN collects data stored in the clipboard. [18] |
| Zeus Panda | Zeus Panda can hook the GetClipboardData function to watch for clipboard pastes to collect. [16] |

Detection

Access to the clipboard is a legitimate function of many applications on a Windows system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.
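One way to do the correlation described above, as an added example that is not part of the original page: it takes API-monitoring events and flags processes that read the clipboard only while they have no foreground window and at near-constant intervals, the pattern of the 30-second polling listed for CosmicDuke. The event tuple layout, the foreground-window field, the process names and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (hypothetical schema):
# (epoch_seconds, process_name, api_call, process_had_foreground_window)
EVENTS = [
    (1000, "winword.exe", "GetClipboardData", True),    # user pasting
    (1004, "winword.exe", "GetClipboardData", True),
    (1090, "winword.exe", "GetClipboardData", True),
    (1130, "winword.exe", "GetClipboardData", True),
    (1000, "updater.exe", "GetClipboardData", False),   # steady 30 s polling
    (1030, "updater.exe", "GetClipboardData", False),
    (1060, "updater.exe", "GetClipboardData", False),
    (1090, "updater.exe", "GetClipboardData", False),
    (1120, "updater.exe", "GetClipboardData", False),
    (1000, "clipmgr.exe", "GetClipboardData", False),   # background, irregular
    (1007, "clipmgr.exe", "GetClipboardData", False),
    (1100, "clipmgr.exe", "GetClipboardData", False),
    (1105, "clipmgr.exe", "GetClipboardData", False),
    (1015, "backupsvc.exe", "GetClipboardData", False), # single read, too few
    (1016, "backupsvc.exe", "CreateFileW", False),      # unrelated API call
]

def suspicious_clipboard_readers(events, min_reads=4, max_jitter=2.0):
    """Return {process: mean_interval_seconds} for processes whose clipboard
    reads never coincide with a foreground window and arrive on a timer."""
    reads = defaultdict(list)
    user_driven = set()
    for ts, proc, api, has_foreground in events:
        if api != "GetClipboardData":
            continue
        reads[proc].append(ts)
        if has_foreground:
            user_driven.add(proc)   # at least one read looks user-driven
    flagged = {}
    for proc, stamps in reads.items():
        if proc in user_driven or len(stamps) < min_reads:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Low spread between gaps means the reads are timer-driven.
        if pstdev(gaps) <= max_jitter:
            flagged[proc] = mean(gaps)
    return flagged

if __name__ == "__main__":
    print(suspicious_clipboard_readers(EVENTS))
```

A hit here is a lead for triage, not a verdict: legitimate clipboard managers also read in the background, so the result still needs to be weighed against other activity from the same process.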

References