Clipboard Data

Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.

Windows

Applications can access clipboard data by using the Windows API. [1]

Mac

OSX provides a native command, pbpaste, to grab clipboard contents [2].

ID: T1115

Tactic: Collection

Platform:  Linux, Windows, macOS

Data Sources:  API monitoring

Version: 1.0

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Examples

Name Description
Agent Tesla

Agent Tesla can steal data from the victim’s clipboard.[3][4][5]

APT38

APT38 used a Trojan called KEYLIME to collect data from the clipboard.[6]

Astaroth

Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries.[7]

Catchamas

Catchamas steals data stored in the clipboard.[8]

CosmicDuke

CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.[9]

DarkComet

DarkComet can steal data from the clipboard.[10]

Empire

Empire can harvest clipboard data on both Windows and macOS systems.[11]

Helminth

The executable version of Helminth has a module to log clipboard contents.[12]

JHUHUGIT

A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.[13]

jRAT

jRAT can capture clipboard data.[14]

Koadic

Koadic can retrieve the current content of the user clipboard.[15]

KONNI

KONNI had a feature to steal data from the clipboard.[16]

MacSpy

MacSpy can steal clipboard contents.[17]

Remcos

Remcos steals and modifies data from the clipboard.[18]

Remexi

Remexi collects text from the clipboard.[19]

RTM

RTM collects data from the clipboard.[20]

RunningRAT

RunningRAT contains code to open and copy data from the clipboard.[21]

TinyZBot

TinyZBot contains functionality to collect information from the clipboard.[22]

VERMIN

VERMIN collects data stored in the clipboard.[23]

Zeus Panda

Zeus Panda can hook GetClipboardData function to watch for clipboard pastes to collect.[24]

Detection

Access to the clipboard is a legitimate function of many applications on a Windows system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.

References