Clipboard Data

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

In Windows, Applications can access clipboard data by using the Windows API.[1] OSX provides a native command, pbpaste, to grab clipboard contents.[2]

ID: T1115
Sub-techniques:  No sub-techniques
Tactic: Collection
Platforms: Linux, Windows, macOS
Data Sources: Command: Command Execution, Process: OS API Execution
CAPEC ID: CAPEC-637
Version: 1.1
Created: 31 May 2017
Last Modified: 23 April 2020

Procedure Examples

ID Name Description
S0331 Agent Tesla

Agent Tesla can steal data from the victim’s clipboard.[3][4][5][6]

G0082 APT38

APT38 used a Trojan called KEYLIME to collect data from the clipboard.[7]

G0087 APT39

APT39 has used tools capable of stealing contents of the clipboard.[8]

S0373 Astaroth

Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries. [9]

S0438 Attor

Attor has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs.[10]

S0454 Cadelspy

Cadelspy has the ability to steal data from the clipboard.[11]

S0261 Catchamas

Catchamas steals data stored in the clipboard.[12]

S0050 CosmicDuke

CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.[13]

S0334 DarkComet

DarkComet can steal data from the clipboard.[14]

S0363 Empire

Empire can harvest clipboard data on both Windows and macOS systems.[15]

S0569 Explosive

Explosive has a function to use the OpenClipboard wrapper.[16]

S0531 Grandoreiro

Grandoreiro can capture clipboard data from a compromised host.[17]

S0170 Helminth

The executable version of Helminth has a module to log clipboard contents.[18]

S0044 JHUHUGIT

A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.[19]

S0283 jRAT

jRAT can capture clipboard data.[20]

S0250 Koadic

Koadic can retrieve the current content of the user clipboard.[21]

S0356 KONNI

KONNI had a feature to steal data from the clipboard.[22]

S0409 Machete

Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events.[23][24]

S0282 MacSpy

MacSpy can steal clipboard contents.[25]

S0530 Melcoz

Melcoz can monitor content saved to the clipboard.[26]

S0455 Metamorfo

Metamorfo has a function to receive data from the system clipboard.[27]

G0116 Operation Wocao

Operation Wocao has collected clipboard data in plaintext.[28]

S0332 Remcos

Remcos steals and modifies data from the clipboard.[29]

S0375 Remexi

Remexi collects text from the clipboard.[30]

S0148 RTM

RTM collects data from the clipboard.[31][32]

S0253 RunningRAT

RunningRAT contains code to open and copy data from the clipboard.[33]

S0467 TajMahal

TajMahal has the ability to steal data from the clipboard of an infected host.[34]

S0004 TinyZBot

TinyZBot contains functionality to collect information from the clipboard.[35]

S0257 VERMIN

VERMIN collects data stored in the clipboard.[36]

S0330 Zeus Panda

Zeus Panda can hook GetClipboardData function to watch for clipboard pastes to collect.[37]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.

References

  1. Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.
  2. rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017.
  3. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  4. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
  5. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  6. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
  7. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  8. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  9. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  10. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  11. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  12. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
  13. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  14. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  15. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  16. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
  17. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
  18. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  19. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  1. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  2. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  3. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  4. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  5. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  6. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  7. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  8. Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  9. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  10. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  11. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  12. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  13. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  14. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  15. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  16. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  17. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  18. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.