|Platform|Linux, macOS, Windows|
|Data Sources|API monitoring|
Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications. The clipboard is a shared resource of the user's session: any process running as that user can read it, without elevated privileges, and the source application is not notified. Applications can access clipboard data by using the Windows API [1]. macOS provides a native command, pbpaste, to retrieve the clipboard contents [2].
- CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds [3].
- The executable version of Helminth has a module to log clipboard contents [4].
- A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image [5].
- RTM collects data from the clipboard [6].
- TinyZBot contains functionality to collect information from the clipboard [7].
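The following is an added example, not code from the ATT&CK page or from any of the malware families listed above. It shows the two access paths the description names (the Windows clipboard API via `OpenClipboard`/`GetClipboardData`, and `pbpaste` on macOS) behind a single poller that, like the CosmicDuke behavior above, reads the clipboard at a fixed interval and keeps only values it has not already seen. The 30-second interval, the SHA-256 deduplication and the `on_new` callback are assumptions; no Linux reader is included because the page gives no Linux method.

```python
"""Added example: periodic clipboard collector (not from the page or any cited malware)."""
import ctypes
import hashlib
import subprocess
import sys
import time

CF_UNICODETEXT = 13  # Windows clipboard format identifier for UTF-16 text


def read_clipboard_windows():
    """Read clipboard text with the Windows API: OpenClipboard -> GetClipboardData -> GlobalLock."""
    user32 = ctypes.windll.user32
    kernel32 = ctypes.windll.kernel32
    user32.GetClipboardData.restype = ctypes.c_void_p
    kernel32.GlobalLock.restype = ctypes.c_void_p
    kernel32.GlobalLock.argtypes = [ctypes.c_void_p]
    kernel32.GlobalUnlock.argtypes = [ctypes.c_void_p]
    if not user32.OpenClipboard(None):
        return None  # another process holds the clipboard open; try again next tick
    try:
        handle = user32.GetClipboardData(CF_UNICODETEXT)
        if not handle:
            return None  # no text on the clipboard (e.g. an image or nothing at all)
        ptr = kernel32.GlobalLock(handle)
        try:
            return ctypes.wstring_at(ptr)
        finally:
            kernel32.GlobalUnlock(handle)
    finally:
        user32.CloseClipboard()


def read_clipboard_macos():
    """Read clipboard text by running the native pbpaste command."""
    result = subprocess.run(["pbpaste"], capture_output=True, text=True)
    return result.stdout if result.returncode == 0 else None


def pick_reader():
    """Select the reader for the current platform."""
    if sys.platform == "win32":
        return read_clipboard_windows
    if sys.platform == "darwin":
        return read_clipboard_macos
    raise RuntimeError("no clipboard reader for this platform")


def poll_clipboard(reader, ticks, interval=30.0, sleep=time.sleep, on_new=None):
    """Call reader() `ticks` times, `interval` seconds apart, and return the list of
    distinct values observed. Consecutive duplicates are dropped by comparing a
    SHA-256 digest, so unchanged content is not collected (or exfiltrated) twice.
    `sleep` is injectable so the logic can be exercised without waiting (assumption)."""
    seen = []
    last_digest = None
    for _ in range(ticks):
        text = reader()
        if text is not None:
            digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
            if digest != last_digest:
                seen.append(text)
                last_digest = digest
                if on_new:
                    on_new(text)
        sleep(interval)
    return seen


if __name__ == "__main__":
    # Ten reads, 30 s apart, printing each new clipboard value as it appears.
    poll_clipboard(pick_reader(), ticks=10, interval=30.0, on_new=lambda t: print(repr(t)))
```

Note that nothing in this loop requires administrative rights or an injected hook: it is the same call sequence a legitimate editor uses for paste, which is why the mitigation and detection sections below treat the behavior as indistinguishable from benign use on its own.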
Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using application whitelisting [8] tools, like AppLocker [9][10], or Software Restriction Policies [11] where appropriate [12].
Access to the clipboard is a legitimate function of many applications on a Windows system, so a clipboard read on its own is not a useful alert. If an organization chooses to monitor for this behavior, the data will likely need to be correlated against other suspicious or non-user-driven activity, for example reads at a fixed interval (as in the 30-second CosmicDuke polling above) by a process the user is not interacting with.
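An added example of the correlation the detection note calls for; it is not from the page or from any vendor tool. It assumes a hypothetical API-monitoring feed that emits one line per clipboard read and one line per foreground-window change (Windows has no built-in audit event for clipboard reads, so such telemetry would come from an EDR or API hook). The log format, field names, thresholds and every sample line below are constructed for the example.

```python
"""Added example: flag periodic, non-user-driven clipboard readers (constructed log format)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample telemetry. `upd.exe` reads the clipboard every 30 s and never
# takes the foreground; `notepad.exe` reads only right after the user switches to it.
SAMPLE_LOG = """\
2018-03-15T10:00:00Z Foreground pid=1200 image=C:\\Windows\\explorer.exe
2018-03-15T10:00:05Z ClipboardRead pid=4412 image=C:\\Users\\bob\\AppData\\Roaming\\upd.exe
2018-03-15T10:00:35Z ClipboardRead pid=4412 image=C:\\Users\\bob\\AppData\\Roaming\\upd.exe
2018-03-15T10:01:05Z ClipboardRead pid=4412 image=C:\\Users\\bob\\AppData\\Roaming\\upd.exe
2018-03-15T10:01:10Z Foreground pid=2100 image=C:\\Windows\\notepad.exe
2018-03-15T10:01:12Z ClipboardRead pid=2100 image=C:\\Windows\\notepad.exe
2018-03-15T10:01:35Z ClipboardRead pid=4412 image=C:\\Users\\bob\\AppData\\Roaming\\upd.exe
2018-03-15T10:01:40Z ClipboardRead pid=2100 image=C:\\Windows\\notepad.exe
2018-03-15T10:02:05Z ClipboardRead pid=4412 image=C:\\Users\\bob\\AppData\\Roaming\\upd.exe
"""


def parse(log):
    """Parse `<ts> <kind> pid=<n> image=<path>` lines into (ts, kind, pid, image) tuples.
    The image is the last field, so a path containing spaces survives the split."""
    events = []
    for line in log.splitlines():
        ts, kind, pid_kv, image_kv = line.split(None, 3)
        fields = dict(item.split("=", 1) for item in (pid_kv, image_kv))
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       kind, int(fields["pid"]), fields["image"]))
    return events


def find_periodic_readers(events, min_reads=4, max_jitter=0.2, focus_grace=5.0):
    """Return processes whose clipboard reads are (a) numerous, (b) evenly spaced
    (relative jitter below `max_jitter`) and (c) never within `focus_grace` seconds
    after that process took the foreground, i.e. not plausibly a user paste."""
    reads = defaultdict(list)
    focus = defaultdict(list)
    for ts, kind, pid, image in events:
        if kind == "ClipboardRead":
            reads[(pid, image)].append(ts)
        elif kind == "Foreground":
            focus[pid].append(ts)

    hits = []
    for (pid, image), times in reads.items():
        if len(times) < max(min_reads, 2):
            continue  # too few reads to judge cadence
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0 or pstdev(gaps) / period > max_jitter:
            continue  # irregular spacing: looks like interactive pasting
        user_driven = any(0 <= (r - f).total_seconds() <= focus_grace
                          for r in times for f in focus[pid])
        if not user_driven:
            hits.append({"pid": pid, "image": image,
                         "reads": len(times), "period_s": round(period, 1)})
    return hits


if __name__ == "__main__":
    for hit in find_periodic_readers(parse(SAMPLE_LOG)):
        print(hit)
```

The foreground check is what keeps the rule from firing on editors and terminals: their reads cluster just after the user switches to them, whereas a collector reads on a timer regardless of what the user is doing. Lowering `min_reads` to 2 still leaves `notepad.exe` unflagged because its read follows a foreground change, which is the correlation the text describes.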
- [1] Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.
- [2] rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017.
- [3] F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
- [4] Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- [5] Unit 42. (2018, February 28). Unit 42 Playbook Viewer - Sofacy. Retrieved March 15, 2018.
- [6] Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- [7] Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
- [8] Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
- [9] Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- [10] NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
- [11] Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
- [12] Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.