MITRE ATT&CK: Clipboard data
Introduction
Copying data to a Windows or macOS system clipboard is a well-known time saver that many take advantage of, myself included. The problem with this little time-saving shortcut is that, because of how the clipboard function works internally, attackers can collect data from the clipboard. This aids attackers in their efforts and leaves the end user with a far bigger problem than the one they were avoiding: typing information by hand.
This article will detail the problem with clipboard data generally, explore the different categories of clipboard data attacks and examine some real-world examples of these attacks in the context of the different attack types. If this is the first you have heard of this type of attack, prepare for a solid primer that will get you up to speed.
MITRE ATT&CK
MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.
To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based on real-world observations. This information can then be used as the foundation for developing threat models and methodologies for the cybersecurity product/service community, the private sector and government.
For more information, see the MITRE ATT&CK matrix.
What is a clipboard data attack?
Saving information to a desktop or Android clipboard is a common time-saving function, though the amount of time saved is rather small. Attackers have different ways of reaching this information, depending on the system it resides on. On Windows systems, the Windows API is used; on macOS, attackers use the pbpaste command.
Clipboard data attacks are a type of system feature abuse, which makes it particularly difficult to prevent and mitigate.
Types
It may appear that clipboard data attacks are all the same, but there are some notable differences. These differences mostly stem from the fact that clipboard data attacks originate in a wide array of diverse malware that all have different functionalities. These types of clipboard data attacks are:
- Stealing/collecting clipboard data
- Converting files in the clipboard
- Exploiting the OpenClipboard() and GetClipboardData() Windows API functions
- Copying and exfiltrating clipboard data at a prescribed interval (such as once every 30 seconds)
- Harvesting clipboard data
Real-world examples
Organizations have fallen victim to clipboard data attacks for some time now. Below is a list of real-world examples that illustrate the different types enumerated above.
DarkComet
Developed in 2008, this RAT (remote administration tool) has multiple control features, one of which is the ability to steal data stored in clipboards. This makes it an example of the first type of clipboard data attack above.
Being a RAT, DarkComet is designed as a legitimate administrator tool but can easily be used for malicious purposes. DarkComet is currently on its fourth official version with 70,000 downloads, making this one of the more widely-used RAT solutions. There are no official numbers on how many downloads have been used maliciously.
JHUHUGIT
JHUHUGIT is malware that represents the file-converting type of clipboard data theft mentioned above. It was created by the hacking group APT28, and a JHUHUGIT variant has been used against a wide range of high-profile victims, including NATO.
It has the ability to access screenshots in the clipboard and then convert them to JPEG files. This is a departure from the usual stealing/collecting of clipboard data and presents a foray into modification and manipulation of clipboard data. With the creativity of attackers surprising people as much as it does, I am sure we will see this type of attack involving other file types in the not-too-distant future.
Astaroth
This fileless malware is an information stealer and an example of a clipboard data attack that uses the Windows API functions OpenClipboard() and GetClipboardData() to steal information. It calls these functions to read whatever is currently on the clipboard and, by doing so repeatedly, monitors the clipboard of the compromised Windows system.
Astaroth affects mainly Brazil- and Europe-based organizations and has been around since 2017. Microsoft announced in July of 2019 that it has defeated this fileless menace with Microsoft Defender ATP.
CosmicDuke
Developed by APT29, CosmicDuke is a backdoor that uses BotGenStudio, a customizable framework with an extensive functionality set. It steals clipboard data with a clipboard grabber that will copy and exfiltrate clipboard data once every 30 seconds. This menace was first seen in 2010, eventually felling 34 unique victims in the United States. APT29 has apparently stopped using CosmicDuke as of 2015.
Empire
Empire is an example of the harvesting method of collecting clipboard data. It does this by monitoring the clipboard of a compromised system for changes to copied text. When changes occur, it takes a screenshot of the clipboard information and essentially harvests as frequently as the attacker wants it to.
Empire has earned honorable mention on this list because it maliciously affects both Windows and macOS systems.
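Two of the behaviours described above are observable in endpoint telemetry: the fixed 30-second clipboard-grab cadence of CosmicDuke and the use of the pbpaste command on macOS. The following is an added detection example, not code from the article or from any of the tools it describes; the event tuples, process names and the set of "expected" terminal parents are constructed assumptions standing in for whatever an EDR or Sysmon-style feed actually emits.

```python
"""Flag clipboard-access patterns from constructed endpoint telemetry:
(1) a process calling GetClipboardData at a near-constant interval, and
(2) pbpaste launched on macOS by something other than an interactive terminal."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (timestamp_seconds, os, process, event_kind, detail).
# "updater_fake.exe" mimics a CosmicDuke-style grabber polling every 30 seconds;
# "notepad.exe" reads the clipboard at irregular, user-driven moments.
EVENTS = [
    (0,   "windows", "updater_fake.exe", "api", "GetClipboardData"),
    (30,  "windows", "updater_fake.exe", "api", "GetClipboardData"),
    (60,  "windows", "updater_fake.exe", "api", "GetClipboardData"),
    (90,  "windows", "updater_fake.exe", "api", "GetClipboardData"),
    (120, "windows", "updater_fake.exe", "api", "GetClipboardData"),
    (5,   "windows", "notepad.exe", "api", "GetClipboardData"),
    (47,  "windows", "notepad.exe", "api", "GetClipboardData"),
    (200, "windows", "notepad.exe", "api", "GetClipboardData"),
    (10,  "macos", "pbpaste", "process", "parent=Terminal"),
    (12,  "macos", "pbpaste", "process", "parent=osascript"),
]

def periodic_clipboard_readers(events, min_calls=4, max_jitter=0.1):
    """Return {process: mean_interval_seconds} for processes whose
    GetClipboardData calls recur with low jitter (stdev/mean of the gaps)."""
    times = defaultdict(list)
    for ts, _os, proc, kind, detail in events:
        if kind == "api" and detail == "GetClipboardData":
            times[proc].append(ts)
    hits = {}
    for proc, ts_list in times.items():
        ts_list.sort()
        if len(ts_list) < min_calls:        # too few samples to judge cadence
            continue
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_jitter:
            hits[proc] = round(m, 1)
    return hits

def pbpaste_from_unexpected_parent(events, expected=frozenset({"Terminal", "iTerm2"})):
    """Return (timestamp, parent) for pbpaste launches whose parent is not an
    interactive terminal (the set of expected parents is an assumption)."""
    findings = []
    for ts, os_name, proc, kind, detail in events:
        if os_name == "macos" and kind == "process" and proc == "pbpaste":
            parent = detail.split("=", 1)[1]
            if parent not in expected:
                findings.append((ts, parent))
    return findings
```

On the constructed events, the cadence check reports only the fake updater with a 30-second interval, and the pbpaste check reports only the launch whose parent was osascript.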
Conclusion
Clipboard data attacks are a form of information collection that is, most of the time, bundled into a piece of malware. They take advantage of the loose security of the clipboard, which stems from the fact that multiple applications may need to use it.
Different malware uses clipboard data attacks, which means there is a diverse range of methods to steal or collect information residing in the compromised system’s clipboard. While some of the threats above have been shut down, clipboard data attacks are a persisting threat that uses the weaknesses of systems against those systems.
Sources
- Clipboard Data, MITRE
- Malware Analysis - Dark Comet RAT, Context Information Security UK
- Russia-Linked APT28 group observed using DDE attack to deliver malware, Security Affairs
- Microsoft sounds the alarms over hard-to-detect Astaroth malware, The Inquirer
- Empire, GitHub