Researchers from Cyble have discovered a new Clipper malware called Keona Clipper.

The Clipper malware is able to redirect payments in cryptocurrencies to wallets controlled by attackers. To do this, Keona Clipper constantly monitors the contents of a user’s clipboard and searches for cryptocurrency wallets.

Clipper malware is usually distributed in the form of trojanized applications that can be downloaded from the internet. The aim of the malware is to steal money or financial details by exploiting the Windows clipboard.

Keona Clipper was developed in the .NET programming language and protected by Confuser 1.x. Researchers identified more than 90 different Keona samples since May 2022, showing wide deployment.

Once executed, the malware notifies an attacker-controlled Telegram bot via the Telegram API. In situations where the computer is restarted, the malware also ensures that it is always running. This is achieved by creating autostart entries in the Windows registry.

To ensure persistence, the malware copies itself to several locations, including the Administrative Tools folder and the Startup folder.

After deployment, Keona Clipper silently monitors each clipboard and uses regular expressions to search for crypto wallets. As soon as a wallet is found, it is immediately replaced in the clipboard by a wallet address provided by the attacker.