Clipboard Data (T1115)

Information

• Name: Clipboard Data

• ID: T1115

• Tactics:

Introduction

Clipboard Data is identified in the MITRE ATT&CK framework as technique T1115 under the "Collection" tactic. Attackers leverage this technique to gather sensitive information by capturing data copied to the clipboard, such as credentials, sensitive documents, or personally identifiable information (PII). Due to the common usage of clipboard functionality by end-users, attackers frequently target clipboards to silently extract sensitive data without raising suspicion.

Deep Dive Into Technique

Clipboard Data collection typically involves malicious software or scripts designed to monitor and capture data being copied to the clipboard. Attackers commonly utilize various execution methods and mechanisms, including:

• Malware Integration: Malicious payloads embedded in trojans, spyware, or RATs (Remote Access Trojans) that continuously monitor clipboard activity.

• Keyloggers with Clipboard Monitoring: Advanced keylogging software that extends functionality to capture clipboard contents.

• Memory Scraping: Malware capable of reading clipboard data directly from memory, circumventing many traditional detection methods.

• Scripts and Utilities:

  • PowerShell scripts designed to periodically dump clipboard data.

  • Python or other scripting languages with clipboard libraries (e.g., pyperclip) to silently monitor and exfiltrate clipboard contents.

• Remote Access Tools: RATs such as DarkComet, Remcos, and Quasar, which include built-in clipboard monitoring and exfiltration functionality.

Real-world procedures typically involve attackers deploying malware via phishing emails, malicious attachments, or compromised websites. Once executed, malware silently monitors clipboard activities, capturing sensitive data such as passwords, credit card numbers, cryptocurrency wallet addresses, or confidential documents, and then exfiltrates this information to attacker-controlled servers.

When this Technique is Usually Used

Attackers commonly employ Clipboard Data collection across multiple stages and scenarios, including:

• Credential Harvesting: Capturing usernames and passwords copied by users from password managers or documents.

• Financial Fraud: Intercepting cryptocurrency wallet addresses and payment information to redirect financial transactions.

• Espionage Campaigns: Collecting sensitive information from targeted organizations, such as intellectual property, proprietary documents, or strategic communications.

• Initial Access and Reconnaissance: Early-stage information gathering to enhance subsequent attack stages, such as privilege escalation or lateral movement.

• Data Exfiltration: Extracting sensitive data after compromising a system or network to facilitate further exploitation or monetization.

How this Technique is Usually Detected

Detection of Clipboard Data collection involves multiple approaches, tools, and indicators:

• Endpoint Detection and Response (EDR) Tools: Solutions such as CrowdStrike Falcon, Microsoft Defender ATP, and Carbon Black monitor suspicious clipboard access and alert on anomalous behavior.

• Behavioral Analysis: Identifying unusual processes or scripts accessing clipboard APIs frequently or at irregular intervals.

• Process Monitoring and Auditing:

  • Monitoring operating system APIs (e.g., Windows API calls like GetClipboardData()).

  • Tracking processes that consistently access clipboard data without user interaction.

• Network Monitoring and Analysis: Detecting data exfiltration attempts through network traffic analysis, identifying unusual outbound connections or data transfers.

• Indicators of Compromise (IoCs):

  • Unrecognized processes regularly accessing clipboard-related APIs.

  • Suspicious scripts (e.g., PowerShell, Python) running persistently in the background.

  • Unusual outbound network connections to unknown IP addresses or domains associated with clipboard data exfiltration.

  • Anomalous log entries indicating frequent clipboard access or data copying events.

Why it is Important to Detect This Technique

Early detection of Clipboard Data collection is critical due to the potential impacts and risks it poses to organizations and individuals, including:

• Credential Theft: Attackers can gain unauthorized access to sensitive accounts, systems, or services by capturing passwords and authentication tokens.

• Financial Loss: Capturing financial information or cryptocurrency wallet addresses can lead to significant monetary losses and fraudulent transactions.

• Data Privacy Violations: Sensitive information, proprietary data, or personal identifiable information (PII) can be exposed, resulting in compliance violations, regulatory penalties, and reputational damage.

• Intellectual Property Theft: Attackers can exfiltrate proprietary or confidential business information, causing competitive disadvantages and strategic losses.

• Facilitation of Further Attacks: Captured clipboard data can enable attackers to escalate privileges, move laterally within networks, or conduct targeted phishing campaigns.

Detecting this technique early can significantly reduce the potential damage and limit attackers' ability to leverage stolen data for further exploitation.

Examples

Real-world examples of Clipboard Data collection include:

• CryptoShuffler Malware (2017):

  • Attack Scenario: Malware silently monitored clipboard data for cryptocurrency wallet addresses.

  • Tools Used: CryptoShuffler malware variant.

  • Impact: Attackers intercepted and replaced victims' cryptocurrency wallet addresses with attacker-controlled addresses, resulting in theft of Bitcoin and other cryptocurrencies totaling hundreds of thousands of dollars.

• Agent Tesla RAT (Remote Access Trojan):

  • Attack Scenario: Widely distributed via phishing emails containing malicious attachments.

  • Tools Used: Agent Tesla RAT, equipped with clipboard monitoring capabilities.

  • Impact: Attackers captured credentials, financial data, and sensitive corporate information, enabling further attacks and financial fraud.

• DarkComet RAT:

  • Attack Scenario: Targeted espionage campaigns against organizations and individuals.

  • Tools Used: DarkComet RAT with built-in clipboard monitoring and exfiltration.

  • Impact: Attackers successfully captured sensitive documents, credentials, and PII, leading to data breaches and significant reputational damage.

• Clipboard Hijacker Malware (Cryptocurrency Theft):

  • Attack Scenario: Malware specifically designed to intercept and replace cryptocurrency wallet addresses copied to clipboard.

  • Tools Used: Custom clipboard hijacking malware variants.

  • Impact: Victims unknowingly transferred cryptocurrency to attacker-controlled wallets, resulting in substantial financial losses.

These examples highlight the importance of understanding, detecting, and mitigating clipboard data collection attacks to protect sensitive information and prevent significant damage to organizations and individuals.