The Proxifier Trap: Analyzing the ClipBanker Marathon Infection Chain

Executive Summary
Threat actors are increasingly leveraging trusted developer tools and open-source platforms to bypass traditional security perimeters. Recently, SecLookup tracked a sophisticated campaign distributing the ClipBanker malware through trojanized versions of "Proxifier," a popular network utility. This campaign is notable for its "marathon" infection chain, utilizing multi-stage execution, process injection, and "exotic" defense evasion techniques. By abusing GitHub Releases and employing specialized PowerShell execution methods, the attackers successfully circumvented Microsoft Defender to deploy a clipboard-swapping module designed to steal cryptocurrency. SecLookup’s threat intelligence platform has been actively detecting and blocking the malicious infrastructure associated with this campaign, including the primary command-and-control (C2) domain maper.info.
Threat Analysis: The Infection Lifecycle
The ClipBanker campaign begins with a classic social engineering tactic: SEO poisoning and the exploitation of developer trust.
Stage 1: Initial Access and Delivery
The infection typically starts with a user searching for "Proxifier" via a web search engine. The attackers successfully positioned a malicious GitHub repository near the top of the search results. While the repository itself contains a rudimentary, legitimate-looking proxy service, the Releases section contains the payload: a ZIP archive containing a malicious executable and a text file with "activation keys."
The executable is a malicious wrapper. When launched, it installs the legitimate Proxifier software to maintain the illusion of functionality while simultaneously initiating a silent, multi-stage infection in the background.
Stage 2: Exotic Defense Evasion
The malware's first objective after launch is to disable security protections. To avoid detection by Microsoft Defender, the Trojan uses a three-step process:
- The donor process: the Trojan drops a 1.5 KB stub named Proxifier<???>.tmp into the temporary directory. The file is functionally benign and exists only to serve as a "donor" process.
- Process injection: a .NET component named api_updater.exe is injected into the running donor stub.
- In-memory PowerShell execution: to set Defender exclusions without spawning powershell.exe (and so without a process-creation event carrying the command line), the malware runs PowerShell inside its own process through the .NET PSObject class rather than through a console host.
The script executed this way adds exclusions for the .tmp extension and for the current working directory, creating a blind spot in which the next stages can operate. The trick is quieter than it is invisible: Defender records every exclusion change as event 5007 in the Microsoft-Windows-Windows Defender/Operational log, and PowerShell script block logging (event 4104), when enabled, is written by the engine rather than by powershell.exe, so the Add-MpPreference call still appears, attributed to a host process that is not a PowerShell console.
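The following script is an added example, not code from the original report or from SecLookup; it audits an endpoint for the residue described above. It assumes a Windows host with the built-in Defender PowerShell module and an elevated prompt for the event-log queries. The list of extensions that should never be excluded and the set of user-writable roots are the author's assumptions, chosen to surface this campaign's exclusions rather than to serve as a complete policy.

```powershell
# Added example (not from the original report): audit Microsoft Defender for the
# residue this chain leaves behind, namely a .tmp extension exclusion, a path
# exclusion in a user-writable directory, and the Defender/PowerShell events that
# record how they got there. Requires the built-in Defender module; the event-log
# queries need an elevated prompt. Runs in Windows PowerShell 5.1 or PowerShell 7.

$prefs = Get-MpPreference

# Assumed watch-lists: extensions that should never be excluded on a managed
# endpoint, and roots under which an exclusion means "scratch space for malware".
$suspiciousExtensions = @('tmp', 'exe', 'dll', 'ps1', 'bat', 'cmd', 'vbs', 'js')
$userWritableRoots    = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, "$env:SystemDrive\Users") |
    Where-Object { $_ }

$findings = [System.Collections.Generic.List[object]]::new()

foreach ($ext in @($prefs.ExclusionExtension)) {
    # Defender may store the extension with or without the leading dot.
    if ($ext -and ($suspiciousExtensions -contains $ext.TrimStart('.').ToLower())) {
        $findings.Add([pscustomobject]@{ Type = 'Extension'; Value = $ext; Reason = 'Scratch-file or executable extension excluded from scanning' })
    }
}
foreach ($path in @($prefs.ExclusionPath)) {
    foreach ($root in $userWritableRoots) {
        if ($path -and $path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings.Add([pscustomobject]@{ Type = 'Path'; Value = $path; Reason = "Exclusion under user-writable location $root" })
        }
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No suspicious Defender exclusions found.' }

# Defender writes event 5007 ("configuration has changed") for every exclusion
# added or removed; the message carries the registry value that changed.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\Exclusions\\' } |
    Select-Object TimeCreated, @{ n = 'Change'; e = {
        (($_.Message -split "\r?\n") | Where-Object { $_ -match 'value:' }) -join ' | ' } } |
    Format-Table -AutoSize -Wrap

# Script block logging (event 4104) is emitted by the PowerShell engine, not by
# powershell.exe, so a script run through an in-process host is still recorded
# when the policy is enabled. ProcessId lets you check which host ran it.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Add-MpPreference' } |
    Select-Object TimeCreated, ProcessId, @{ n = 'Script'; e = { ($_.Message -split "\r?\n")[1] } } |
    Format-Table -AutoSize -Wrap
```

A 4104 event whose ProcessId does not belong to powershell.exe, pwsh.exe or a known management agent is the in-process execution this chain relies on; a 5007 event adding an extension exclusion from the same process and time window is the confirmation.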
Stage 3: The ClipBanker Payload
Once the environment is prepared and defenses are impaired, the trojanized installer extracts and launches the final payload. ClipBanker is a specialized Trojan that monitors the system clipboard for patterns matching cryptocurrency wallet addresses (Bitcoin, Ethereum, etc.). When a match is found, the malware replaces the user's intended destination address with one controlled by the attacker. This results in the user inadvertently sending funds to the threat actor during a transaction.
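The swap described above has a tell from the user's side: the clipboard changes from one wallet address to a different address of the same family without the user copying anything. The monitor below is an added example, not code from the original report or from SecLookup. It assumes Windows PowerShell 5.1 or later for Get-Clipboard and Set-Clipboard; the address patterns and the 1.5-second window are the author's assumptions, loose enough to track common Bitcoin, Ethereum and Tron address formats and tight enough that two different addresses of one family inside the window is far more likely to be a clipper than a person.

```powershell
# Added example (not from the original report): watch the clipboard for the
# behaviour a clipper produces. The user copies one wallet address, and the
# malware immediately overwrites it with a different address of the same family.
# Two distinct addresses of one family appearing back to back within a short
# window is the signal; the original value is restored and the swap logged.
# Needs Windows PowerShell 5.1+ (Get-Clipboard -Raw / Set-Clipboard).

# Assumed address families. Patterns are deliberately loose: a false match only
# means a string is tracked, not that an alert fires.
$addressPatterns = [ordered]@{
    'BTC-legacy' = '^[13][a-km-zA-HJ-NP-Z1-9]{24,33}$'   # Base58, P2PKH/P2SH
    'BTC-bech32' = '^bc1[ac-hj-np-z02-9]{25,87}$'         # bech32/bech32m, P2WPKH/P2TR
    'ETH'        = '^0x[0-9a-fA-F]{40}$'
    'TRX'        = '^T[1-9A-HJ-NP-Za-km-z]{33}$'
}

function Get-AddressFamily([string]$Text) {
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    $t = $Text.Trim()
    foreach ($family in $addressPatterns.Keys) {
        if ($t -match $addressPatterns[$family]) { return $family }
    }
    return $null
}

$windowMs = 1500   # a person does not copy two different wallets this quickly
$pollMs   = 100
$last     = @{ Text = $null; Family = $null; Seen = Get-Date }

Write-Host 'Watching the clipboard for wallet-address substitution (Ctrl+C to stop)'
while ($true) {
    Start-Sleep -Milliseconds $pollMs
    $current = Get-Clipboard -Raw -ErrorAction SilentlyContinue
    if (-not $current -or $current -eq $last.Text) { continue }

    $now     = Get-Date
    $family  = Get-AddressFamily $current
    $elapsed = ($now - $last.Seen).TotalMilliseconds

    if ($family -and $family -eq $last.Family -and $current.Trim() -ne $last.Text.Trim() -and $elapsed -le $windowMs) {
        Write-Warning ('{0} address replaced after {1:N0} ms: {2} -> {3}' -f $family, $elapsed, $last.Text.Trim(), $current.Trim())
        # Put the user's address back; keep the window open so a second swap is caught too.
        Set-Clipboard -Value $last.Text
        $last.Seen = $now
        continue
    }

    $last = @{ Text = $current; Family = $family; Seen = $now }
}
```

If the clipper re-swaps after each restore, the warning repeats every poll, which is itself a clear signal; the one expected false positive is a user who deliberately copies two different addresses of the same family within 1.5 seconds, and the warning shows both values so that case is easy to recognise.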
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Details |
|---|---|---|---|
| Initial Access | Supply Chain Compromise: Compromise Software Supply Chain | T1195.002 | Trojanized "Proxifier" installers served from GitHub Releases. |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | PowerShell hosted in-process via PSObject rather than powershell.exe. |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | Adding Microsoft Defender exclusions for .tmp files and the working directory. |
| Defense Evasion | Process Injection | T1055 | Injecting api_updater.exe into the donor .tmp stub. |
| Collection | Clipboard Data | T1115 | Monitoring the clipboard for wallet-address patterns. |
| Impact | Data Manipulation: Transmitted Data Manipulation | T1565.002 | Replacing the copied wallet address so funds go to the attacker. |
SecLookup Detection and Protection
SecLookup’s threat intelligence engine has been actively monitoring the infrastructure supporting this ClipBanker campaign. Our platform identified the domain maper.info as a critical component of the distribution and command chain.
SecLookup users were protected via:
- Real-time domain blocking: the domain maper.info was flagged as malicious and blocked across protected endpoints.
- Hash identification: the file hashes for api_updater.exe and the trojanized Proxifier wrappers were added to our global blacklist.
- Behavioral heuristics: our platform detects the specific sequence of adding Defender exclusions via unconventional PowerShell callers.
Indicators of Compromise (IOCs)
The following indicators have been identified and confirmed as part of this campaign.
Malicious Domains
maper.info
File Hashes
SHA-1
d85cef60cdb9e8d0f3cb3546de6ab657f9498ac7
MD5
8354223cd6198b05904337b5dff7772b
7528bf597fd7764fcb7ec06512e073e0
107484d66423cb601f418344cd648f12
34a0f70ab100c47caaba7a5c85448e3d
SHA-256
97c16182d2e91a9370d5590b670f6b8dc755680552e40218a2b28ec7ad105071
Note that 107484d66423cb601f418344cd648f12 and d85cef60cdb9e8d0f3cb3546de6ab657f9498ac7 also appear in the gist URL below as the gist identifier and revision; confirm them against your own samples before blocking on them as file hashes.
Network URLs
https://pinhole.rootcode.ru/rogers7/dev-api/raw/master/cpzn
https://chiaselinks.com/raw/nkkywvmhux
https://maper.info/2X5tF5
https://gist.github.com/msfcon5ol3/107484d66423cb601f418344cd648f12/raw/d85cef60cdb9e8d0f3cb3546de6ab657f9498ac7/upxz
https://git.parat.swiss/rogers7/dev-api/raw/master/cpzn
https://snippet.host/aaxniv/raw
https://github.com/lukecodix/Proxifier/releases/download/4.12/Proxifier.zip
https://pastebin.com/raw/FmpsDAtQ
https://paste.kealper.com/raw/k3K5aPJQ
https://rlim.com/55Dfq32kaR/raw
Detection Rules
YARA Rules
The following YARA rules can be used to hunt for artifacts associated with this ClipBanker campaign in your environment. Both rules restrict themselves to PE files (the 0x5A4D "MZ" check). The first keys on strings that also occur in legitimate Defender management tooling, and the trojanized wrapper bundles the genuine Proxifier installer, so treat a hit as a hunting lead and confirm with a hash or the file's signature before acting on it.

```yara
rule Trojan_ClipBanker_Defender_Exclusion {
    meta:
        description = "Detects malicious .NET behavior adding Defender exclusions for .tmp extensions using PSObject"
        author = "SecLookup Threat Intel"
        threat_name = "ClipBanker"
    strings:
        $s1 = "Add-MpPreference" wide ascii
        $s2 = "-ExclusionExtension" wide ascii
        $s3 = ".tmp" wide ascii
        $s4 = "-ExclusionPath" wide ascii
        $p1 = "System.Management.Automation.PSObject" wide ascii
        $f1 = "api_updater.exe" wide ascii
    condition:
        uint16(0) == 0x5A4D and (all of ($s*) or (3 of ($s*) and ($p1 or $f1)))
}

rule Trojan_ClipBanker_Infection_Artifacts {
    meta:
        description = "Detects specific file names and indicators associated with the ClipBanker infection chain"
        author = "SecLookup Threat Intel"
        reference = "maper.info"
    strings:
        $url = "maper.info" wide ascii
        $f1 = "api_updater.exe" wide ascii
        $f2 = "proxifier.exe" wide ascii nocase
        $f3 = "Proxifier" wide ascii
        $tmp = /Proxifier.{1,10}\.tmp/ wide ascii
    condition:
        // $f3 alone would match the genuine installer, so it only counts alongside the injected component
        uint16(0) == 0x5A4D and ($url or ($f1 and ($f2 or $f3)) or $tmp)
}
```
Recommendations
To mitigate the risk of ClipBanker and similar trojanized software campaigns, SecLookup recommends the following actions:
- Software vetting: download software only from the vendor's official, verified website rather than from third-party GitHub repositories or unofficial mirrors. An installer bundled with "activation keys" is a red flag on its own.
- Monitor Defender exclusions: audit Microsoft Defender exclusion lists regularly. Unexpected additions to -ExclusionExtension or -ExclusionPath are high-fidelity indicators of compromise.
- Endpoint Detection and Response (EDR): deploy EDR capable of detecting in-memory PowerShell execution (e.g., via PSObject or reflection) and process injection into unusual stubs in the %TEMP% directory.
- Clipboard monitoring: for high-value workstations (e.g., those used for crypto transactions), consider security tools that alert on unauthorized clipboard modifications.
- Block malicious infrastructure: ensure your DNS and firewall solutions are updated with the IOCs above, specifically blocking maper.info and the "raw paste" service URLs used for staging and C2.
References
- The long road to your crypto: ClipBanker and its marathon infection chain by Oleg Kupreev, Securelist (Kaspersky GReAT)