Clipboard Data

Clipboard data theft is a technique in which an attacker obtains sensitive information by monitoring the contents of the system clipboard. Attackers use the clipboard access interfaces the operating system provides (such as clip.exe on Windows or pbpaste on macOS) to steal credentials, encryption keys and other high-value data while the user is copying and pasting. Traditional defenses rely mainly on monitoring anomalous clipboard access behaviour (such as reads not triggered by the user) or on detecting suspicious API call patterns in processes.

To evade traditional detection, attackers have developed a range of clipboard-theft concealment techniques. Using memory residency, content filtering, process masquerading and encrypted tunnels, they blend malicious activity deeply into normal system operation and network traffic, forming a new "low-exposure, high-precision" model of data theft.

The core of current clipboard-theft concealment techniques is to build multi-dimensional proof of behavioural legitimacy while keeping data movement covert. Attackers avoid disk-based detection through fileless in-memory operation, reduce the frequency of data exfiltration through intelligent content filtering, break behavioural correlation analysis through process-context masquerading, and hide transmission traces through encrypted tunnelling. The four classes of technique share three characteristics: 1) deep use of legitimate system mechanisms to mask malicious intent, for example abusing trusted components by loading through a trusted process or wrapping data in protocol-compliant encapsulation; 2) an intelligent decision layer that improves attack efficiency, for example semantics-based targeted theft that lowers the risk of exposure; 3) layered encryption to resist traffic auditing, for example splitting data into fragments embedded in several protocol flows for covert transmission. These techniques defeat traditional defences built on a single dimension (such as API call monitoring) and require defenders to combine in-memory behaviour analysis, process behaviour modelling and encrypted-traffic analysis into one protective capability.

The evolution of concealment techniques renders static rule-matching detection ineffective. Defenders need user-behaviour baselining, memory forensics and encrypted-traffic metadata analysis, correlated with the multi-dimensional context of each clipboard access, to build a dynamic threat-awareness capability. Process privilege controls should also be strengthened to restrict clipboard access by applications that do not need it.

ID: T1115
Sub-techniques: T1115.001, T1115.002, T1115.003, T1115.004
Tactic: Collection
Platforms: Linux, Windows, macOS
Version: 1.2
Created: 31 May 2017
Last Modified: 14 April 2023

Concealment Effects

Effect type Present
Signature masquerading
Behavioural transparency
Data obscuring
Spatio-temporal trace erasure

Signature masquerading

Attackers forge the clipboard-access patterns of legitimate processes so that the malicious behaviour closely resembles normal application activity in its API call sequences and memory-operation characteristics. For example, hijacking the clipboard-handling flow of trusted software and reusing its digital signature and resource-access credentials "legitimises" the malicious code.

Behavioural transparency

Memory residency and fileless techniques avoid leaving detectable traces on disk or in the registry. By hooking kernel-level clipboard management interfaces and operating directly on memory data buffers, the malware evades traditional defences based on file monitoring or process behaviour analysis.

Data obscuring

Stolen data is encrypted in multiple layers using forward-secure encryption algorithms and protocol tunnelling, hiding the original content inside legitimate HTTPS, DNS and similar protocol traffic. Dynamic key negotiation ensures that the encryption characteristics of each transmission are unique, effectively resisting traffic decryption and feature extraction.

Procedure Examples

ID Name Description
S0331 Agent Tesla

Agent Tesla can steal data from the victim’s clipboard.[1][2][3][4]

G0082 APT38

APT38 used a Trojan called KEYLIME to collect data from the clipboard.[5]

G0087 APT39

APT39 has used tools capable of stealing contents of the clipboard.[6]

S0373 Astaroth

Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() API functions.[7]

S0438 Attor

Attor has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs.[8]

S0454 Cadelspy

Cadelspy has the ability to steal data from the clipboard.[9]

S0261 Catchamas

Catchamas steals data stored in the clipboard.[10]

S1149 CHIMNEYSWEEP

CHIMNEYSWEEP can capture content from the clipboard.[11]

S0660 Clambling

Clambling has the ability to capture and store clipboard data.[12][13]

S0050 CosmicDuke

CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.[14]

S0334 DarkComet

DarkComet can steal data from the clipboard.[15]

S1111 DarkGate

DarkGate starts a thread on execution that captures clipboard data and logs it to a predefined log file.[16]

S1066 DarkTortilla

DarkTortilla can download a clipboard information stealer module.[17]

S0363 Empire

Empire can harvest clipboard data on both Windows and macOS systems.[18]

S0569 Explosive

Explosive has a function to use the OpenClipboard wrapper.[19]

S0381 FlawedAmmyy

FlawedAmmyy can collect clipboard data.[20]

S0531 Grandoreiro

Grandoreiro can capture clipboard data from a compromised host.[21]

S0170 Helminth

The executable version of Helminth has a module to log clipboard contents.[22]

S0044 JHUHUGIT

A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.[23]

S0283 jRAT

jRAT can capture clipboard data.[24]

S0250 Koadic

Koadic can retrieve the current content of the user clipboard.[25]

S0356 KONNI

KONNI had a feature to steal data from the clipboard.[26]

S0409 Machete

Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events.[27][28]

S0282 MacSpy

MacSpy can steal clipboard contents.[29]

S0652 MarkiRAT

MarkiRAT can capture clipboard content.[30]

S0530 Melcoz

Melcoz can monitor content saved to the clipboard.[31]

S0455 Metamorfo

Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's.[32][33]

S1146 MgBot

MgBot can capture clipboard data.[34][35]

S1122 Mispadu

Mispadu has the ability to capture and replace Bitcoin wallet data in the clipboard on a compromised host.[36]

C0014 Operation Wocao

During Operation Wocao, threat actors collected clipboard data in plaintext.[37]

S0332 Remcos

Remcos steals and modifies data from the clipboard.[38]

S0375 Remexi

Remexi collects text from the clipboard.[39]

S0240 ROKRAT

ROKRAT can extract clipboard data from a compromised host.[40]

S0148 RTM

RTM collects data from the clipboard.[41][42]

S0253 RunningRAT

RunningRAT contains code to open and copy data from the clipboard.[43]

S0692 SILENTTRINITY

SILENTTRINITY can monitor Clipboard text and can use System.Windows.Forms.Clipboard.GetText() to collect data from the clipboard.[44]

S0467 TajMahal

TajMahal has the ability to steal data from the clipboard of an infected host.[45]

S0004 TinyZBot

TinyZBot contains functionality to collect information from the clipboard.[46]

S0257 VERMIN

VERMIN collects data stored in the clipboard.[47]

S0330 Zeus Panda

Zeus Panda can hook the GetClipboardData function to watch for clipboard pastes to collect.[48]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments to collect data stored in the clipboard from users copying information within or between applications.

DS0009 Process OS API Execution

Monitor API calls that could collect data stored in the clipboard from users copying information within or between applications.
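Added detection example (not part of the ATT&CK page or any listed tool): Python heuristics over constructed API-call telemetry implementing the DS0009 check above. It flags a background process that polls GetClipboardData on a fixed timer (the CosmicDuke every-30-seconds pattern) and a process that writes the clipboard immediately after reading it (the Metamorfo/Mispadu wallet-swap pattern). The log format, process names and PIDs are constructed; SetClipboardData is the Win32 write counterpart of GetClipboardData.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample telemetry: "<seconds> <pid> <image> <api> <foreground:1|0>"
SAMPLE_LOG = """\
0 1201 notepad.exe GetClipboardData 1
12 2210 explorer.exe GetClipboardData 0
13 2210 explorer.exe GetClipboardData 0
50 2210 explorer.exe GetClipboardData 0
5 3310 svchost.exe GetClipboardData 0
35 3310 svchost.exe GetClipboardData 0
65 3310 svchost.exe GetClipboardData 0
95 3310 svchost.exe GetClipboardData 0
40 4410 updater.exe GetClipboardData 0
40 4410 updater.exe SetClipboardData 0
"""


def parse(log):
    # (timestamp, pid, image, api, foreground) tuples, in log order
    rows = [line.split() for line in log.splitlines()]
    return [(float(t), int(p), img, api, fg == "1") for t, p, img, api, fg in rows]


def find_polling(events, min_reads=3, max_jitter=2.0):
    """Background processes reading the clipboard on a steady timer -> {(pid, image): period}."""
    reads = defaultdict(list)
    for ts, pid, image, api, fg in events:
        if api == "GetClipboardData" and not fg:
            reads[(pid, image)].append(ts)
    hits = {}
    for key, stamps in reads.items():
        stamps.sort()
        if len(stamps) < min_reads:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:  # near-constant interval: a timer, not a user
            hits[key] = round(sum(gaps) / len(gaps), 1)
    return hits


def find_replacement(events, window=1.0):
    """Background read immediately followed by a write from the same pid -> {(pid, image)}."""
    last_read, hits = {}, set()
    for ts, pid, image, api, fg in sorted(events, key=lambda e: e[0]):  # stable by time
        if api == "GetClipboardData" and not fg:
            last_read[pid] = ts
        elif api == "SetClipboardData" and pid in last_read and ts - last_read[pid] <= window:
            hits.add((pid, image))
    return hits
```

explorer.exe is not flagged because its read intervals are irregular, and notepad.exe is ignored because its read is a foreground user action.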

References

  1. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  2. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
  3. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  4. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
  5. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  6. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  7. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  8. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  9. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  10. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
  11. Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  12. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  13. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  14. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  15. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  16. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  17. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  18. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  19. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
  20. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  21. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
  22. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  23. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  24. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  25. Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
  26. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  27. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  28. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  29. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  30. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  31. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  32. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  33. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  34. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
  35. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
  36. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
  37. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.
  38. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  39. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  40. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  41. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  42. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  43. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims' Systems. Retrieved June 6, 2018.
  44. byt3bl33d3r. (n.d.). SILENTTRINITY. Retrieved September 12, 2024.
  45. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  46. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  47. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  48. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.