A new clipboard stealer called Laplas Clipper spotted in the wild is using cryptocurrency wallet addresses that look like the address of the victim's intended recipient.
Laplas is different from other malware of the same kind, which are typically just add-ons of info-stealing malware. The new clipper is a feature-rich tool that gives hackers more granular control and better insight into the efficiency of their operations.
The tool is provided under a subscription model, the most expensive tier being $549 for a year's access to the web-based panel that allows operators to monitor and control their attacks.
In about a week, the number of Laplas Clipper samples spotted in the wild grew from fewer than 20 a day to 55 a day at the end of last month, security researchers at Cyble note in a report.
Currently, Laplas is distributed through the Smoke Loader and the Raccoon Stealer 2.0, showing that it has attracted the attention of the cybercrime community.
The Laplas approach
Standard clipboard stealers, also called clippers, monitor the Windows clipboard and activate when they detect a cryptocurrency wallet address that users typically copy as the destination for a payment.
When this happens, the clipper replaces that address with one belonging to the cybercriminals, thus diverting the payment to the attacker.
To counter this risk, many crypto holders today check if the address in the clipboard is the intended one by comparing a few characters, which makes most clippers less effective.
The developers of Laplas came up with a new approach to deceive keen-eyed crypto users by using addresses that closely resemble the one the victim copied.
It is unclear how the hackers obtain the similar addresses. In tests BleepingComputer made, we were able to generate an address similar to the original input in as little as five seconds.
However, this is significantly longer than it takes an average user to copy and paste, which could raise suspicion.
One theory is that the hackers pre-generated a massive number of addresses in advance for Laplas to pick the ones that are similar to what the victim used.
Cyble notes that this process happens on the attacker's server, so the exact mechanism remains unknown. Identifying an address that is similar to the one the victim copied to the clipboard is done using regular expressions.
Cyble shared with BleepingComputer that their research showed that Laplas retrieved a Bitcoin address that matched the first and last few characters of the one copied to the clipboard.
However, in the case of Ethereum the address fetched from the attacker's server looked nothing like the original it tried to spoof.
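To make the prefix/suffix matching described above concrete, here is an added example (not Laplas code, and not from Cyble's report) that does three things: classifies clipboard text as a Bitcoin or Ethereum address with the kind of regular expressions a clipper relies on, builds the look-alike regex an operator would run over a pre-generated address pool (the "pre-generated pool" theory mentioned earlier is an assumption here, not a confirmed mechanism), and shows why checking only the first and last few characters of a pasted address does not catch the swap while a full comparison does. All addresses below are constructed for the example; they are syntactically valid but not real wallets.

```python
import re

# Constructed sample data (not real wallets). The look-alike shares the first
# four and last four characters of the victim's Bitcoin address.
VICTIM_BTC = "1Kf3qL9xZ2N7uTpCw8sRbVyHdMaE5Q4Wn9"
LOOKALIKE_BTC = "1Kf3Hg7aVx2mQpR9dKzWsB4nTyE8cU4Wn9"
VICTIM_ETH = "0x7a3f9c2e4b1d8f6a5c0e9b2d4f7a1c3e5b8d0f2a"

# Hypothetical attacker-side pool of pre-generated addresses (assumption).
POOL = [
    "3Qz7RkPmN2aY5wT9dHcB4fLvXsE8gKjUt6",
    LOOKALIKE_BTC,
    "0x1b9e4d2c7f3a8e5b6c0d9f1a2e4b7c3d8f5a6e9b",
]

# Regexes of the sort a clipper uses to decide whether clipboard text is a
# wallet address. Base58 excludes 0, O, I and l; checksums are not verified.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the coin type if `text` looks like a wallet address, else None."""
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return coin
    return None


def lookalike_pattern(address, prefix_len=4, suffix_len=4):
    """Regex matching any same-length address that shares the victim's
    first `prefix_len` and last `suffix_len` characters."""
    head = re.escape(address[:prefix_len])
    tail = re.escape(address[-suffix_len:])
    middle_len = len(address) - prefix_len - suffix_len
    return re.compile(rf"^{head}.{{{middle_len}}}{tail}$")


def pick_lookalike(address, pool, prefix_len=4, suffix_len=4):
    """Return the first pool address that passes the look-alike regex, or None
    when the pool holds nothing similar (what Laplas does then is not known)."""
    pattern = lookalike_pattern(address, prefix_len, suffix_len)
    for candidate in pool:
        if candidate != address and pattern.match(candidate):
            return candidate
    return None


def naive_check(expected, pasted, n=4):
    """The 'compare a few characters' habit: passes whenever the ends agree."""
    return expected[:n] == pasted[:n] and expected[-n:] == pasted[-n:]


def strict_check(expected, pasted):
    """Full comparison: the only check a look-alike address cannot pass."""
    return expected == pasted


if __name__ == "__main__":
    swapped = pick_lookalike(VICTIM_BTC, POOL)
    print("clipboard type:", classify(VICTIM_BTC))
    print("attacker picks:", swapped)
    print("naive check passes:", naive_check(VICTIM_BTC, swapped))
    print("strict check passes:", strict_check(VICTIM_BTC, swapped))
    print("eth look-alike in pool:", pick_lookalike(VICTIM_ETH, POOL))
```

The practical lesson for users is in the last two functions: a glance at the first and last few characters accepts the swapped address, so the only reliable habit is comparing the whole pasted string against the intended one (or using a wallet that shows the destination on a hardware screen). The Ethereum lookup returns None here because the constructed pool contains no similar address; the page does not say why the real Ethereum address Cyble observed did not resemble the original.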
The clipper supports wallet address generation for Bitcoin, Bitcoin Cash, Litecoin, Ethereum, Dogecoin, Monero, Algorand, Ravencoin, Ripple, Zcash, Dash, Ronin, Tron, Tezos, Solana, Cardano, Cosmos, Qtum, and Steam Trade URLs.