
Name: Laplas
Type of Malware: Clipper
Location – Country of Origin: Russia
Date of initial activity: 2022
Associated Groups: APT28 (Fancy Bear, Sofacy), APT34 (Nobelium, Cozy Bear), Lazarus Group (Hidden Cobra)
Motivation: The goal of clipper malware like Laplas is to hijack a virtual currency transaction intended for a legitimate recipient and redirect it to a wallet owned by the threat actor.
Attack Vectors: Phishing emails, malware-infected websites, drive-by download, USB drives, P2P file sharing
Targeted Systems: Windows, macOS, Linux, Android, iOS
Overview
Laplas is a clipper malware that spreads via other malware. Currently, the downloader SmokeLoader is spreading Laplas via phishing emails that contain malicious documents.
Targets
Cryptocurrency users
Government and military organizations
Financial institutions
Businesses
Individuals
Tools/ Techniques Used
This malware hijacks a cryptocurrency transaction by swapping a victim’s wallet address with a wallet address owned by the threat actors (TAs), so that funds the victim intends to send are delivered to the attackers instead.
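As an added illustration (not code from the original profile or from any real tool), the following defender-side check models the swap described above: it flags a clipboard change in which a wallet-address-looking string is silently replaced by a different address of the same kind within a short window. It assumes a hypothetical clipboard monitor that records each change and whether the user initiated it; the address patterns are approximate format checks, not checksum validation, and all sample data is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Approximate format checks only (no checksum validation); for illustration.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_type(text: str) -> Optional[str]:
    """Return 'btc' or 'eth' if text looks like a wallet address, else None."""
    s = text.strip()
    for name, pat in ADDRESS_PATTERNS.items():
        if pat.match(s):
            return name
    return None

@dataclass
class ClipEvent:
    t: float              # seconds since the (hypothetical) monitor started
    content: str          # clipboard text after the change
    user_initiated: bool  # assumed: monitor knows if the user's foreground app set the clipboard

def detect_clipper_swaps(events: List[ClipEvent], window: float = 2.0) -> List[dict]:
    """Flag an address replaced by a different address of the same kind, without user action, within `window` s."""
    alerts = []
    prev: Optional[ClipEvent] = None
    for ev in events:
        if prev is not None and not ev.user_initiated:
            kind = address_type(prev.content)
            if (kind and address_type(ev.content) == kind
                    and ev.content.strip() != prev.content.strip()
                    and ev.t - prev.t <= window):
                alerts.append({"t": ev.t, "kind": kind,
                               "original": prev.content.strip(),
                               "replacement": ev.content.strip()})
        prev = ev
    return alerts

# Constructed sample timeline (not real addresses or telemetry).
SAMPLE_EVENTS = [
    ClipEvent(0.0, "1VictimAddrAAAAAAAAAAAAAAAAAAAA", True),
    ClipEvent(0.3, "1AttackerAddrBBBBBBBBBBBBBBBBBBBB", False),  # silent swap -> alert
    ClipEvent(10.0, "0x" + "a" * 40, True),
    ClipEvent(11.0, "0x" + "b" * 40, True),   # user copied another address -> no alert
    ClipEvent(20.0, "meeting notes", False),  # non-address programmatic change -> no alert
]

if __name__ == "__main__":
    for alert in detect_clipper_swaps(SAMPLE_EVENTS):
        print(alert)
```

A real deployment would also compare the address the user copied against what is actually pasted into the transaction field, since that is the point at which the swap causes loss.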
Impact / Significant Attacks
In November 2022, Laplas malware was used to steal cryptocurrency from a number of victims. The malware was delivered through phishing emails that appeared to be from a legitimate cryptocurrency exchange. When victims opened the emails, they were tricked into clicking on a malicious link that installed the malware on their computers. The malware then stole the victims’ cryptocurrency wallet addresses and passwords, which were then used to steal their cryptocurrency.
In December 2022, Laplas malware was used to attack a number of government and military organizations in the United States. The malware was delivered through spear phishing emails that targeted specific individuals at these organizations. When the victims opened the emails, they were tricked into clicking on a malicious link that installed the malware on their computers. The malware then stole the victims’ sensitive information, such as passwords, credit card numbers, and government clearances.
In January 2023, Laplas malware was used to attack a number of financial institutions in Europe. The malware was delivered through phishing emails that appeared to be from a legitimate financial institution. When victims opened the emails, they were tricked into clicking on a malicious link that installed the malware on their computers. The malware then stole the victims’ banking information, which was then used to steal their money.
Indicators of Compromise (IoCs)
Domains
Clipper[.]guru
IPs
185[.]223[.]93[.]251
188[.]34[.]207[.]137
45[.]159[.]189[.]105
79[.]137[.]199[.]252


