T1115 Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
For example, on Windows adversaries can access clipboard data by using clip.exe
or Get-Clipboard
.431 Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., Transmitted Data Manipulation).2
macOS and Linux also have commands, such as pbpaste
, to grab clipboard contents.5
Item | Value |
---|---|
ID | T1115 |
Sub-techniques | |
Tactics | TA0009 |
Platforms | Linux, Windows, macOS |
Version | 1.2 |
Created | 31 May 2017 |
Last Modified | 14 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0331 | Agent Tesla | Agent Tesla can steal data from the victim’s clipboard.18192021 |
G0082 | APT38 | APT38 used a Trojan called KEYLIME to collect data from the clipboard.46 |
G0087 | APT39 | APT39 has used tools capable of stealing contents of the clipboard.45 |
S0373 | Astaroth | Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries. 31 |
S0438 | Attor | Attor has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs.22 |
S0454 | Cadelspy | Cadelspy has the ability to steal data from the clipboard.34 |
S0261 | Catchamas | Catchamas steals data stored in the clipboard.33 |
S0660 | Clambling | Clambling has the ability to capture and store clipboard data.3536 |
S0050 | CosmicDuke | CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.42 |
S0334 | DarkComet | DarkComet can steal data from the clipboard.23 |
S1066 | DarkTortilla | DarkTortilla can download a clipboard information stealer module.39 |
S0363 | Empire | Empire can harvest clipboard data on both Windows and macOS systems.8 |
S0569 | Explosive | Explosive has a function to use the OpenClipboard wrapper.37 |
S0381 | FlawedAmmyy | FlawedAmmyy can collect clipboard data.43 |
S0531 | Grandoreiro | Grandoreiro can capture clipboard data from a compromised host.12 |
S0170 | Helminth | The executable version of Helminth has a module to log clipboard contents.10 |
S0044 | JHUHUGIT | A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.27 |
S0283 | jRAT | jRAT can capture clipboard data.44 |
S0250 | Koadic | Koadic can retrieve the current content of the user clipboard.7 |
S0356 | KONNI | KONNI had a feature to steal data from the clipboard.16 |
S0409 | Machete | Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events.2425 |
S0282 | MacSpy | MacSpy can steal clipboard contents.29 |
S0652 | MarkiRAT | MarkiRAT can capture clipboard content.28 |
S0530 | Melcoz | Melcoz can monitor content saved to the clipboard.17 |
S0455 | Metamorfo | Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker’s.4041 |
C0014 | Operation Wocao | During Operation Wocao, threat actors collected clipboard data in plaintext.47 |
S0332 | Remcos | Remcos steals and modifies data from the clipboard.6 |
S0375 | Remexi | Remexi collects text from the clipboard.9 |
S0240 | ROKRAT | ROKRAT can extract clipboard data from a compromised host.26 |
S0148 | RTM | RTM collects data from the clipboard.1415 |
S0253 | RunningRAT | RunningRAT contains code to open and copy data from the clipboard.11 |
S0467 | TajMahal | TajMahal has the ability to steal data from the clipboard of an infected host.38 |
S0004 | TinyZBot | TinyZBot contains functionality to collect information from the clipboard.32 |
S0257 | VERMIN | VERMIN collects data stored in the clipboard.13 |
S0330 | Zeus Panda | Zeus Panda can hook GetClipboardData function to watch for clipboard pastes to collect.30 |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | OS API Execution |
References
-
CISA. (2021, August 20). Alert (AA21-200B) Chinese State-Sponsored Cyber Operations: Observed TTPs. Retrieved June 21, 2022. ↩
-
Maljic, T. (2020, April 16). Mining for malicious Ruby gems. Retrieved October 15, 2022. ↩
-
Microsoft, JasonGerend, et al. (2023, February 3). clip. Retrieved June 21, 2022. ↩
-
Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016. ↩
-
rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017. ↩
-
Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018. ↩
-
Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018. ↩
-
Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. ↩
-
Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. ↩
-
Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. ↩
-
Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. ↩
-
Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020. ↩
-
Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. ↩
-
Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. ↩
-
Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. ↩
-
Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. ↩
-
GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. ↩
-
Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018. ↩
-
Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018. ↩
-
Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018. ↩
-
Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020. ↩
-
Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. ↩
-
Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018. ↩
-
ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. ↩
-
Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019. ↩
-
Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. ↩
-
Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. ↩
-
GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. ↩
-
Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. ↩
-
Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. ↩
-
Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. ↩
-
Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. ↩
-
Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018. ↩
-
Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019. ↩
-
Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. ↩
-
Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021. ↩
-
Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021. ↩
-
GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. ↩
-
Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. ↩
-
Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020. ↩
-
ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. ↩
-
F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014. ↩
-
Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. ↩
-
Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. ↩
-
Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020. ↩
-
FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. ↩
-
Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. ↩