Bunny Loader: Another Clipboard malware

[Kemarit]

A newly evolved Clipper and a keylogger called “BunnyLoader”. And we all know that there are a lot of variants of keylogger and clipboard malware that replaces crypto currency wallet with that to a wallet address that this criminal controls. This malware has undergone some transformation already, and it's very clever to see that it will test if your system runs on sandbox and usernames. So the Clipper looks for cryptos:



Also looks for this information to steal:



So it's very important for us crypto enthusiast to learn how to protect from this kind of malware. We need to install the latest anti-virus, and not just to download any crack softwares as this is where this criminals exploited their victims. When we thought that we can get free softwares, but we don't know that the criminals have laded it with a lot of malwares and we will only know until it's too late. And for the Clipper capability of this malware, we should check the details of the addresses that we are going to send to, make sure everything is correct so that we will not be a victim here. And obviously, do not click any links like in our email, maybe it doesn't look suspicious at all, but if we don't know the source or even know the source, we should be very very careful.

https://www.zscaler.com/blogs/security-research/bunnyloader-newest-malware-service

[1714573670]

1714573670

[1714573670]

1714573670

[1714573670]

1714573670

[Churchillvv]

Security consciousness is the first thing everyone of us here should hold firmly, because the more we tryna make things better for us that's the same way hackers are working hard to reduce our efforts. My most serious concern is the fact that the author Poker BL confirm it, to be a fileless loading feature that "makes it difficult for the antiviruses to remove the attackers malware. Which means it might have been in action in ours machines without our notice, so what then can we even do to stop it?. It's really depressing to find this kind of information that your investments or credentials are at risk using your browsers, and most times we can't even avoid using this browser because they are still very important at same time.
Well, thank you for this information because it has created an awareness in us.

[DdmrDdmr]

The article doesn't seem to indicate how the malware is spreading, but the threat library provides entries that reference the initial access being made (or perhaps, likely made) through either a spearphishing attachment or a spearphishing link, some of the most common forms for spreading malware.

Side note:
Using a hardware wallet does not exempt one from being a potential victim to clipboard malware, as some people believe. Though the screen of the device will show you the address you are going to send the TX to, and you can (and should) contrast that against your intended address, you need to check against the original intended address, not the address you copied and pasted on the wallet interface (clipboard malware can change the address between the address you copied, and the pasted address on the wallet’s interface – i.e. Trezor Suite or Ledger Live).

[Faisal2202]

Thanks for bringing this useful information in front of us, I mean hackers are now breaking their limits with such upgradation, but to be honest I am really disappointed to see that they are only selling it for $250 dollars. That's too low. And those who will become victims, who know how much loss they are going to make. 

Overall, the working mechanism of this tool is straightforward, and if they are attacking the above wallets then I am safe Because using none of them (Well this also can be used to filter my address by hackers if they are here on BTT using this tool  )

What pre-cautions should we take besides just not clicking on doubtful emails?

[Findingnemo]

The article doesn't seem to indicate how the malware is spreading, but the threat library provides entries that reference the initial access being made (or perhaps, likely made) through either a spearphishing attachment or a spearphishing link, some of the most common forms for spreading malware.

Bunny loader is basically a trojan that is highly rated for its potential to cause damage to victims based on its nature which is capable of extracting almost everything from your device from keystrokes, browser history, auto-fill details, cookies, and also with the ability to replace the data like wallet addresses.

As you said it mostly affects the system via emails pretending to be one of the services they are already using or random downloads from unknown websites. But it seems highly undetectable as per many cyber security experts and can stay unnoticed forever so the best possible solution is to stay away from downloading it in the first place.

Here is an article that explains how can we manually remove the Bunny loader - MaaS

How to remove BunnyLoader from the operating system

[Yaunfitda]

Thanks for bringing this useful information in front of us, I mean hackers are now breaking their limits with such upgradation, but to be honest I am really disappointed to see that they are only selling it for $250 dollars. That's too low. And those who will become victims, who know how much loss they are going to make. 

I think the group wanted to impressed in the beginning, that's why they are selling it for a cheap price. But as reported, there are upgrades already and it will be upgraded again and again.

Overall, the working mechanism of this tool is straightforward, and if they are attacking the above wallets then I am safe Because using none of them (Well this also can be used to filter my address by hackers if they are here on BTT using this tool  )

What pre-cautions should we take besides just not clicking on doubtful emails?

The moral lesson here is that everyone is vulnerable, no one should think that everyone is safe because you really don't know the extent this cyber criminals can do specially with this kind of weapons. They can even control everything from their command and center (C&C) and monitor what they are doing in your own device. This posts by @LoyceV is very helpful as well with regards to Clipboard malware, How to lose your Bitcoins with CTRL-C CTRL-V.

[348Judah]

This is very important to take note that such attack had been existing before now, this should be a reminder as well that they ain't stopping in this kind of operational mode to attack others and steal their bitcoin, i remember one of the main threads that also introduced how one can loose his bitcoin through ctrl c and ctrl p https://bitcointalk.org/index.php?topic=5190776.0 if we are aware of this kind of malicious attack, we will always stay safe and be unaffected following both recommendations that prevents one from such attack.

[hugeblack]

Installing the latest antivirus software is a poor advice and may be provided by some technical articles, but antiviruses update their database periodically, which means that there may be viruses that are not present in the database, which gives high probability false positive reports.

Using hardware wallets or open source wallets will not change anything here, but rather:

 - Do not install applications that you do not trust.
 - Check the title completely, or at least the first and last 8 characters.
 - Make sure everything is correct before broadcasting the transaction.

[Lucius]

Installing the latest antivirus software is a poor advice and may be provided by some technical articles, but antiviruses update their database periodically, which means that there may be viruses that are not present in the database, which gives high probability false positive reports.

I would not say that this is bad advice, especially if it is a premium AV that updates its database of antivirus definitions several times a day and has good heuristic analysis that can detect viruses/malware even if it is not in the definition database. However, as far as I remember from some previous discussions, clipboard malwares usually cannot be detected using AV, although I don't know if anything has changed in that regard.

Using hardware wallets or open source wallets will not change anything here, but rather:

 - Do not install applications that you do not trust.
 - Check the title completely, or at least the first and last 8 characters.
 - Make sure everything is correct before broadcasting the transaction.

Today it is hard to believe that an app is reliable (trusted) unless it is an app that has millions of downloads and it is possible to verify it before installing it. Even if it is in one of the legitimate app stores, it does not mean that we should consider it 100% safe - and what can we say about those cracked apps that are downloaded via torrents or various suspicious websites.

In much simpler terms, if you know how to behave online, have a solid AV/firewall and don't use cracked software, the chances of picking up something like clipboard malware are very low or none.

[btc_angela]

This is very important to take note that such attack had been existing before now, this should be a reminder as well that they ain't stopping in this kind of operational mode to attack others and steal their bitcoin, i remember one of the main threads that also introduced how one can loose his bitcoin through ctrl c and ctrl p https://bitcointalk.org/index.php?topic=5190776.0 if we are aware of this kind of malicious attack, we will always stay safe and be unaffected following both recommendations that prevents one from such attack.

Yes, this kind of attacks won't top, and on the contrary, they will continue to developed more clipboard malware that is more advanced that the previous one. So very difficult to caught this if our machines are infected already. And I remember that when this kind of malwares are first spotted, there are several members here who reported and fall victims.

And so we already know this kind of attacks and hopefully this is a reminder that this malware is still in existence and so we shouldn't forgot to check everything before sealing our transactions because once is done, we can't revert it back.

[Findingnemo]

Installing the latest antivirus software is a poor advice and may be provided by some technical articles, but antiviruses update their database periodically, which means that there may be viruses that are not present in the database, which gives high probability false positive reports.

Using hardware wallets or open source wallets will not change anything here, but rather:

 - Do not install applications that you do not trust.
 - Check the title completely, or at least the first and last 8 characters.
 - Make sure everything is correct before broadcasting the transaction.

I do agree that anti-virus is not going to detect every malware, especially the newly created ones but for a layman there is no better tool than anti-virus to tackle their cyber security, at least it will be able to detect the known malware.

To protect our crypto assets we can be careful to some extent but these kinds of apps are getting more advanced and I read it is capable of even remote commands so once a system is affected there is a possibility of losing our crypto funds even without any action from our side.

Cybersecurity is the biggest concern of the 21st century, but most people still use Windows, which is at least security-resistant when it comes to avoiding attacks. So, the first thing we should do is install Linux because it offers enhanced security features and greater control over system vulnerabilities, making it a prudent choice for those looking to bolster their online defenses.

[goxcraft]

Clipboard malware is very common nowadays. I had accidentally infected my computer with one of this kind of malware one time. Later had to reinstall windows again, cause I don't use any antivirus software.

Those who are new to this malware, usually confuse the first time. I have seen many accidentally sending their assets without realizing that the original address is replaced with the phishing address. It's pretty sad and dangerous for those who never encountered it. They could loss their entire life savings.

Till now I have seen malware that works as replacing the address. But now that I see, they are programmmer with additional features like stealing saved passwords, I'm a little concern. It's a huge treat for us.

[tabas]

Those who are prone to this type of malware are the ones who keep on downloading from unknown sources on the web and download random files that aren't verified. While it is a good measure to have an anti-virus, the best form of anti-virus is being informed and aware of the potential risk upon downloading files that you're not aware of. Like what we're saying, "prevention is better than cure" and it's also applicable to this. We don't need to wait until our devices are infected by it but avoid any forms of red flags that are likely to get you malware like bunny loader. A usual practice before doing a transaction is not to be lazy checking the address if it's correct or not, and don't get tired of reading each character, letter, and number before pressing the send button. It sounds simple but will help you verify and avoid making a mistake.

[Broadanbig]

I find this pieces of information very helpful and useful. Scammers are never tired of doing the unbelievable. On daily basis, they develop new strategy and gimmicks lurking around to be real with ill intentions of undoing unsuspecting individuals. It takes a smart  person to decipher their codes and know what they are up to this time around as they are now heavily sophisticated with their upgraded techniques of operating. Could it be possible that this could occur by just opening a mail?

[cryptomaniac_xxx]

Installing the latest antivirus software is a poor advice and may be provided by some technical articles, but antiviruses update their database periodically, which means that there may be viruses that are not present in the database, which gives high probability false positive reports.

Using hardware wallets or open source wallets will not change anything here, but rather:

 - Do not install applications that you do not trust.
 - Check the title completely, or at least the first and last 8 characters.
 - Make sure everything is correct before broadcasting the transaction.

I do agree that anti-virus is not going to detect every malware, especially the newly created ones but for a layman there is no better tool than anti-virus to tackle their cyber security, at least it will be able to detect the known malware.

To protect our crypto assets we can be careful to some extent but these kinds of apps are getting more advanced and I read it is capable of even remote commands so once a system is affected there is a possibility of losing our crypto funds even without any action from our side.

Cybersecurity is the biggest concern of the 21st century, but most people still use Windows, which is at least security-resistant when it comes to avoiding attacks. So, the first thing we should do is install Linux because it offers enhanced security features and greater control over system vulnerabilities, making it a prudent choice for those looking to bolster their online defenses.

It is still very important to update our anti-virus, of course its a game for this cyber criminals, they created new variants of their malware/virus try to spread to to many forms and once the anti-virus company get ahold of this, they will study and make it to their database.

Linux or any other flavor of Unix per se, it might be good as a detrimental or to some extend some IOS device too. As they are target least by this cyber criminals as compare to Windows which is like 80% of laptop/pc users are under this operating system.

[lovesmayfamilis]

Try to delete all cookies after you visit the Internet, and set a time after which the session will automatically end if you are inactive. Sometimes hackers can recover session IDs from cookies and, from there, get user passwords and gain full control of the computer. You won’t even know who can surf the Internet with you at the same time if a hacker adds a RAT (remote access Trojan) to your computer. In addition, check the files that are added to your startup. Although, of course, we know that viruses are now hidden under popular processes in the Windows system, you can track the folder in which they may be located.

Could it be possible that this could occur by just opening a mail?

If you open an attachment that is in an email, it is almost always guaranteed that your computer will be infected. This will not happen if you simply open an email. Never click on links.

[Faisal2202]

I think the group wanted to impressed in the beginning, that's why they are selling it for a cheap price. But as reported, there are upgrades already and it will be upgraded again and again.

Of course, Its just a marketing technique to sell a product in cheaper amount at start and when it starts to make scammers some money then they will of course increase the prices. I was just thinking, that if this tools really works in a efficient way that the sellers said, then why bothering to sell others and not using it by themselves.

Ok, I got it, they want to divert or distribute the interest of authorities (I mean when there will be more users of this tools <--Buyers). In simple words, they want to stay off the radar. But what other than this.

The moral lesson here is that everyone is vulnerable, no one should think that everyone is safe because you really don't know the extent this cyber criminals can do specially with this kind of weapons. They can even control everything from their command and center (C&C) and monitor what they are doing in your own device. This posts by @LoyceV is very helpful as well with regards to Clipboard malware, How to lose your Bitcoins with CTRL-C CTRL-V.

Thanks for mentioning the thread, it was really a good reminder but I was already aware of such attacks knows as Address poisonings attacks and that's why whenever I send money from one to another address, I totally check the letter one by one. Because it only take few seconds to verify it, and it is far better than regretting later.

[Dr.Bitcoin_Strange]

Frequently, I use my mobile phone to carry out transactions, and I have not experienced any of these clipboard malwares on my phone. Although I know that there are malwares attack here and there, I am always careful about the sites I visit and things I download on my phone. Last month I came across a thread where the OP was warning users against downloading any keyboard app on their mobile because most of those keyboard apps contain malware, and anyone who is not just familiar with the space can easily fall victim. My PC is protected with strong anti-virus software (TotalAV), and I have not experienced any clipboard issues on the PC. I know that since I first heard about the clipboard virus, I have always been careful because I don't want to be a victim and lose my asset to those hackers.

[EL MOHA]

Frequently, I use my mobile phone to carry out transactions, and I have not experienced any of these clipboard malwares on my phone. Although I know that there are malwares attack here and there, I am always careful about the sites I visit and things I download on my phone. Last month I came across a thread where the OP was warning users against downloading any keyboard app on their mobile because most of those keyboard apps contain malware, and anyone who is not just familiar with the space can easily fall victim. My PC is protected with strong anti-virus software (TotalAV), and I have not experienced any clipboard issues on the PC. I know that since I first heard about the clipboard virus, I have always been careful because I don't want to be a victim and lose my asset to those hackers.

Yes there are people that actually get lucky not to this things caught but do not be too certain on things like this. Even with the latest or strong anti-virus they can still get caught and the bad thing is even you wouldn’t easily find out that you have got caught. The best thing is to try as much as possible to avoid downloading just any application and one should check their transactions details like the address properly before broadcasting them. And if you have much funds try to get them off online wallets, don’t get too comfortable with them because hackers can strike where you list expected them

[nelson4lov]

Frequently, I use my mobile phone to carry out transactions, and I have not experienced any of these clipboard malwares on my phone. Although I know that there are malwares attack here and there, I am always careful about the sites I visit and things I download on my phone. Last month I came across a thread where the OP was warning users against downloading any keyboard app on their mobile because most of those keyboard apps contain malware, and anyone who is not just familiar with the space can easily fall victim. My PC is protected with strong anti-virus software (TotalAV), and I have not experienced any clipboard issues on the PC. I know that since I first heard about the clipboard virus, I have always been careful because I don't want to be a victim and lose my asset to those hackers.

Being careful is great. It's how we can avoid exposing ourselves to these malwares and other possible attack vectors. As long as you're careful about what links you click and what files you download to your devices, you're good to go.  Another note about Antivirus programs is that they can only provide you so much security which is why Antivirus is not a hot topic in security discussions these days. It's nice to have though.

For keyboard apps, it might be true. As a matter of fact, Apple doesn't let users to use 3rd party keyboards when it comes to entering sensitive details like passwords, keys, etc.