Newly emergent Linux malware ClipXDaemon could facilitate the clandestine takeover of cryptocurrency clipboard data in X11 sessions, resulting in the real-time replacement of copied cryptowallet addresses with attacker-controlled addresses without the need for command-and-control infrastructure, reports The Cyber Express.

Intrusions commence with the installation of a loader, whose structure resembles the ShadowHS malware, that executes a bincrypter-generated script to decrypt a memory-resident dropper, which then launches ClipXDaemon, according to an analysis from Cyble Research & Intelligence Labs. After appending an execution line to guarantee persistence without the need for root privileges, scheduled tasks, or systemd services, ClipXDaemon employs double-fork daemonization to bypass inspection tools and then leverages standard X11 APIs to establish a connection with the X server.

ClipXDaemon then polls clipboard content every 200 milliseconds, matching the data against cryptocurrency address patterns and replacing each match with an attacker-controlled address for the corresponding wallet type, covering Monero, Ethereum, Bitcoin, Litecoin, Dogecoin, and Tron. Researchers noted that ClipXDaemon's C2-less architecture enables direct monetization for attackers, since the swapped address alone diverts the funds.
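The swap behaviour described above has a simple tell on the victim's side: a legitimately copied address does not change by itself, let alone within a fraction of a second, into a different address of the same wallet type. The following Python example, added here and not part of the original report or Cyble's analysis, runs that check over a constructed sequence of clipboard snapshots; the address patterns are simplified approximations of the listed wallet formats and the one-second window is an assumption.

```python
import re
from dataclasses import dataclass

# Simplified wallet-address patterns (assumed, approximate): enough to classify
# the address families named in the report, not a full checksum validator.
ADDRESS_PATTERNS = {
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "BTC": re.compile(r"^(bc1[0-9a-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "XMR": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
    "LTC": re.compile(r"^(ltc1[0-9a-z]{25,62}|[LM][1-9A-HJ-NP-Za-km-z]{26,33})$"),
    "DOGE": re.compile(r"^D[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "TRX": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def address_family(text):
    """Return the wallet family a clipboard string looks like, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


@dataclass
class Snapshot:
    t_ms: int      # time the clipboard was sampled, in milliseconds
    content: str   # clipboard text at that moment


def detect_swaps(snapshots, max_gap_ms=1000):
    """Flag consecutive snapshots where an address was replaced by a different
    address of the same family within max_gap_ms. A 200 ms poll-and-replace loop
    produces exactly this; a user copying a new address takes far longer."""
    findings = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        fam_prev, fam_cur = address_family(prev.content), address_family(cur.content)
        if (fam_prev and fam_prev == fam_cur and prev.content != cur.content
                and cur.t_ms - prev.t_ms <= max_gap_ms):
            findings.append((fam_prev, prev.content, cur.content, cur.t_ms - prev.t_ms))
    return findings


# Constructed sample: an ETH address silently replaced 200 ms after being copied,
# followed by two genuine user copies of BTC addresses a long time apart.
SAMPLE_SNAPSHOTS = [
    Snapshot(0, "hello world"),
    Snapshot(100, "0x" + "a" * 40),
    Snapshot(300, "0x" + "b" * 40),
    Snapshot(60000, "1" + "A" * 33),
    Snapshot(90000, "1" + "B" * 33),
]

if __name__ == "__main__":
    for family, before, after, gap in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"possible clipboard swap ({family}, {gap} ms): {before} -> {after}")
```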