10 Critical Steps in ClipBanker's Marathon Infection Chain: How a Search for Proxifier Leads to Crypto Theft

From Jeribah, the free encyclopedia of technology

At the start of the year, cybersecurity researchers uncovered a particularly insidious Trojan dubbed ClipBanker, a clipboard hijacker ("clipper") notable for an unusually long and intricate infection chain. What makes this threat stand out is how a seemingly innocent search for proxifier software initiates a multi-stage attack. The route from a web query to cryptocurrency theft is a study in persistence and stealth. This article breaks down the ten phases of ClipBanker's marathon infection process and what each one leaves behind for a defender.

1. The Search Trigger: Searching for ‘Proxifier’

Everything begins when a user searches for the term "Proxifier" in a popular search engine. Proxifier is a legitimate commercial utility that forces applications without built-in proxy support to send their traffic through a SOCKS or HTTPS proxy, which makes it popular with developers, testers and users on restrictive networks. The attackers have placed a GitHub repository among the top results for that query, dressed up as a helpful resource. The search itself is the first step of a carefully staged trap designed to lure unsuspecting users into the infection chain.

Source: securelist.com

2. The GitHub Repository Trap: A Fake Proxy Service

The GitHub repository in question claims to host the source code of a basic proxy service. The code itself is harmless; the danger sits in the Releases section, where users find an archive containing an executable and a text document. The executable is a malicious wrapper around the genuine Proxifier installer, and the text document supplies activation keys for the software, so the package looks like the usual "cracked" download. That is enough to get users to run the trojanized installer in the belief that they are simply setting up a useful utility.

3. First Defense Bypass: Adding Microsoft Defender Exclusions

Once the malicious executable is launched, ClipBanker's first priority is to weaken Microsoft Defender rather than switch it off: it adds exclusions for every file with a .tmp extension and for the directory the executable runs from, so the stages written there are never scanned. The method is unusual. The dropper writes a tiny stub executable (about 1.5 KB) to the temporary directory under the name Proxifier<random>.tmp and runs it. The stub does nothing on its own; it exists only as a donor process into which the next stage is injected. Both exclusions are recorded by Defender as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is the first place a responder should look.

4. Code Injection via a .NET Application: api_updater.exe

A .NET application called api_updater.exe is then injected into the stub process. It decrypts a PowerShell script and runs it in-process through the System.Management.Automation hosting API (the researchers name the PSObject class), so no powershell.exe is started and no console window appears; the exclusion commands never show up as a child process. Because the engine executes entirely in memory, telemetry that keys on process creation misses it. It is not invisible, though: a 1.5 KB .tmp stub loading System.Management.Automation.dll is itself anomalous, and PowerShell script block logging and AMSI operate inside the engine, so they still see the script when they are enabled.

5. Simultaneous Legitimate Installation and Background Infection

After the exclusions are in place, the trojanized proxifier.exe extracts and launches the real Proxifier installer. This is the misdirection: the user watches a normal installation proceed while the infection continues silently in the background. In parallel, the malware creates another donor process and injects a module named proxifierupdater.exe into it, which serves as the injector for the next stage. Nothing visible gives the user a reason to suspect that the system is being compromised.

6. Secondary Injection into conhost.exe

The injected proxifierupdater.exe now takes over. It launches the legitimate Windows console host, conhost.exe, and injects a further .NET application, internally named bin.exe, into it. Hiding inside a process that exists on every Windows system many times over buys stealth, not privilege: this is process masquerading, and the malware keeps the rights of the logged-on user throughout. bin.exe then runs another PowerShell script, again hosted in memory rather than through powershell.exe. A conhost.exe started by an unexpected parent, or one that loads the PowerShell engine, is the detection hook here; signature-based antivirus has little to work with.


7. The Multi-Action PowerShell Script

The PowerShell script executed by bin.exe is heavily obfuscated and partially encoded, but what it does is straightforward. First, it adds powershell.exe and conhost.exe to the Defender exclusions so that later scripts run unhindered. Second, it creates the registry key HKLM\SOFTWARE\System::Config and stores another Base64-encoded PowerShell script in it. Third, it registers a scheduled task that launches PowerShell with a short script as its argument. That task script is the fourth piece: it reads the registry value, decodes it, and hands execution to the next stage. Each of these steps leaves a log entry (Defender Event ID 5007 for the exclusions, Security Event ID 4698 for the task when object-access auditing is on), which is why the chain spends so much effort excluding the interpreters first.
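The exclusions added in steps 3 and 7 are the most reliable signal in this chain, because Defender logs every one of them as Event ID 5007. The following Python is an added example (not code from the report or from Kaspersky) that parses constructed 5007 message texts and flags the exclusions an attacker would add: temporary or executable extensions, paths in user-writable folders, and script hosts or living-off-the-land binaries. The risky-extension and risky-process lists and the sample messages are this example's own choices.

```python
import re

# Exclusions seen in the ClipBanker chain (.tmp, the dropper's own folder,
# powershell.exe, conhost.exe) plus other script hosts and LOLBins worth flagging.
# These lists are this example's own choices, not taken from the report.
RISKY_EXTENSIONS = {"tmp", "exe", "dll", "ps1", "bat", "cmd", "vbs", "js", "hta", "scr"}
RISKY_PROCESSES = {
    "powershell.exe", "pwsh.exe", "conhost.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "installutil.exe",
}
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)|users\\public"
    r"|programdata|windows\\temp|temp)(?:\\|$)",
    re.IGNORECASE,
)

# Event ID 5007 (Microsoft-Windows-Windows Defender/Operational) reports a changed
# setting as "Old value: ... New value: <registry path> = <data>". Added exclusions
# land under ...\Windows Defender\Exclusions\{Paths,Extensions,Processes}\<item> = 0x0.
NEW_EXCLUSION = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?)\s*=\s*0x0",
    re.IGNORECASE,
)


def parse_exclusion(message: str):
    """Return (kind, value) when a 5007 message records a newly added exclusion, else None."""
    m = NEW_EXCLUSION.search(message)
    if m is None:
        return None
    return m.group("kind").capitalize(), m.group("value").strip()


def assess_exclusion(kind: str, value: str) -> list[str]:
    """Reasons an exclusion looks like defence evasion rather than a routine admin change."""
    reasons = []
    v = value.lower()
    if kind == "Extensions":
        ext = v.lstrip(".")
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"extension exclusion .{ext} hides executable or temporary payloads")
    elif kind == "Processes":
        name = v.rsplit("\\", 1)[-1]
        if name in RISKY_PROCESSES:
            reasons.append(f"process exclusion for script host or LOLBin {name}")
    elif kind == "Paths":
        if re.fullmatch(r"[a-z]:\\?", v):
            reasons.append("path exclusion covers an entire drive")
        elif USER_WRITABLE.match(v):
            reasons.append("path exclusion inside a user-writable location")
    return reasons


def triage_defender_events(messages: list[str]) -> list[dict]:
    """Run every 5007 message through the rules and return only the suspicious ones."""
    findings = []
    for message in messages:
        parsed = parse_exclusion(message)
        if parsed is None:
            continue
        kind, value = parsed
        reasons = assess_exclusion(kind, value)
        if reasons:
            findings.append({"kind": kind, "value": value, "reasons": reasons})
    return findings


# Constructed sample messages modelled on the chain described above; not real telemetry.
SAMPLE_EVENTS = [
    "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event "
    "you should review the settings as this may be the result of malware.\n\tOld value: \n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\tmp = 0x0",
    "... Old value: \n\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
    "C:\\Users\\alice\\Downloads\\proxifier_setup\\ = 0x0",
    "... New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\powershell.exe = 0x0",
    "... New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\conhost.exe = 0x0",
    # A plausible administrator exclusion that the rules should leave alone.
    "... New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
    "C:\\Program Files\\Corp Backup\\ = 0x0",
    # A 5007 that changes something other than an exclusion (constructed scan-schedule tweak).
    "... Old value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleDay = 0x0\n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleDay = 0x6",
]

if __name__ == "__main__":
    for finding in triage_defender_events(SAMPLE_EVENTS):
        print(f"[{finding['kind']}] {finding['value']}: {'; '.join(finding['reasons'])}")
```

The rules deliberately ignore the "Corp Backup" exclusion: a path exclusion under Program Files is what a legitimate administrator adds, while the four the chain adds (a .tmp extension, a Downloads folder, and two interpreters) each trip a rule on their own. In production the same parser would run over the events exported from the Defender operational log.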

8. Persistence via Scheduled Task and Registry

The scheduled task created in the previous step is the persistence mechanism. It ensures that the infection resumes after a reboot or a new logon. The task launches PowerShell with a script that reads the encoded payload from the registry key. The key itself (HKLM\SOFTWARE\System::Config) is an unusual location, so it does not stand out in the places administrators normally check. Combining a scheduled task with a registry-stored script gives ClipBanker real resilience, and it also lets the operators swap the payload without dropping a new file: anyone who can write to that value can replace the next stage, and nothing on disk changes.
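Hunting the persistence from steps 7 and 8 means looking at what a scheduled task actually runs, not at its name. The Python below is an added example (not code from the report) that reads an exported Task Scheduler XML, decodes a -EncodedCommand argument (Base64 of UTF-16LE text), and scores the command line plus the decoded script for the loader pattern: hidden window, registry read, Base64 decode and dynamic execution. The task XML, the loader text and the registry value name "Stage" are constructed for this example; the report gives only the key name, HKLM\SOFTWARE\System::Config.

```python
import base64
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Text patterns that together describe "a PowerShell task that pulls its real code from
# the registry". Indicator names are this example's own.
INDICATORS = {
    "encoded-command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "registry-read": re.compile(r"Get-ItemProperty(?:Value)?\b|Registry::|HKLM:", re.I),
    "base64-decode": re.compile(r"FromBase64String", re.I),
    "dynamic-exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries Base64 of the script as UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def decode_registry_stage(b64: str) -> str:
    """Decode a Base64 script blob stored in a registry value. The report does not say
    which text encoding the chain uses, so detect UTF-16LE by its NUL high bytes and
    fall back to UTF-8."""
    raw = base64.b64decode(b64)
    if len(raw) >= 2 and raw[1] == 0:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def analyze_task_xml(task_xml: str) -> dict:
    """Pull the Exec action out of an exported task and score its command line."""
    root = ET.fromstring(task_xml)
    result = {"command": None, "arguments": "", "decoded": "", "indicators": []}
    exec_node = root.find("t:Actions/t:Exec", TASK_NS)
    if exec_node is None:
        return result
    result["command"] = (exec_node.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
    result["arguments"] = (exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
    m = ENCODED_ARG.search(result["arguments"])
    if m:
        try:
            result["decoded"] = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            result["decoded"] = ""
    text = result["arguments"] + "\n" + result["decoded"]
    result["indicators"] = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return result


# Constructed samples. The stage-1 loader reads a value (name "Stage" is assumed) under the
# key named in the report and hands execution to whatever it decodes.
STAGE1_LOADER = (
    "$b = (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\System::Config').Stage; "
    "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)))"
)
STAGE1_B64 = base64.b64encode(STAGE1_LOADER.encode("utf-16-le")).decode("ascii")

# What the registry value would hold: here a harmless placeholder, Base64 of UTF-16LE text.
SAMPLE_REGISTRY_VALUE = base64.b64encode(
    "Write-Output 'stage two placeholder (constructed for this example)'".encode("utf-16-le")
).decode("ascii")

SAMPLE_TASK_XML = f"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -w hidden -ExecutionPolicy Bypass -EncodedCommand {STAGE1_B64}</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Corp Backup\\backup.exe</Command>
      <Arguments>--nightly --quiet</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    report = analyze_task_xml(SAMPLE_TASK_XML)
    print(report["command"], report["indicators"])
    print("decoded task script:", report["decoded"])
    print("registry stage:", decode_registry_stage(SAMPLE_REGISTRY_VALUE))
```

Exported task XML is what `schtasks /query /xml` or the files under C:\Windows\System32\Tasks contain, so the same function works on a live system or on a disk image. Scoring the decoded script rather than the raw argument matters: the registry read and the Base64 decode are only visible after -EncodedCommand is unwrapped.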

9. The Final Payload: Crypto Theft and Beyond

The encoded script stored in the registry ultimately decodes and executes the final payload, ClipBanker's clipper module. It monitors the clipboard for cryptocurrency addresses and replaces them with attacker-controlled addresses, and it targets wallet data on the host. The long chain that precedes it ensures the payload runs inside the excluded, unmonitored space the earlier stages carved out. By the time the user notices, the transfer has usually gone to the wrong address, and on-chain transfers cannot be reversed. The attackers can also deploy additional modules for data exfiltration or remote access, depending on their objectives.
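A clipper's replacement is a perfectly valid address, so format validation cannot catch the swap; what does catch it is the timing, because the clipboard changes from one address to another of the same kind within milliseconds of a copy. The Python below is an added example (not the malware's code and not from the report) that classifies clipboard strings by coin family and flags such swaps over a constructed timeline of polled clipboard contents. The addresses are public example addresses, not infrastructure from the report, and the two-second window is this example's choice.

```python
import re

# Address shapes for a few coins a clipper typically targets. These patterns are syntactic
# only; a swapped-in address passes them just as well as the user's own.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,59}$", re.IGNORECASE),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "trx": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify_address(text: str):
    """Return the coin family a clipboard string looks like, or None."""
    s = text.strip()
    for coin, rx in ADDRESS_PATTERNS.items():
        if rx.match(s):
            return coin
    return None


def detect_clipboard_swaps(snapshots, window_seconds: float = 2.0) -> list[dict]:
    """snapshots: clipboard contents polled over time as (seconds, text) pairs.
    A swap is an address replaced by a different address of the same family within
    window_seconds; a person re-copying a new address by hand takes longer than that."""
    swaps = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        coin = classify_address(prev)
        if coin is None or prev.strip() == cur.strip():
            continue
        if classify_address(cur) == coin and (t_cur - t_prev) <= window_seconds:
            swaps.append({"at": t_cur, "coin": coin,
                          "copied": prev.strip(), "replaced_with": cur.strip()})
    return swaps


def paste_matches_copy(copied: str, pasted: str) -> bool:
    """User-side check before confirming a transfer: the pasted text must be exactly what
    was copied. Some clippers pick look-alikes sharing the first and last characters, so
    eyeballing only the ends of the address is not enough."""
    return copied.strip() == pasted.strip()


# Constructed clipboard timeline. Public example addresses, not attacker infrastructure.
USER_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
SWAPPED_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
USER_ETH = "0x742d35cc6634c0532925a3b844bc454e4438f44e"
OTHER_ETH = "0xd8da6bf26964af9d7eed9e03e53415d37aa96045"

SAMPLE_CLIPBOARD = [
    (0.0, "meeting notes for Tuesday"),
    (10.0, USER_BTC),       # user copies the recipient address from a web page
    (10.3, SWAPPED_BTC),    # 300 ms later the clipboard holds a different BTC address
    (10.8, SWAPPED_BTC),
    (50.0, USER_ETH),
    (80.0, OTHER_ETH),      # 30 s later: the user copied another address by hand, not a swap
    (81.0, "hello"),
]

if __name__ == "__main__":
    for swap in detect_clipboard_swaps(SAMPLE_CLIPBOARD):
        print(f"t={swap['at']}: {swap['coin']} {swap['copied']} -> {swap['replaced_with']}")
```

On a live Windows host the snapshots would come from polling the clipboard (for instance via the pywin32 clipboard functions); the detection logic is the same. The paste_matches_copy check is the habit to teach users: compare the full address you are about to confirm against the one you meant to copy, not just its first and last few characters.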

10. Lessons Learned: How to Protect Against Such Attacks

ClipBanker's marathon infection chain shows where the defences are. On the user side: download software only from the vendor's own site or a trusted distribution platform, treat "free activation keys" bundled with an installer as a red flag, and be suspicious of search results that hand out paid software for free. On the endpoint side: review Defender exclusions regularly (Get-MpPreference lists ExclusionPath, ExclusionExtension and ExclusionProcess) and alert on Event ID 5007 changes, since the chain adds four exclusions before it does anything else; turn on PowerShell script block logging and module logging, which capture scripts even when the engine is hosted inside another process rather than powershell.exe; watch for scheduled tasks whose action is PowerShell with encoded or hidden-window arguments; and alert when a .tmp file or conhost.exe loads System.Management.Automation.dll. Modern endpoint detection tools include behaviour-based rules for exactly this kind of code injection and PowerShell abuse, but only if they are kept current and their exclusions have not been tampered with.

ClipBanker’s infection chain is a stark reminder that cyber threats are becoming increasingly sophisticated. What starts with a simple search can end with significant financial loss. By breaking down each step, we hope to empower users and security professionals alike to recognize and thwart such attacks before they succeed.