Quick Facts
- Category: Finance & Crypto
- Published: 2026-05-03 09:12:40
ClipBanker is a notorious Trojan that relies on an unusually long and layered infection chain to steal cryptocurrency. The process starts with a seemingly innocent web search and ends with a persistent script that harvests crypto wallet credentials. Below, we break down this marathon infection into key questions to help you understand each stage.
1. How does the ClipBanker infection typically begin?
The infection kicks off when a user searches the web for “Proxifier” — a type of software that tunnels traffic for programs lacking native proxy support. Among the top search results, a link to a GitHub repository appears. That repository hosts source code for a simple proxy service, but the trap lies in the Releases section. There, an archive contains an executable file that is actually a malicious wrapper bundled around the legitimate Proxifier installer. A text file with activation keys is also included to make the package look convincing. Once the user downloads and runs that executable, the Trojan gains its first foothold on the system.

2. Why does ClipBanker specifically target searches for Proxifier?
Proxifier tools are commonly used in secure development environments to route traffic for applications that cannot use proxies natively. Because developers and IT professionals often seek these utilities, they become a perfect lure for attackers. The term “Proxifier” also matches the name of a popular paid software by VentoByte, which increases the likelihood that users will search for cracks or activation keys. By poisoning the search results with a GitHub project that mimics a legitimate proxy service, the attackers capitalize on the high demand for free or cracked proxies. The malicious package offers “free” activation keys, further lowering the victim’s guard.
3. What happens immediately after the trojanized executable is launched?
Once executed, the malicious wrapper first creates a tiny stub file (about 1.5 KB) in the temp directory, named something like Proxifier??? .tmp. This stub is initially inert and serves as a donor process. The Trojan then injects a .NET application called api_updater.exe into this stub. That .NET app uses the PSObject class to run a PowerShell script directly inside the current process — without launching a separate console or interpreter window. The script’s job is to add exclusions to Microsoft Defender for all .TMP files and for the directory containing the running executable. This action disables future detection of temporary files used in later stages.
4. How does ClipBanker maintain persistence after the initial infection?
After setting the Defender exclusions, the trojanized proxifier.exe extracts and launches the real Proxifier installer to distract the user. Simultaneously, the malware creates another donor process and injects a module named proxifierupdater.exe. This second injector launches the system utility conhost.exe and injects it with another .NET application called bin.exe. Using the same PSObject technique, bin.exe runs an obfuscated PowerShell script. That script performs four key actions: it adds both powershell.exe and conhost.exe to Defender exclusions, creates a registry key at HKLM\SOFTWARE\System::Config containing a Base64-encoded script, sets up a scheduled task to launch PowerShell with a separate script that reads and executes the registry-stored payload, and then runs that task.

5. What is the purpose of the scheduled task created by the Trojan?
The scheduled task is the final persistence mechanism. It triggers a PowerShell command that executes a script embedded as an argument. That script reads the content of the registry key created earlier (HKLM\SOFTWARE\System::Config), decodes the Base64 string, and then runs the decoded script. The decoded script is the actual payload — presumably designed to steal cryptocurrency wallet information from the victim’s machine. By storing the main payload in the registry and using a scheduled task to launch it, the attackers ensure that even if the initial dropper files are removed, the malicious code can still run at system boot or on a recurring schedule. This multi-layered approach makes cleanup particularly difficult.
6. Why does ClipBanker use such a long and complex infection chain?
The marathon infection chain serves several purposes. First, it evades detection by splitting malicious actions across multiple processes and using legitimate utilities (conhost.exe) as injection targets. Second, it bypasses security software by adding specific exclusions early in the chain, so subsequent temporary files and PowerShell scripts are not flagged. Third, the use of donor processes and in-memory script execution (PSObject) avoids writing suspicious files to disk, which traditional antivirus scanners look for. Finally, the staged approach gives the malware multiple chances to complete its mission — even if one step fails, another may succeed. It’s a textbook example of defense evasion and persistence combined.
7. What are the four specific actions performed by the final obfuscated PowerShell script?
The final script, delivered via the injection into conhost.exe, executes exactly four actions: (1) It adds both powershell.exe and conhost.exe to the Microsoft Defender exclusion list, ensuring that all future PowerShell activity on the host is trusted. (2) It creates a registry key at HKLM\SOFTWARE\System::Config and stores a Base64-encoded PowerShell script inside that key. (3) It sets up a scheduled task that launches PowerShell with another script as an argument. That second script is designed to read the content of the registry key, decode it, and pass control to the decoded payload. (4) It executes the scheduled task to activate the persistence chain. Note that all strings are obfuscated and partially encoded to hinder analysis.
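The persistence artifacts described in questions 4, 5 and 7 (Defender exclusions, the registry-stored Base64 payload, and the scheduled task that decodes it) can be checked for directly on a suspect host. The following triage script is an added example and not code from the original article or from the malware analysis it summarizes; it assumes an elevated PowerShell session on Windows with Microsoft Defender installed, and the only value taken from the article is the key name HKLM\SOFTWARE\System::Config.

```powershell
# Added example (not from the original article): triage a Windows host for the
# three persistence artifacts the write-up describes. Assumes an elevated session;
# the key name SOFTWARE\System::Config comes from the article, all else is assumed.
function Find-ClipBankerArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Defender exclusions the chain adds: .TMP files, powershell.exe, conhost.exe
    $pref = Get-MpPreference
    foreach ($ext in @($pref.ExclusionExtension) | Where-Object { $_ }) {
        if ($ext -match '^\.?tmp$') { $findings.Add("Defender extension exclusion: $ext") }
    }
    foreach ($proc in @($pref.ExclusionProcess) | Where-Object { $_ }) {
        if ($proc -match '(?i)(powershell|conhost)\.exe$') {
            $findings.Add("Defender process exclusion: $proc")
        }
    }
    foreach ($path in @($pref.ExclusionPath) | Where-Object { $_ }) {
        # The dropper excludes its own directory, so every path exclusion deserves review
        $findings.Add("Defender path exclusion (review): $path")
    }

    # 2. Registry key holding the Base64-encoded payload. The .NET API is used so the
    #    '::' in the key name is never interpreted as a PowerShell provider qualifier.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\System::Config')
    if ($null -ne $key) {
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            # A long run of Base64 characters is the payload the scheduled task decodes
            if ($data -match '^[A-Za-z0-9+/=\s]{64,}$') {
                $findings.Add("Base64 blob in HKLM\SOFTWARE\System::Config value '$name' ($($data.Length) chars)")
            }
        }
        $key.Close()
    }

    # 3. Scheduled tasks whose action runs PowerShell that reads the registry / decodes Base64
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '(?i)powershell' -and
                $cmd -match '(?i)(FromBase64String|System::Config|Get-ItemProperty|-enc)') {
                $findings.Add("Suspicious task $($task.TaskPath)$($task.TaskName): $cmd")
            }
        }
    }
    return $findings
}

Find-ClipBankerArtifacts | ForEach-Object { Write-Host $_ }
```

An empty result means none of the three artifacts is present in the form the article describes; it does not clear the host of the earlier in-memory stages, which leave no file or registry trace to query.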