Trojanized Proxifier Distributes ClipBanker Malware via Multi‑Stage Injection Chain
What Happened – A malicious actor has been publishing a trojanized version of the legitimate Proxifier proxy tool on a public GitHub repository. The wrapper installs the real Proxifier while simultaneously deploying a chain of .NET‑based injectors that add Microsoft Defender exclusions, create hidden scheduled tasks, and drop the ClipBanker banking‑trojan onto the host.
Why It Matters for TPRM –
- Supply‑chain compromise of a widely‑used development‑tool can silently infect third‑party environments.
- The malware establishes persistent PowerShell execution that can harvest credentials and financial data.
- Detection is difficult because the initial payload masquerades as a trusted installer.
Who Is Affected – Software development firms, DevOps teams, and any organization that downloads or automates Proxifier installers from third‑party repositories (TECH_SAAS, ENDPOINT_SEC).
Recommended Actions –
- Block downloads of Proxifier installers from unofficial sources; enforce vendor‑approved download locations.
- Harden endpoint protection to prevent Defender exclusion bypasses and unsigned PowerShell injection.
- Audit existing systems for the presence of the described stub files, scheduled tasks, and registry keys.
Technical Notes – The infection chain starts with a tiny stub (Proxifier???tmp) that is injected with api_updater.exe, which runs a hidden PowerShell script via PSObject. Subsequent injectors (proxifierupdater.exe, bin.exe) add exclusions for powershell.exe and conhost.exe, write a Base64‑encoded PowerShell payload to HKLM\SOFTWARE\System::Config, and schedule it via a task that reads and decodes the registry entry. The final payload drops ClipBanker, a banking‑trojan capable of credential theft and transaction interception. Source: SecureList – ClipBanker Malware Distributed via Trojanized Proxifier
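To make the audit step in Recommended Actions concrete, the following PowerShell script hunts a Windows host for the artifacts the Technical Notes describe: Defender process exclusions for powershell.exe and conhost.exe, a Base64‑looking value under HKLM\SOFTWARE\System::Config, a scheduled task that launches PowerShell to read and decode a registry entry, and the dropped executables named above. This is an added example written for this bulletin, not code from SecureList or from the Proxifier vendor. The directories it searches, the `Proxifier*tmp` glob standing in for the stub name, and the strings it matches in task arguments are assumptions; the registry key path is used exactly as the bulletin gives it.

```powershell
# Added audit script (not from the SecureList report). Run elevated; exits 1 if anything is found.
#Requires -RunAsAdministrator

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Defender process exclusions the injectors are reported to add
$suspectExclusions = @('powershell.exe', 'conhost.exe')
try {
    foreach ($e in (Get-MpPreference).ExclusionProcess) {
        foreach ($s in $suspectExclusions) {
            if ($e -and $e.ToLower().EndsWith($s)) {
                $Findings.Add("Defender process exclusion present: $e")
            }
        }
    }
} catch {
    Write-Warning "Could not query Defender preferences: $_"
}

# 2. Registry location holding the Base64-encoded PowerShell payload.
#    Key name taken verbatim from the bulletin; opened through .NET so the '::' in the
#    name is not interpreted as a PowerShell provider prefix.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\System::Config')
if ($key) {
    $Findings.Add('Registry key HKLM\SOFTWARE\System::Config exists (not present on a clean host)')
    foreach ($name in $key.GetValueNames()) {
        $val = [string]$key.GetValue($name)
        # A long run of Base64 alphabet characters is the shape of a stored encoded script
        if ($val -match '^[A-Za-z0-9+/=\s]{64,}$') {
            $Findings.Add("Value '$name' holds $($val.Length) chars of Base64-looking data")
        }
    }
    $key.Close()
}

# 3. Scheduled tasks that start PowerShell and reference a registry read plus a decode step.
#    The argument patterns are assumptions about how such a task is typically written.
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        $usesPs   = $cmd -match 'powershell'
        $decodes  = $cmd -match 'FromBase64String|-EncodedCommand|-enc\b'
        $readsReg = $cmd -match 'HKLM|Registry::|Get-ItemProperty'
        if ($usesPs -and $decodes -and $readsReg) {
            $hidden = if ($task.Settings.Hidden) { ' [hidden]' } else { '' }
            $Findings.Add("Task '$($task.TaskPath)$($task.TaskName)'$hidden decodes a registry-stored payload: $cmd")
        }
    }
}

# 4. Dropped files named in the report. Search roots and the stub glob are assumptions.
$dropNames   = @('api_updater.exe', 'proxifierupdater.exe', 'bin.exe')
$searchRoots = @($env:TEMP, $env:LOCALAPPDATA, $env:ProgramData)
foreach ($root in $searchRoots) {
    if (-not $root -or -not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { ($dropNames -contains $_.Name.ToLower()) -or ($_.Name -like 'Proxifier*tmp') } |
        ForEach-Object {
            $Findings.Add("Suspect file: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))")
        }
}

if ($Findings.Count -eq 0) {
    Write-Host 'No Proxifier/ClipBanker artifacts found on this host.'
} else {
    Write-Host "$($Findings.Count) finding(s):"
    $Findings | ForEach-Object { Write-Host " - $_" }
    exit 1
}
```

Any single finding is worth a closer look, but the combination of a Defender exclusion for powershell.exe, a Base64 value under the named key, and a task that decodes it matches the chain end to end and should be treated as a confirmed compromise rather than a false positive. The non‑zero exit code lets the script be dropped into a fleet‑wide job (for example through an EDR live‑response or a configuration‑management run) so affected hosts surface automatically.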