Microsoft discovers new malware that steals cryptocurrencies

Microsoft has revealed a new self-propagating malware it calls “Crypto Clipper,” which spreads through USB storage devices, steals cryptocurrency wallet data and sends it to attacker-controlled servers.

According to the company, the malware monitors the clipboard on infected devices for cryptocurrency wallet addresses or recovery seed phrases, which typically consist of 12 or 24 words. When such data is detected, the malware captures five screenshots within ten seconds and sends them, together with the captured clipboard contents, to the attackers over the Tor network, which hides where the traffic is going.

A lightweight but dangerous backdoor
Microsoft explained that the malware does not rely on a traditional installer or on command-and-control infrastructure reachable at fixed internet addresses. Instead, it uses a portable version of the Tor browser and routes its communications through the local SOCKS5 proxy that Tor exposes, so the destination of the traffic is not visible on the network and is harder to trace.

The company said this approach turns a financial theft tool into what resembles a “lightweight backdoor,” allowing attackers to remotely execute commands on infected devices in addition to stealing data.

Spread via USB devices
Microsoft observed the malware spreading through shortcut files with the “.LNK” extension on USB drives. When the drive is connected to a new machine, the malware first checks whether it is already present on the system. If not, it downloads its components over the Tor network.
To hide its presence, it creates shortcut files whose names mimic legitimate files already stored on the infected USB drive, so a user browsing the drive is unlikely to notice them.

Replacing wallet addresses
“Crypto Clipper” does not only steal wallet data; it also replaces a copied cryptocurrency wallet address with one belonging to the attackers, so that a payment the victim pastes into a transaction is redirected to the attackers’ wallet without the victim noticing.
Microsoft suggests that the captured screenshots give the attackers additional context, for example which wallet or exchange the victim was using, that helps them understand or exploit the stolen data.
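The clipboard behaviour described in the two passages above, as an added example in Python (not Microsoft's detection logic and not the malware's code): a classifier that recognises Bitcoin and Ethereum address formats and 12- or 24-word seed phrases, plus a small guard that remembers what the user actually copied and raises an alert the moment the clipboard holds a different address of the same kind, which is exactly what a clipper does. The address regexes, the seed-phrase heuristic and the sample addresses are assumptions for illustration; real tooling would also validate address checksums and match against the BIP-39 word list.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Address formats below are public conventions, used here as illustrative heuristics;
# the malware's own matching rules are not published in the article.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),  # base58: no 0/O/I/l
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,87}$"),        # bech32 charset
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
# BIP-39 words are 3 to 8 lowercase letters; a real tool would check the word list.
SEED_WORD = re.compile(r"^[a-z]{3,8}$")


def classify(text: str) -> Optional[str]:
    """Return the kind of wallet secret a clipboard string looks like, or None."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    words = s.split()
    if len(words) in (12, 24) and all(SEED_WORD.match(w) for w in words):
        return "seed_phrase"
    return None


@dataclass
class ClipboardGuard:
    """Remembers the value the user deliberately copied and reports when the
    clipboard later holds a different address of the same kind, which is the
    signature of a clipper swapping in the attacker's wallet."""
    expected: Optional[str] = None
    alerts: list = field(default_factory=list)

    def on_user_copy(self, text: str) -> None:
        # Called when the copy is known to come from the user (e.g. a hotkey hook).
        self.expected = text.strip()

    def on_clipboard_read(self, text: str) -> Optional[dict]:
        # Called whenever the clipboard is about to be pasted or is polled.
        current = text.strip()
        if self.expected is None or current == self.expected:
            return None
        before, after = classify(self.expected), classify(current)
        if before is not None and before == after:
            alert = {"kind": after, "expected": self.expected, "found": current}
            self.alerts.append(alert)
            return alert
        return None


def run_demo() -> list:
    """Constructed sequence: the user copies a payee address, the clipboard is
    silently swapped for another address, then the user copies plain text."""
    payee = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"     # well-known example address
    attacker = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # another well-known address
    guard = ClipboardGuard()
    guard.on_user_copy(payee)
    guard.on_clipboard_read(payee)       # unchanged: no alert
    guard.on_clipboard_read(attacker)    # swapped for a different address: alert
    guard.on_user_copy("meeting notes")
    guard.on_clipboard_read("meeting notes")
    return guard.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"clipper alert: {a['kind']} {a['expected']} -> {a['found']}")
```

Note that the guard only alerts when the replacement is an address of the same kind as the one copied; a change from an address to unrelated text is normal clipboard use, and that distinction is what keeps the check quiet on a healthy machine.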

Indicators of infection
The company noted that Microsoft Defender detects the malware as “Trojan:Win32/CryptoBandits.A.” Key indicators of infection include suspicious script execution, connections to local port 9050 (the default Tor SOCKS port), execution of screenshot-capturing commands, clipboard monitoring, and replacement of cryptocurrency addresses in the clipboard.
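The indicators listed above, as an added example (Python; not Microsoft's or Defender's detection logic) of how a responder could triage them from endpoint telemetry: it scans constructed process and network events for script hosts whose command lines call clipboard or screen-capture APIs and for connections to local port 9050, correlates them per host, and checks a removable drive's file listing for .LNK files named after files already on the drive. The key=value event format, the sample lines and the API-name fragments (public .NET and PowerShell names) are assumptions; the article does not publish the malware's real command lines.

```python
import re
from collections import defaultdict

# Constructed telemetry in a simple key=value format (not a real EDR schema).
SAMPLE_EVENTS = [
    'host=WS01 type=process pid=4120 image=powershell.exe cmd="powershell -w hidden -ep bypass -c [Windows.Forms.Clipboard]::GetText()"',
    'host=WS01 type=network pid=4120 dst=127.0.0.1 dport=9050 proto=tcp',
    'host=WS01 type=process pid=4120 image=powershell.exe cmd="powershell -c $g=[Drawing.Graphics]::FromImage($b); $g.CopyFromScreen(0,0,0,0,$b.Size)"',
    'host=WS02 type=process pid=771 image=tor.exe cmd="tor.exe -f torrc"',
    'host=WS02 type=network pid=771 dst=127.0.0.1 dport=9050 proto=tcp',
    'host=WS03 type=process pid=900 image=explorer.exe cmd="explorer.exe"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TOR_SOCKS_PORT = "9050"
# Public API names a script would use; assumed here, not taken from the malware.
SCREENSHOT_HINTS = ("copyfromscreen",)
CLIPBOARD_HINTS = ("get-clipboard", "set-clipboard", "clipboard]::gettext", "clipboard]::settext")


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict, keeping quoted values intact."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def indicators_for(ev: dict) -> list:
    """Map one event to the indicator names it triggers."""
    found = []
    cmd = ev.get("cmd", "").lower()
    if ev.get("type") == "process" and ev.get("image", "").lower() in SCRIPT_HOSTS:
        found.append("script_host")
        if any(h in cmd for h in SCREENSHOT_HINTS):
            found.append("screenshot_api")
        if any(h in cmd for h in CLIPBOARD_HINTS):
            found.append("clipboard_api")
    if ev.get("type") == "network" and ev.get("dst") == "127.0.0.1" and ev.get("dport") == TOR_SOCKS_PORT:
        found.append("tor_socks_9050")
    return found


def triage(lines) -> dict:
    """Collect the set of indicators seen on each host."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for ind in indicators_for(ev):
            per_host[ev["host"]].add(ind)
    return dict(per_host)


def verdict(indicators: set) -> str:
    """Require the Tor SOCKS port plus a script-based clipboard or screenshot
    behaviour; port 9050 alone is just a Tor client and would be noisy."""
    if "tor_socks_9050" in indicators and indicators & {"screenshot_api", "clipboard_api"}:
        return "likely_crypto_clipper"
    return "review" if indicators else "clean"


def find_decoy_lnks(listing) -> list:
    """Flag .lnk files on a removable drive whose name mirrors another file there,
    e.g. 'Invoice.pdf.lnk' beside 'Invoice.pdf' or 'photos.lnk' beside 'photos'."""
    names = {n.lower() for n in listing}
    stems = {n.lower().rsplit(".", 1)[0] for n in listing if not n.lower().endswith(".lnk")}
    decoys = []
    for n in listing:
        low = n.lower()
        if not low.endswith(".lnk"):
            continue
        base = low[:-4]
        if base in names or base.rsplit(".", 1)[0] in stems:
            decoys.append(n)
    return decoys


if __name__ == "__main__":
    for host, inds in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, verdict(inds), sorted(inds))
    print("decoy shortcuts:", find_decoy_lnks(["Invoice.pdf", "Invoice.pdf.lnk", "photos", "photos.lnk", "README.txt"]))
```

The correlation step matters more than any single indicator: a legitimate Tor client also talks to 127.0.0.1:9050, and PowerShell reading the clipboard is common in admin scripts, so the verdict only fires when both the Tor SOCKS traffic and a script-driven clipboard or screenshot behaviour appear on the same host.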

Microsoft warned that this class of malware shows how small, script-based tools can cause significant damage once combined with anonymity networks and remote-control capabilities.

AlGhad