New lightweight, self-propagating crypto-stealing malware delivered by USB spotted by Microsoft researchers – Crypto Clipper script-based stealer hunts for exposed wallets
Microsoft details a newly discovered wormlike infostealer
- Microsoft warns of “Crypto Clipper,” a worm spreading via malicious .LNK files on USB drives
- Malware maintains persistence, connects to Tor C2, enables remote code execution, and steals clipboard crypto data
- It swaps wallet addresses, exfiltrates seed phrases/private keys, and uploads screenshots to assess target value
Microsoft is warning of an ongoing campaign targeting cryptocurrency owners with a clipboard-jacking worm.
In a new in-depth report published late last week, Microsoft’s security researchers explained that they recently analyzed a thumb drive that appeared to contain ordinary documents (Word files, Excel spreadsheets). In reality the documents had been replaced with Windows shortcut (.LNK) files which, when opened, launched a piece of malware called Crypto Clipper.
The malware plays three roles. First, it is a worm: it spreads by creating malicious .LNK files on USB drives and other removable media, and it sets up scheduled tasks both to maintain persistence and to automatically infect newly connected USB devices. Second, it is a backdoor: it regularly contacts a command-and-control (C2) server over the Tor network and receives commands from the attacker, including commands to download and execute attacker-supplied code on the infected system.
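One way to triage a removable drive for the lure described above is to look for shortcut files whose names end in a document extension (report.docx.lnk) and check that they really carry a Shell Link header. The following is an added example, not Microsoft's or TechRadar's code and not tied to any specific Crypto Clipper indicator; the sample drive it scans is constructed in a temporary directory, and the document extension list is an assumption you would tune to your environment.

```python
"""Triage a removable-media root for .LNK files that masquerade as documents.

Added example (not from Microsoft's report). It flags the pattern the article
describes: a *.lnk whose stem ends in a document extension, optionally noting
that the document it impersonates is no longer present beside it.
"""
import os
import struct
import tempfile
import uuid

# Shell Link header: HeaderSize is always 0x4C, followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 stored little-endian on disk.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le

# Assumed list of document extensions worth impersonating; tune for your estate.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx", ".txt"}


def is_shell_link(path):
    """True if the first 20 bytes match a Shell Link header (size + CLSID)."""
    try:
        with open(path, "rb") as f:
            head = f.read(20)
    except OSError:
        return False
    if len(head) < 20:
        return False
    (size,) = struct.unpack("<I", head[:4])
    return size == LNK_HEADER_SIZE and head[4:20] == LNK_CLSID


def find_masquerading_lnk(root):
    """Return [(path, reason)] for shortcuts whose names look like documents."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".lnk":
                continue
            _inner, inner_ext = os.path.splitext(stem)
            if inner_ext.lower() not in DOC_EXTS:
                continue
            full = os.path.join(dirpath, name)
            reasons = ["document-style double extension"]
            if stem not in present:
                reasons.append("original %s missing" % stem)
            if not is_shell_link(full):
                reasons.append("not a valid Shell Link header")
            hits.append((full, "; ".join(reasons)))
    return hits


def build_sample_drive(base):
    """Constructed sample: a benign spreadsheet, a lure, and a normal shortcut."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    with open(os.path.join(base, "budget.xlsx"), "wb") as f:
        f.write(b"PK\x03\x04")  # xlsx is a zip; the magic is enough here
    with open(os.path.join(base, "report.docx.lnk"), "wb") as f:
        f.write(header)  # the lure: document name, shortcut content
    with open(os.path.join(base, "Notepad.lnk"), "wb") as f:
        f.write(header)  # an ordinary shortcut, should not be flagged
    return base


def demo():
    """Scan the constructed drive and return basename/reason pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return [(os.path.basename(p), r) for p, r in find_masquerading_lnk(tmp)]


if __name__ == "__main__":
    for name, reason in demo():
        print(name, "->", reason)
```

Run it against a real drive root instead of the constructed sample by calling `find_masquerading_lnk("E:\\")`; a hit is a reason to pull the shortcut's target and arguments before touching anything else on the drive.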
Stealing wallet data
Third, Crypto Clipper acts as a clipboard clipper: it monitors the Windows clipboard for cryptocurrency wallet addresses, seed phrases, and private keys. If it spots a wallet address, it replaces it with one controlled by the attackers, so that any tokens the victim sends go to the attacker instead. The swap only succeeds if the victim does not compare the pasted address with the intended one before confirming the transaction. Copied seed phrases and private keys are stolen and exfiltrated; with those, the attackers can import the victim's wallet on a device of their own and empty it.
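The matching a clipper performs is simple pattern recognition, and the defensive counterpart is equally simple: remember what was copied and compare it with what the clipboard holds at paste time. The following is an added example, not code from Microsoft's report or from the malware; the regular expressions are generic wallet-format patterns rather than Crypto Clipper's own, the addresses are constructed strings that pass those patterns and are not real wallets, and real clipboard I/O is left out so the code runs offline.

```python
"""Recognise wallet material in clipboard text and detect an in-place swap.

Added example, not from Microsoft's report. classify() shows the kind of
matching a clipper relies on; simulate_clipper() shows the swap in a harmless
simulation; ClipboardGuard is the defensive check a user or endpoint agent can
apply before a paste reaches a wallet UI.
"""
import re

# Generic format patterns (assumption: these are the formats worth watching).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
# BIP39 phrases are 12/15/18/21/24 lowercase words; the wordlist check is omitted.
SEED_WORD_COUNTS = {12, 15, 18, 21, 24}

# Constructed demo addresses: valid in shape only, not real wallets.
VICTIM_BTC = "1VictimAddrForDemoABCDEFGHJKMNPQR"
ATTACKER_BTC = "1SwappedAddrForDemoABCDEFGHJKMNPQ"


def classify(text):
    """Return the wallet-material kind of a clipboard string, or None."""
    t = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(t):
            return kind
    words = t.split()
    if len(words) in SEED_WORD_COUNTS and all(w.isalpha() and w.islower() for w in words):
        return "seed_phrase"
    return None


def simulate_clipper(clipboard_text, attacker_addresses):
    """Return the text a clipper would write back: same-kind attacker address, if any."""
    kind = classify(clipboard_text)
    if kind in attacker_addresses:
        return attacker_addresses[kind]
    return clipboard_text


class ClipboardGuard:
    """Remember the last copy; flag a same-kind address that differs at paste time."""

    def __init__(self):
        self.copied = None

    def on_copy(self, text):
        self.copied = text.strip()

    def check_paste(self, clipboard_now):
        """Return an alert dict if the clipboard was swapped, else None."""
        now = clipboard_now.strip()
        kind_then = classify(self.copied or "")
        kind_now = classify(now)
        if kind_then is None or kind_now is None:
            return None
        if kind_then == kind_now and now != self.copied:
            return {"kind": kind_now, "expected": self.copied, "found": now}
        return None


if __name__ == "__main__":
    guard = ClipboardGuard()
    guard.on_copy(VICTIM_BTC)
    tampered = simulate_clipper(VICTIM_BTC, {"btc_legacy": ATTACKER_BTC})
    print(guard.check_paste(tampered))
```

The guard deliberately ignores a change of kind (copying an address, then copying a sentence) and only alerts when the clipboard holds a different address of the same format, which is exactly what a clipper produces and what a user rarely notices by eye.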
To help attackers assess the value of a target, the malware periodically captures screenshots of the victim's screen and uploads them through the Tor network.
“This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking,” Microsoft said. “The combination of Tor-routed C2, clipboard targeting, screenshot capture, and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices.”
Microsoft did not say if the malware targeted any specific countries or regions, nor did it discuss the number of victims.
Via Ars Technica

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.