Crypto Threat: Malware Spreads via USB, Monitors Clipboard, and Steals Money
Microsoft has detected a new cyber threat dubbed "Crypto Clipper", a self-propagating malware that spreads through USB drives and aims to steal cryptocurrency credentials. The campaign, active since at least February, is notable for its "lightweight" design and its use of the Tor network to conceal communications with the attackers' servers, which makes tracking difficult.
The infection process begins when the victim inserts an infected USB drive. The malware exploits shortcut files (.lnk) to hide its presence, replacing original files with malicious shortcuts that bear the same name. Upon the first launch of one of these shortcuts, Crypto Clipper installs itself and checks for other USB storage devices. Once a new drive is detected, the worm autonomously copies itself, replicating the malicious .lnk files and establishing a scheduled task to monitor future connections.
The Logic Behind the Theft: Clipboard, Screenshots, and Anonymous Communication
The operational core of Crypto Clipper, as explained by Microsoft, is its monitoring of the device's clipboard. The malware scans clipboard content for patterns that match cryptocurrency wallet addresses or recovery seed phrases. Among the sought-after data are BIP39 seed phrases of 12 or 24 words, Ethereum private keys, Bitcoin WIF keys, and Bitcoin addresses of various types (legacy, P2SH, Bech32, Taproot), as well as Tron and Monero addresses.
When it detects a match, the malware replaces the legitimate address copied by the victim with one controlled by the attackers. The destination address is chosen deliberately: it is selected to partially resemble the original, reducing the likelihood that the user will notice the swap at a quick glance. Alongside this, Crypto Clipper also captures five screenshots of the victim's screen within ten seconds, giving the attackers valuable visual context.
Microsoft has highlighted how the execution of Crypto Clipper is remarkable for its autonomy. The malware does not rely on a traditional installer or on IP-exposed Command and Control (C2) infrastructures. Instead, it distributes a portable Tor client (often identified as ugate.exe) and routes traffic through a local SOCKS5 proxy. This mechanism ensures the anonymity of communications, sending stolen credentials and screenshots to the malicious servers without leaving obvious traces.
This integration of data theft with remote code execution capabilities turns the simple "clipper" into a "lightweight" backdoor. Attackers can download JavaScript content into a file named cfile and execute it on the infected machine via an EVAL command sent from the C2 server, extending their control over the compromised host. The theft component is triggered only after verifying that Task Manager is not running, an additional tactic to evade detection.
Microsoft researchers suggest that the strongest indicators of a Crypto Clipper infection are behavioral rather than based on specific signatures. It is crucial to monitor unusual activities of processes like wscript.exe and cscript.exe, alongside unexpected launches of curl, PowerShell, and cmd.exe, accompanied by anomalous child processes. Additional warning signs include connections to localhost:9050 and any activity related to Tor proxies, indicating the presence and operability of the malware.
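As an added illustration of the behavioral indicators above (example code written for this article, not Microsoft's detection logic), the following Python checks constructed process-creation and network events against two of the described signals: a script host (wscript.exe or cscript.exe) spawning curl, PowerShell or cmd.exe, and a connection to the local Tor SOCKS port 9050. The key=value event format and its field names are assumptions made for the example.

```python
import re

# Constructed sample telemetry (not real logs) in a simplified key=value format;
# the field names are an assumption for this example, not a vendor schema.
SAMPLE_EVENTS = [
    "type=process parent=explorer.exe image=wscript.exe",
    "type=process parent=wscript.exe image=curl.exe",
    "type=process parent=wscript.exe image=cmd.exe",
    "type=network image=curl.exe dest=127.0.0.1 port=9050",
    "type=process parent=explorer.exe image=notepad.exe",
    "type=network image=chrome.exe dest=203.0.113.10 port=443",
    "type=process parent=cmd.exe image=powershell.exe",
]

# Indicators taken from the article: script hosts launching tooling, and
# traffic to the default Tor SOCKS port on the loopback interface.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_CHILDREN = {"curl.exe", "powershell.exe", "cmd.exe"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
TOR_SOCKS_PORT = "9050"

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict with lower-cased values."""
    return {k: v.lower() for k, v in _KV.findall(line)}


def detect(lines):
    """Return (rule, detail) tuples for events matching the behavioral indicators."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") == "process":
            # A script host spawning curl/PowerShell/cmd is the anomalous
            # parent-child relationship the article calls out.
            if ev.get("parent") in SCRIPT_HOSTS and ev.get("image") in SUSPICIOUS_CHILDREN:
                alerts.append(("script_host_spawns_tool", f"{ev['parent']} -> {ev['image']}"))
        elif ev.get("type") == "network":
            # Any process talking to localhost:9050 suggests a local Tor proxy.
            if ev.get("dest") in LOOPBACK and ev.get("port") == TOR_SOCKS_PORT:
                alerts.append(("local_tor_socks_proxy", f"{ev.get('image')} -> {ev['dest']}:{ev['port']}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, detail)
```

The sample hits three of the seven constructed events; the cmd.exe-to-powershell.exe line is deliberately left unflagged because its parent is not a script host, so a real deployment would chain this with the other signals the article lists rather than rely on it alone.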