Microsoft Discovers New Lightweight Backdoor That Steals Cryptocurrencies

https://omg10.com/4/10736335

Microsoft says it has detected a new self-propagating malware that spreads through USB drives in search of cryptocurrency credentials, which it then sends to servers controlled by attackers.

The company named the worm Crypto Clipper because it monitors the contents of devices’ clipboards for patterns consistent with wallet addresses or seed phrases. When it finds one, the malware also takes five screenshots within a 10-second period. Both the credentials and the screenshots are then sent to the attacker via Tor, a networking protocol that provides anonymous routing by relaying traffic through a chain of nodes so that no single node's logs capture both the sending and the receiving IP address. Crypto Clipper establishes the Tor connection using a SOCKS5 proxy, a network protocol that sends traffic to a proxy server, which then forwards it to its final destination.

A lightweight backdoor

“Running this clipper is notable because it does not rely on a traditional installer or exposed IP-based C2 infrastructure,” Microsoft said Thursday. “Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and combines data theft with remote code execution, turning a financially motivated thief into a lightweight backdoor.”

Microsoft said it observed Crypto Clipper spreading via .lnk files on USB drives. These shortcut files store executable code. When an infected USB drive is connected to a device, the code checks whether the malware is already installed on the machine. If not, it downloads the malware through the Tor proxy. To better hide evidence of the worm, the malware scans the infected USB drive and gives its .lnk files names similar to those of the files already on the drive.
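One way a defender can triage a removable drive for the naming trick described above is to look for .lnk shortcuts whose names shadow another entry on the same drive. The script below is an added example written for this article, not Microsoft's tooling or code from the malware; it assumes a drive root path as input and builds its own constructed sample layout for the demonstration.

```python
import tempfile
from pathlib import Path


def find_masquerading_lnks(drive_root):
    """Return top-level .lnk files whose name shadows another entry on the drive.

    A shortcut named 'Photos.lnk' beside a 'Photos' folder, or 'Report.docx.lnk'
    beside 'Report.docx', is the pattern a USB worm uses to blend in. Comparison
    is case-insensitive because Windows file systems are. This is a heuristic:
    a legitimate user-made shortcut can match too, so treat hits as triage leads.
    """
    entries = list(Path(drive_root).iterdir())
    # Names (with and without extension) of everything that is not a shortcut.
    twin_names = set()
    for entry in entries:
        if entry.suffix.lower() == ".lnk":
            continue
        twin_names.add(entry.name.lower())
        twin_names.add(entry.stem.lower())
    suspicious = [
        entry.name
        for entry in entries
        if entry.suffix.lower() == ".lnk" and entry.stem.lower() in twin_names
    ]
    return sorted(suspicious)


def build_demo_drive_and_scan():
    """Construct a sample USB layout in a temp dir and scan it (made-up data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Photos").mkdir()
        (root / "Report.docx").write_bytes(b"constructed sample document")
        # Placeholder bytes stand in for real shortcut files; content is not parsed.
        (root / "Photos.lnk").write_bytes(b"L\x00\x00\x00")
        (root / "Report.docx.lnk").write_bytes(b"L\x00\x00\x00")
        (root / "My Shortcut.lnk").write_bytes(b"L\x00\x00\x00")  # benign: no twin
        return find_masquerading_lnks(root)


if __name__ == "__main__":
    for hit in build_demo_drive_and_scan():
        print("suspicious shortcut:", hit)
```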
