New USB-Spreading Malware Targets Cryptocurrency Wallets
Microsoft has identified a sophisticated malware campaign that specifically targets crypto wallets and spreads through infected USB drives. The malicious software, dubbed "crypto clipper" and classified as Trojan:Win32/CryptoBandits, has been actively compromising Windows systems since February 2024.
The attack begins when users insert an infected USB drive containing malicious shortcut files with .lnk extensions. These seemingly harmless files trick users into unknowingly installing a worm that immediately begins harvesting sensitive cryptocurrency information from their computers.
How the Malware Operates
Once installed, the malware operates on multiple fronts to maximize its effectiveness. The software continuously monitors Windows' clipboard memory every 500 milliseconds, scanning for copied seed phrases, private keys, and wallet addresses associated with popular cryptocurrencies like Bitcoin and Ethereum.
"When a user copies a recipient address to send funds, the worm silently replaces it with an attacker-controlled address before the user pastes, so the transfer goes to the attacker without any visible cue."
The stolen data is transmitted to cybercriminals through the Tor network, ensuring anonymous communication. Additionally, the malware captures five screenshots at ten-second intervals, providing attackers with visual confirmation of wallet activities and potentially revealing additional sensitive information.
Self-Propagating USB Infection
What makes this malware particularly dangerous is its ability to spread autonomously. When users connect clean USB drives to infected computers, the worm scans for common file types including Word documents, Excel spreadsheets, and PDFs. It then replaces these legitimate files with identically named shortcut files, effectively turning every USB drive into a potential infection vector.
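A defender-side triage check for the swap described above, written as an added example and not taken from Microsoft's tooling: it walks a removable drive and flags shortcut files whose name still carries a document extension (Explorer hides the `.lnk` suffix by default, so `report.docx.lnk` displays as `report.docx`), and lists any other `.lnk` on the drive as lower-priority. The sample drive layout and file names are constructed for the demo; a full triage would additionally parse each shortcut's target, which this heuristic deliberately avoids.

```python
"""Triage a removable drive for document-to-shortcut swaps (added example)."""
import os
import tempfile
from pathlib import Path

# Document types the article says the worm replaces with shortcuts.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}

HIGH = "document extension hidden behind .lnk"
LOW = "shortcut file on removable media"


def find_suspicious_shortcuts(root):
    """Return sorted (relative_path, reason) pairs for .lnk files under root.

    A .lnk whose stem still ends in a document extension (report.docx.lnk)
    is the pattern the article describes and is flagged HIGH; any other
    shortcut on removable media is unusual enough to list as LOW.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() != ".lnk":
                continue
            inner_ext = Path(p.stem).suffix.lower()  # ".docx" for "report.docx.lnk"
            reason = HIGH if inner_ext in DOC_EXTS else LOW
            hits.append((str(p.relative_to(root)), reason))
    return sorted(hits)


def build_sample_drive():
    """Create a constructed drive layout in a temp dir and return its path.

    Two swapped documents, one stray shortcut, and two untouched files.
    """
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "finance").mkdir()
    for rel in [
        "Q1_report.docx.lnk",        # swapped Word document
        "finance/budget.xlsx.lnk",   # swapped Excel sheet
        "finance/notes.pdf",         # untouched PDF
        "readme.lnk",                # shortcut with no document extension
        "slides.pptx",               # untouched, not a targeted type
    ]:
        (root / rel).write_bytes(b"constructed sample content")
    return str(root)


if __name__ == "__main__":
    for path, reason in find_suspicious_shortcuts(build_sample_drive()):
        print(f"{reason:40} {path}")
```

Run it against a mounted drive letter instead of the sample directory to triage real media; anything flagged HIGH should be treated as a compromised drive rather than cleaned file by file, since the original documents are already gone.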
This propagation method creates a chain reaction where infected USB drives can compromise multiple systems across different networks, making containment extremely challenging for organizations and individual users alike.
Microsoft's Security Recommendations
To combat this growing threat, Microsoft has issued several critical security recommendations for Windows users. The company advises disabling AutoRun functionality for removable media, which prevents automatic execution of files when USB drives are connected.
System administrators should implement group policies to block .lnk file execution on USB drives and restrict access to script hosts such as wscript.exe and cscript.exe. Microsoft Defender users can utilize specialized hunting queries to detect suspicious activity, particularly connections to local Tor proxies operating on port 9050.
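The hunting idea in the previous paragraph, connections to a local Tor SOCKS proxy on port 9050, as an added example that is not Microsoft's published Defender query: it parses constructed process-network events, keeps those that reach a loopback address on a Tor SOCKS port, and drops images that are expected Tor clients. The event format, the file paths and the allowlist are assumptions for the demo; port 9150 is the Tor Browser bundle's default SOCKS port and is included as a known value, not one the article mentions.

```python
"""Hunt process-network events for unexpected use of a local Tor SOCKS proxy (added example)."""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "time image dport")

# 9050 is the Tor daemon's default SOCKS port (from the article);
# 9150 is the Tor Browser bundle's default and is added as a known value.
TOR_SOCKS_PORTS = {9050, 9150}
LOOPBACK = {"127.0.0.1", "::1"}

# Images that legitimately talk to a local Tor SOCKS port. Assumption: tune per estate.
EXPECTED_TOR_CLIENTS = {"firefox.exe", "tor.exe"}

# Invented event format for the demo; map your EDR's fields onto these names.
EVENT_RE = re.compile(
    r"^(?P<time>\S+)\s+pid=(?P<pid>\d+)\s+image=(?P<image>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)

# Constructed sample events: one unknown binary in a user profile dir polling
# 9050 twice, Tor Browser's own firefox on 9150, and ordinary traffic.
SAMPLE_EVENTS = """\
2024-03-01T10:00:01Z pid=4120 image=C:\\Users\\alice\\AppData\\Roaming\\updater.exe dst=127.0.0.1 dport=9050
2024-03-01T10:00:03Z pid=2208 image=C:\\Mozilla\\firefox.exe dst=93.184.216.34 dport=443
2024-03-01T10:00:05Z pid=5100 image=C:\\TorBrowser\\Browser\\firefox.exe dst=127.0.0.1 dport=9150
2024-03-01T10:00:07Z pid=4120 image=C:\\Users\\alice\\AppData\\Roaming\\updater.exe dst=127.0.0.1 dport=9050
2024-03-01T10:00:09Z pid=7712 image=C:\\Windows\\System32\\svchost.exe dst=127.0.0.1 dport=135
"""


def parse_event(line):
    """Parse one event line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def hunt_tor_proxy_use(lines):
    """Return Hits for non-allowlisted images connecting to a loopback Tor SOCKS port."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["dst"] in LOOPBACK and ev["dport"] in TOR_SOCKS_PORTS:
            exe = ev["image"].rsplit("\\", 1)[-1].lower()
            if exe not in EXPECTED_TOR_CLIENTS:
                hits.append(Hit(ev["time"], ev["image"], ev["dport"]))
    return hits


def hunt_sample():
    """Run the hunt over the constructed sample events."""
    return hunt_tor_proxy_use(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for h in hunt_sample():
        print(f"{h.time} {h.image} -> loopback:{h.dport}")
```

A process outside any Tor installation that repeatedly reaches loopback:9050 is the signal; a single hit is worth a look, and the same image appearing in several hits from a user-writable directory is worth pulling the binary for analysis.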
The tech giant has also published a comprehensive list of indicators of compromise, including file hashes and .onion domain addresses used as command-and-control servers. Security teams can use these indicators to scan their networks for potential infections and take appropriate remediation measures.
This malware campaign highlights the evolving sophistication of cryptocurrency-focused cyberattacks. As digital assets become increasingly mainstream, cybercriminals continue developing new methods to exploit users' crypto wallets and steal valuable holdings. Users must remain vigilant about USB drive security and implement robust protective measures to safeguard their digital assets.