- Microsoft Warns About “Crypto Clipper,” A Worm That Spreads Via Malicious .LNK Files On USB Drives
- Malware maintains persistence, connects to a Tor C2, enables remote code execution and steals cryptocurrency data (wallet addresses, seed phrases, private keys) from the clipboard
- It swaps wallet addresses, exfiltrates seed phrases/private keys and uploads screenshots to assess the target value
Microsoft is warning of an ongoing campaign targeting cryptocurrency owners with a clipboard-jacking worm.
In an in-depth report published at the end of last week, Microsoft security researchers explained that they recently analyzed a thumb drive that appeared to hold ordinary documents (Word files, Excel spreadsheets). On closer inspection, the documents had been replaced by Windows shortcut files (.LNK) that, when opened, launched the malware Microsoft calls Crypto Clipper.
The malware does three things. First, it spreads: it plants malicious .LNK files on USB drives and other removable media, and it registers scheduled tasks so that it survives reboots and automatically infects any USB device that is later plugged in. Second, it acts as a backdoor: it regularly contacts a command-and-control (C2) server over the Tor network and executes whatever commands the operator sends, including commands to download and run additional attacker-supplied code on the infected system.
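The report describes the infection vector (document-lookalike shortcut files on removable media) in prose only. The script below is an added triage example written for this page, not Microsoft's or TechRadar's code and not derived from a real sample: it walks a drive root, flags any .lnk whose name still carries a document extension (Report.docx.lnk) and any .lnk whose body references a script host such as powershell or wscript. The sample "drive" it scans is constructed in a temp directory; the target strings inside the fake shortcuts are made up for the demo.

```python
"""Offline triage of a removable drive for document-lookalike .LNK droppers.

Added example for this page (not Microsoft's code). Two heuristics:
  1. a .lnk whose stem still ends in a document extension (Report.docx.lnk),
  2. a .lnk whose body mentions a script host (powershell, wscript, ...).
Shell Link files store paths/arguments as UTF-16LE, so both encodings are searched.
"""
import tempfile
from pathlib import Path

LNK_MAGIC = bytes.fromhex("4c000000")                     # HeaderSize of a Shell Link
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx", ".txt"}
LAUNCHERS = ["powershell", "pwsh", "cmd.exe", "wscript", "cscript",
             "mshta", "rundll32", "regsvr32"]


def lnk_indicators(data: bytes) -> list:
    """Return the launcher tokens found in a .lnk body (ASCII or UTF-16LE, case-folded)."""
    low = data.lower()          # bytes.lower() folds ASCII only; NUL bytes are untouched
    hits = []
    for tok in LAUNCHERS:
        if tok.encode() in low or tok.encode("utf-16-le") in low:
            hits.append(tok)
    return hits


def scan_removable_root(root: str) -> list:
    """Walk a drive root and return [{'path': ..., 'reasons': [...]}] for suspicious .lnk files."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".lnk":
            continue
        reasons = []
        inner_ext = Path(path.stem).suffix.lower()   # "Q3 Report.docx.lnk" -> ".docx"
        if inner_ext in DOC_EXTS:
            reasons.append(f"document lookalike name ({inner_ext}.lnk)")
        hits = lnk_indicators(path.read_bytes())
        if hits:
            reasons.append("references script host: " + ", ".join(hits))
        if reasons:
            findings.append({"path": str(path), "reasons": reasons})
    return findings


def build_sample_drive() -> str:
    """Create a CONSTRUCTED drive layout in a temp dir (not a real sample)."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    header = LNK_MAGIC + LNK_CLSID + b"\x00" * 56      # pad to the 0x4C-byte header
    # Hypothetical target strings, made up for the demo:
    (root / "Q3 Report.docx.lnk").write_bytes(
        header + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.exe".encode("utf-16-le"))
    (root / "Budget.xlsx.lnk").write_bytes(
        header + "wscript.exe //e:jscript".encode("utf-16-le"))
    (root / "Printer.lnk").write_bytes(                 # benign-looking shortcut
        header + "\\\\printserver\\hp".encode("utf-16-le"))
    (root / "Notes.txt").write_text("benign text file")
    return str(root)


if __name__ == "__main__":
    for f in scan_removable_root(build_sample_drive()):
        print(f["path"], "->", "; ".join(f["reasons"]))
```

Run it against a real mounted stick with `scan_removable_root("E:\\")`. The heuristics are deliberately coarse (string matching, not a full Shell Link parser), so treat a hit as a triage prompt to pull the file for analysis, not as a verdict.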
Steal wallet data
Finally, Crypto Clipper acts as a clipper: it monitors the Windows clipboard for cryptocurrency wallet addresses, seed phrases, and private keys. When it sees a wallet address, it can silently replace it with one controlled by the attackers, so that a transfer the victim pastes into their wallet software goes to the attackers instead. Copied seed phrases and private keys are exfiltrated outright; with those, the attackers can restore the victim's wallet on a device they control.
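The defensive counterpart to the swap described above is a clipboard guard that remembers what the user copied and compares it with what is about to be pasted. The code below is an added example for this page, not code from Microsoft's report; it classifies clipboard text as a legacy, bech32 or Ethereum-style address (validating the Base58Check checksum for legacy Bitcoin addresses), then flags a paste whose address differs from the copied one. The "clipboard" values are plain strings passed in by the caller, so it runs offline; hooking the real Windows clipboard is left to the caller.

```python
"""Clipboard-guard check against wallet-address swapping (clipper) malware.

Added example for this page (not from Microsoft's report). A guard that hooks
copy events records `copied`; before a paste or transaction submit it calls
swap_alert(copied, pasted). Addresses below are public test values, not ours.
"""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
PATTERNS = {
    "btc-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),     # P2PKH / P2SH
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),           # charset excludes 1,b,i,o
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),                   # EIP-55 case not checked
}


def base58check_ok(addr: str) -> bool:
    """Decode Base58 and verify the 4-byte double-SHA256 checksum of a 25-byte payload."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    try:
        payload = n.to_bytes(25, "big")     # version(1) + hash160(20) + checksum(4)
    except OverflowError:
        return False
    body, checksum = payload[:21], payload[21:]
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] == checksum


def classify(text: str):
    """Return the address kind a clipper would key on ('btc-legacy', 'btc-bech32', 'eth') or None."""
    text = text.strip()
    for kind, pat in PATTERNS.items():
        probe = text.lower() if kind == "btc-bech32" else text
        if pat.match(probe):
            if kind == "btc-legacy" and not base58check_ok(text):
                return None     # right shape, bad checksum: no wallet would accept it
            return kind
    return None


def swap_alert(copied: str, pasted: str):
    """None when the paste matches the copy; otherwise a short reason string."""
    k_copied, k_pasted = classify(copied), classify(pasted)
    if k_copied is None:                    # user copied something other than an address
        return None
    if copied.strip() == pasted.strip():
        return None
    if k_pasted is not None:
        return f"clipboard address replaced ({k_copied} -> {k_pasted})"
    return "clipboard address altered into a non-address value"


if __name__ == "__main__":
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"             # Bitcoin genesis-block address
    bip173 = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"     # BIP173 test vector
    print(swap_alert(genesis, genesis))                       # None
    print(swap_alert(genesis, bip173))                        # replaced (btc-legacy -> btc-bech32)
```

The address patterns are intentionally broad: a clipper only needs a shape match to decide what to overwrite, so the guard should be at least as permissive, and the checksum step is there so that a typo in the copied text does not raise a false alarm.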
To help attackers assess the value of a target, the malware periodically captures screenshots of the victim’s screen and uploads them through the Tor network.
“This malware family demonstrates how lightweight, script-based exploits can deliver pervasive effects when paired with anonymized communications and runtime tasking,” Microsoft said. “The combination of the Tor-routed C2, clipboard targeting, screenshot capture and remote code execution gives attackers both immediate revenue streams and continued control over compromised devices.”
Microsoft did not say whether the malware targeted specific countries or regions, nor did it discuss the number of victims.
Via Ars Technica