Microsoft discovers new lightweight backdoor that steals cryptocurrency


Microsoft says it has detected new self-propagating malware that spreads via USB drives in search of cryptocurrency credentials, which it sends to attacker-controlled servers.

The company named the worm Crypto Clipper because it monitors the contents of the device's clipboard for patterns matching wallet addresses or seed phrases. When it finds one, the malware also takes five screenshots over a 10-second period. Both the captured credentials and the screenshots are sent to the attacker over Tor, a network protocol that provides anonymous routing by relaying traffic through a chain of nodes so that no single node's logs capture both the sending and the receiving IP address. Crypto Clipper establishes its Tor connection through a SOCKS5 proxy, a network protocol in which a client sends its traffic to a proxy server that then forwards it to the final destination.

A lightweight backdoor

“The performance of this Clipper is remarkable because it does not rely on traditional installers or exposed IP-based C2 infrastructure,” Microsoft said Thursday. “Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning it into a lightweight backdoor for financially motivated thieves.”

Microsoft said it discovered Crypto Clipper spreading via a .lnk (Windows shortcut) file on a USB drive; these files store executable code. When an infected USB drive is plugged into a device, the code checks whether the malware is already installed on the machine. If it is not, it downloads the malware through the Tor proxy. To better hide evidence of the worm, the malware scans infected USB drives and renames the .lnk files with similar-looking names.
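One defender-side check for the local SOCKS5 hop described above, added here as an example and not code from Microsoft's report or from the malware: a parser for the SOCKS5 client greeting and CONNECT request (RFC 1928) that flags requests whose destination is a .onion name, which is the kind of loopback traffic a portable Tor client produces. The sample bytes, the placeholder .onion name and the function names are constructed assumptions, not artifacts of Crypto Clipper.

```python
import struct

SOCKS_VER = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}

def parse_greeting(data: bytes) -> int:
    """Validate a client greeting (VER, NMETHODS, METHODS) and return its length."""
    if len(data) < 2 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = data[1]
    if len(data) < 2 + nmethods:
        raise ValueError("truncated greeting")
    return 2 + nmethods

def parse_request(data: bytes) -> dict:
    """Parse a client request (VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT)."""
    if len(data) < 4 or data[0] != SOCKS_VER or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == 0x01:            # IPv4 literal, 4 bytes
        host, end = ".".join(str(b) for b in data[4:8]), 8
    elif atyp == 0x03:          # length-prefixed domain name
        n = data[4]
        host, end = data[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == 0x04:          # IPv6 literal, 16 bytes
        host, end = data[4:20].hex(), 20
    else:
        raise ValueError(f"unknown ATYP 0x{atyp:02x}")
    if len(data) < end + 2:
        raise ValueError("truncated request")
    (port,) = struct.unpack("!H", data[end:end + 2])
    # A .onion destination means the proxy is a Tor client, not a plain SOCKS relay.
    return {"cmd": CMD_NAMES.get(cmd, f"0x{cmd:02x}"), "host": host,
            "port": port, "onion": host.lower().endswith(".onion")}

def inspect_client_stream(stream: bytes) -> dict:
    """Parse greeting then request from the client side of a loopback capture;
    the proxy's 2-byte method reply travels the other way, so it is not here."""
    return parse_request(stream[parse_greeting(stream):])

# Constructed sample (not captured traffic): greeting offering "no auth",
# then CONNECT to a placeholder .onion name on port 443.
ONION = b"placeholder-hidden-service.onion"
SAMPLE = (bytes([0x05, 0x01, 0x00])
          + bytes([0x05, 0x01, 0x00, 0x03, len(ONION)]) + ONION
          + struct.pack("!H", 443))
```

Run `inspect_client_stream` over the first bytes of each client-to-proxy loopback connection; a CONNECT whose `onion` flag is set is worth correlating with the process that opened the socket.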


