The wallet skimming component monitors the Windows clipboard, the temporary storage behind copy and paste operations, approximately every 500 milliseconds. When a user copies a cryptocurrency wallet seed phrase, or the private key of a Bitcoin or Ethereum wallet, the malware captures that data and sends it to the attacker's server over the Tor network, an open-source overlay network that provides anonymous communication. It also takes five screenshots, ten seconds apart, and sends those as well.
The risk does not end there.
If the user copies a recipient's address to send funds, the worm silently replaces it with an attacker-controlled address before the user pastes it, so the transfer goes to the attacker with no visible sign that anything changed.
Lastly, the worm spreads when a clean USB drive is connected to the infected computer. It scans the drive for ordinary files such as Word documents, Excel sheets and PDFs, replaces them with shortcut (.lnk) files of the same names, and so infects the drive. Then the cycle continues.
Microsoft recommends disabling autorun for removable media, using group policy to block .lnk files from running from USB drives, and restricting the Windows script hosts wscript.exe and cscript.exe. Microsoft Defender customers can also run queries to hunt for related activity, including connections to a local Tor proxy on port 9050.
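As an added example, not code from the article or from Microsoft, here is a minimal hunt that runs the two detection ideas above (connections to a local Tor SOCKS proxy on port 9050, and script hosts such as wscript.exe or cscript.exe opening network connections) over constructed endpoint telemetry. The key=value log format, host names, PIDs and addresses are assumptions made for the example.

```python
import re
from dataclasses import dataclass

TOR_SOCKS_PORT = 9050  # default Tor SOCKS listener on localhost
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOOPBACK = {"127.0.0.1", "::1"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample telemetry (not real product output): one outbound
# connection per line as key=value pairs.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01Z host=PC1 proc=chrome.exe pid=4120 dst=142.250.74.36 dport=443
ts=2024-05-01T10:00:03Z host=PC1 proc=wscript.exe pid=5222 dst=127.0.0.1 dport=9050
ts=2024-05-01T10:00:04Z host=PC1 proc=tor.exe pid=5230 dst=198.51.100.7 dport=9001
ts=2024-05-01T10:00:09Z host=PC2 proc=outlook.exe pid=1200 dst=127.0.0.1 dport=9050
ts=2024-05-01T10:00:12Z host=PC2 proc=cscript.exe pid=1300 dst=10.0.0.8 dport=80
ts=2024-05-01T10:00:15Z host=PC2 proc=svchost.exe pid=900 dst=127.0.0.1 dport=135
"""


@dataclass(frozen=True)
class Finding:
    host: str
    proc: str
    pid: int
    reasons: tuple  # one entry per rule that fired; two means higher priority


def parse_event(line):
    """Turn one key=value log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def match_rules(event):
    """Return the descriptions of every rule the event triggers (may be empty)."""
    reasons = []
    if event["dst"] in LOOPBACK and int(event["dport"]) == TOR_SOCKS_PORT:
        reasons.append("connection to local Tor SOCKS proxy on port 9050")
    if event["proc"].lower() in SCRIPT_HOSTS:
        reasons.append("Windows script host opened a network connection")
    return reasons


def hunt(log_text):
    """Run both rules over every non-empty line and collect the findings."""
    findings = []
    for ev in (parse_event(l) for l in log_text.splitlines() if l.strip()):
        reasons = match_rules(ev)
        if reasons:
            findings.append(Finding(ev["host"], ev["proc"], int(ev["pid"]), tuple(reasons)))
    return findings
```

Running `hunt(SAMPLE_LOG)` flags three events; the wscript.exe process that talks to 127.0.0.1:9050 matches both rules and is the one to triage first.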