- Microsoft warns about “Crypto Clipper,” a worm that spreads via malicious .LNK files on USB drives
- The malware maintains persistence, connects to a Tor C2 server, allows remote code execution, and steals cryptocurrency wallet data from the clipboard
- It swaps wallet addresses, extracts seed phrases/private keys, and uploads screenshots to evaluate target value
Microsoft warns of an ongoing campaign targeting cryptocurrency owners with a clipboard-hijacking worm.
In a new in-depth report published late last week, Microsoft security researchers explained that they recently analyzed a USB stick containing seemingly normal documents (Word files, Excel spreadsheets). However, the documents had been replaced by Windows Shortcut (.LNK) files that actually launched malware called Crypto Clipper.
This malware does a couple of things. First, it spreads by creating malicious .LNK files on USB drives and other removable media. It also configures scheduled tasks to maintain persistence and automatically infect newly connected USB devices. Second, it behaves as a backdoor by periodically contacting a C2 server over the Tor network and receiving commands from the attacker. The server can also instruct the malware to download and execute attacker-supplied code on the infected system.
Steal wallet data
Finally, Crypto Clipper acts as a clipper by monitoring the Windows clipboard for cryptocurrency wallet addresses, seed phrases, and private keys. If it detects a wallet address, it can replace it with a different one, owned by the attackers, so that any token sent by the victim goes to the attacker. It can also steal and exfiltrate copied seed phrases and private keys, which can be used to load the victim’s crypto wallet onto a separate device.
To help attackers assess the value of a target, the malware periodically captures screenshots of the victim’s screen and uploads them over the Tor network.
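As an added defender-side illustration (not code from Microsoft's report or from the malware), this Python sketch models the swap described above: it replays a constructed list of clipboard changes and flags a wallet address that is overwritten by another address of the same family from a process other than the one the user is working in. The address patterns, the Win32-derived field names and the process names are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Illustrative wallet-address shapes (assumption: BTC legacy/P2SH, BTC bech32, ETH).
# Microsoft's report does not quote the patterns Crypto Clipper itself matches.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the address family a clipboard string looks like, or None."""
    text = text.strip()
    return next((k for k, p in ADDRESS_PATTERNS.items() if p.match(text)), None)

@dataclass
class ClipboardEvent:
    seq: int          # clipboard sequence number (Win32 GetClipboardSequenceNumber)
    content: str      # text on the clipboard after the change
    owner: str        # process owning the clipboard (GetClipboardOwner -> process name)
    foreground: str   # process owning the foreground window at that moment

def detect_swaps(events):
    """Flag a wallet address overwritten by another address of the same family
    by a process that is not the one the user is interacting with."""
    alerts, prev = [], None
    for ev in events:
        kind = classify(ev.content)
        if (prev is not None and kind is not None and classify(prev.content) == kind
                and ev.content != prev.content and ev.owner != ev.foreground):
            alerts.append({"seq": ev.seq, "family": kind, "suspect_process": ev.owner,
                           "original": prev.content.strip(), "replacement": ev.content.strip()})
        prev = ev
    return alerts

# Constructed sequence of clipboard changes (not real telemetry): the user copies a
# BTC address in the browser, then a script host silently overwrites it. A benign
# clipboard manager (constructed name) re-setting identical content is not flagged.
SAMPLE_EVENTS = [
    ClipboardEvent(1, "Meeting notes for Friday", "WINWORD.EXE", "WINWORD.EXE"),
    ClipboardEvent(2, "bc1qconstructedsampleaddressforillustration0000", "chrome.exe", "chrome.exe"),
    ClipboardEvent(3, "bc1qattackercontrolledreplacementaddress000000", "wscript.exe", "chrome.exe"),
    ClipboardEvent(4, "0x1234567890abcdef1234567890abcdef12345678", "chrome.exe", "chrome.exe"),
    ClipboardEvent(5, "0x1234567890abcdef1234567890abcdef12345678", "clipmgr.exe", "chrome.exe"),
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"seq {a['seq']}: {a['family']} address swapped by {a['suspect_process']}")
```

The owner-versus-foreground heuristic is a starting point only: legitimate clipboard managers also take clipboard ownership, so a production monitor would allow-list them.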
“This malware family shows how lightweight script-based stealers can pack a huge punch when combined with anonymous communications and runtime tasks,” Microsoft said. “The combination of Tor-routed C2, clipboard targeting, screenshot, and remote code execution gives attackers immediate monetization paths and continued control over compromised devices.”
Microsoft did not say whether the malware targeted specific countries or regions, nor did it mention the number of victims.
Via Ars Technica