Key facts
- Microsoft has identified a new malware called Crypto Clipper.
- The malware spreads via USB drives and targets cryptocurrency credentials.
- It monitors the clipboard for wallet addresses and seed phrases and captures screenshots when it finds them.
- Crypto Clipper communicates over Tor, through a local SOCKS5 proxy, to stay anonymous.
- The malware replaces wallet addresses to divert payments to attackers.
- It can also execute remote code, functioning as a lightweight backdoor.
Microsoft has announced the discovery of a new malware strain, named Crypto Clipper, which operates as a self-propagating worm. It spreads primarily through USB drives, using .lnk (shortcut) files to launch its payload. Once active on a system, Crypto Clipper monitors the device's clipboard for patterns indicative of cryptocurrency wallet addresses or seed phrases. On a match, it captures a series of five screenshots within a 10-second window to gather context around the copied value. The stolen credentials and screenshots are then transmitted to attacker-controlled servers over the Tor network, reached through a local SOCKS5 proxy, for anonymity. The malware also replaces detected cryptocurrency addresses on the clipboard with addresses belonging to the attackers, so that a victim who pastes the address sends funds directly to them. Microsoft highlighted that Crypto Clipper's lightweight, script-based nature, combined with anonymized communication and remote code execution capabilities, makes it a potent threat. Microsoft Defender surfaces this activity under the names Suspicious JavaScript processes, Possible data exfiltrations using Curl, or Trojan:Win32/CryptoBandits.A.
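The address-swapping behaviour described above has a simple telemetry signature: a clipboard value that looks like a wallet address is overwritten, within a fraction of a second, by a different address of the same kind. The script below is an added illustration of that detection idea, written for this summary; it is not Microsoft's code and is not derived from the malware. It runs over a constructed list of clipboard-change events rather than a live clipboard, and the address patterns are format-only shapes (no checksum validation) chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Format-only address shapes for the example (assumed patterns; a real
# detector would also validate base58check / bech32 / EIP-55 checksums).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipboardEvent:
    ts: float       # seconds since the start of the capture
    content: str    # clipboard text after the change


@dataclass
class SwapAlert:
    ts: float
    original: str
    replacement: str
    kind: str       # address family that was swapped ("btc" or "eth")


def address_family(text: str) -> Optional[str]:
    """Return 'btc' or 'eth' if text has the shape of a wallet address, else None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name.split("_")[0]
    return None


def detect_swaps(events: List[ClipboardEvent], window_s: float = 2.0) -> List[SwapAlert]:
    """Flag an address-looking clipboard value replaced by a different address
    of the same family within window_s seconds. A human re-copying a new
    address takes longer than that; a clipper rewrites almost instantly."""
    alerts: List[SwapAlert] = []
    for prev, cur in zip(events, events[1:]):
        fam_prev = address_family(prev.content)
        fam_cur = address_family(cur.content)
        if fam_prev is None or fam_prev != fam_cur:
            continue                      # not an address, or a different family
        if prev.content.strip() == cur.content.strip():
            continue                      # same value re-copied, not a swap
        if cur.ts - prev.ts <= window_s:
            alerts.append(SwapAlert(cur.ts, prev.content.strip(),
                                    cur.content.strip(), fam_cur))
    return alerts


# Constructed sample telemetry (not real addresses, not real captured data).
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "https://example.invalid/invoice"),
    ClipboardEvent(5.0, "1UserCopiedAddr" + "A" * 15),    # user copies payee address
    ClipboardEvent(5.3, "1SwappedByThreat" + "B" * 14),   # overwritten 300 ms later
    ClipboardEvent(40.0, "0x" + "a" * 40),                 # later, an ETH address
    ClipboardEvent(95.0, "0x" + "b" * 40),                 # different ETH address 55 s on: benign
]


if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"t={alert.ts:.1f}s {alert.kind} address swapped: "
              f"{alert.original} -> {alert.replacement}")
```

On the sample events the detector raises exactly one alert, for the BTC value overwritten 300 ms after the user copied it; the two ETH addresses 55 seconds apart are treated as ordinary user activity. In a real deployment the events would come from an endpoint agent subscribed to clipboard changes, and the alert would be correlated with the other signals on this page, such as screenshot bursts and curl traffic to a local SOCKS5 port.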
