According to Microsoft’s cybersecurity researchers, a new and advanced theft campaign targeting cryptocurrency users has been detected. The attack wave, called “CryptoBandits”, is said to take the long-known “clipper” type of malware to a more advanced level.
How the attack works
Traditional clipper malware monitors crypto wallet addresses copied by the user to the clipboard and replaces them with addresses belonging to the attacker. According to Microsoft, CryptoBandits uses the same basic method, but has a more complex structure in the way it spreads and hides.
It was stated that the malware spreads through infected USB sticks, disguised as ordinary document files. After reaching the target system, it scans for common file types such as .doc, .pdf and .xlsx, hides those files and creates malicious .lnk shortcuts carrying the same names. If the user double-clicks one of these shortcuts, the infection is activated silently.
Mini dictionary: Clipper malware is a type of malware that monitors the clipboard, in particular for crypto wallet addresses copied by the user, and silently replaces them with another address. .lnk files are Windows shortcuts; although a shortcut can be made to look like a legitimate document, it may launch an entirely different program in the background.
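The hidden-document plus same-name-shortcut pattern described above is something a defender can hunt for on a removable drive. The following is an added example, not code from Microsoft or from the article, that flags document files carrying the hidden attribute when a .lnk file with the same base name sits beside them; the sample listing is constructed, and the .docx extension is an assumption added to the types named in the article.

```python
"""Detect the hidden-document / same-name .lnk pattern on a USB drive listing."""
from __future__ import annotations

import stat
from pathlib import Path
from typing import Iterable, NamedTuple

# File types the article says the malware hides; .docx is an added assumption.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xlsx"}


class Entry(NamedTuple):
    name: str     # file name within a single directory
    hidden: bool  # Windows "hidden" attribute (dotfile on other platforms)


def find_shadowed_documents(entries: Iterable[Entry]) -> list[tuple[str, str]]:
    """Return sorted (hidden_document, shortcut) pairs where a .lnk shares the
    document's name (e.g. Budget.lnk or Invoice.pdf.lnk next to a hidden Invoice.pdf)."""
    hidden_docs: dict[str, list[str]] = {}
    shortcuts: dict[str, list[str]] = {}
    for e in entries:
        p = Path(e.name)
        ext = p.suffix.lower()
        if ext == ".lnk":
            shortcuts.setdefault(p.stem.lower(), []).append(e.name)
        elif ext in DOCUMENT_EXTS and e.hidden:
            hidden_docs.setdefault(p.stem.lower(), []).append(e.name)
    hits = []
    for stem, docs in hidden_docs.items():
        for doc in docs:
            # Match both "Budget.lnk" (same stem) and "Budget.xlsx.lnk" (full name + .lnk)
            for lnk in shortcuts.get(stem, []) + shortcuts.get(doc.lower(), []):
                hits.append((doc, lnk))
    return sorted(hits)


def _is_hidden(path: Path) -> bool:
    attrs = getattr(path.stat(), "st_file_attributes", 0)  # present on Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)) or path.name.startswith(".")


def scan_directory(root: str | Path) -> list[tuple[str, str]]:
    """Scan one directory (e.g. the root of a mounted USB stick) for the pattern."""
    entries = [Entry(p.name, _is_hidden(p)) for p in Path(root).iterdir() if p.is_file()]
    return find_shadowed_documents(entries)


# Constructed sample listing of an infected USB root, as the article describes it.
SAMPLE_USB_LISTING = [
    Entry("Invoice_2024.pdf", hidden=True),
    Entry("Invoice_2024.pdf.lnk", hidden=False),
    Entry("Budget.xlsx", hidden=True),
    Entry("Budget.lnk", hidden=False),
    Entry("notes.doc", hidden=False),       # visible document, nothing to flag
    Entry("Budget_old.lnk", hidden=False),  # shortcut without a hidden twin
]

if __name__ == "__main__":
    for doc, lnk in find_shadowed_documents(SAMPLE_USB_LISTING):
        print(f"suspicious: hidden {doc!r} shadowed by shortcut {lnk!r}")
```

A hit only shows the layout the malware leaves behind; the shortcut's target should then be inspected before anything on the drive is opened.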
According to Microsoft researchers, the campaign uses Windows’ built-in scripting tools rather than relying on large, easily noticed installation files; this makes detection difficult for security solutions that rely solely on file scanning.
Tor network and clipboard monitoring stand out
Researchers reported that once the malware was installed on the system, it deployed a portable Tor client and routed its internet traffic through a hidden proxy. This setup is thought to help the attackers conceal their communications and make the activity harder to trace.
It was stated that the software also checks the victim’s clipboard every half second. It was noted that not only wallet addresses but also recovery phrases known as seed phrases were targeted. It was reported that the detected contents could be replaced with similar-looking data belonging to the attacker.
Why is it more difficult to detect?
One of the notable aspects of this campaign was that it did not use large and suspicious installation packages. It was stated that since Windows’ built-in command and script tools are used instead, it has become more difficult for classical file-based antivirus scans to distinguish the threat.
For this reason, Microsoft emphasized that more caution should be exercised, especially regarding portable storage devices. It was recommended not to insert USB sticks of unknown origin into the computer, to re-check the copied wallet addresses before the transaction, and not to rely only on the information on the clipboard.
Security warning to users
Keeping security tools up to date is also critical, the researchers noted. It was stated that especially running protection software such as Microsoft Defender with the latest updates can provide additional defense against similar threats.
Manually verifying addresses in cryptocurrency transfers and not opening unknown files or shortcuts are among the first lines of defense against such attacks. The latest findings show that USB-borne malware once again poses a serious risk to crypto asset holders.