Microsoft has disclosed a new malware family that has been spreading via USB sticks since February and targeting the crypto-asset wallets of Windows users. The company describes the threat as a “crypto clipper” and says Microsoft Defender Antivirus tracks it as Trojan:Win32/CryptoBandits.
How does malware work?
The attack starts with a malicious .lnk shortcut file on an infected USB drive. Windows normally uses these files to open a program, folder or file; when the user double-clicks this one, however, a worm-type malware is installed on the computer.
Once installed, the malware runs two tasks in parallel: one continuously runs the actual wallet-stealing code, the other waits for a clean USB device to be inserted into the same computer. It is therefore not confined to a single system but spreads from one removable device to the next.
According to Microsoft, the malware polls the clipboard at regular intervals, collects items such as seed phrases, private keys and recipient addresses, and transmits them to the attackers over the Tor network. When the user copies an address for a transfer, it can be silently replaced with a wallet address controlled by the attacker.
What data does it target?
According to Microsoft, the malware checks the Windows clipboard approximately every 500 milliseconds. If the user copies the seed phrase or private key of a Bitcoin or Ethereum wallet, that data is captured. Microsoft also states that the malware takes a total of five screenshots at 10-second intervals and exfiltrates them.
One of the most critical risks here is the silent rewriting of transfer addresses. When the user copies a recipient address to send funds, the malware can replace it with an address belonging to the attacker before the paste happens. Because the change produces no visible warning, the funds end up at the attacker's address unless the user compares the pasted value with the address they intended to copy before confirming the transaction.
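The clipper behaviour described above can be made concrete with a small simulation. The following is an added example, not code from Microsoft or from the malware: it classifies clipboard contents the way a clipper would (coarse regexes for Bitcoin and Ethereum addresses and a word-count heuristic for seed phrases, with no checksum or BIP39 wordlist validation) and then runs a defensive check over a constructed sequence of 500 ms clipboard polls, flagging the moment one address is replaced by a different address of the same family. All addresses and poll contents are made-up placeholders.

```python
import re

# Coarse wallet-address patterns. These are assumptions of this example: they
# recognise the shape of an address only and do not validate checksums.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),  # Base58 P2PKH / P2SH
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),        # bech32 / bech32m
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),                        # EVM address
}
SEED_WORD_COUNTS = {12, 15, 18, 21, 24}   # valid BIP39 mnemonic lengths


def classify(text: str):
    """Return the kind of wallet secret/address a clipboard value looks like, else None."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    words = s.split()
    if len(words) in SEED_WORD_COUNTS and all(w.isalpha() and w.islower() for w in words):
        return "seed_phrase"   # heuristic only; the real BIP39 wordlist is not checked
    return None


def detect_swaps(polls, max_gap_ms=1000):
    """Flag clipper-style substitutions in a list of (t_ms, clipboard_text) polls.

    A swap is reported when a recognised address is replaced by a *different*
    address of the same family, with nothing unrelated in between and within
    max_gap_ms. That is exactly what a clipper polling every 500 ms produces;
    a user pasting two addresses within a second would also trip it, so treat
    hits as alerts to investigate, not proof of infection.
    """
    alerts = []
    for (t_prev, prev), (t_now, now) in zip(polls, polls[1:]):
        kind = classify(prev)
        if (kind and kind != "seed_phrase" and kind == classify(now)
                and prev != now and t_now - t_prev <= max_gap_ms):
            alerts.append({"t_ms": t_now, "kind": kind, "copied": prev, "now": now})
    return alerts


# Constructed sample: what a 500 ms clipboard poll would see on an infected host.
# The addresses are placeholders built to match the patterns above, not real wallets.
USER_BTC = "1UserDest" + "X" * 23
ATTACKER_BTC = "1AttackerSampAddr" + "X" * 12
USER_ETH = "0x" + "1111" * 10
ATTACKER_ETH = "0x" + "dead" * 10
SAMPLE_POLLS = [
    (0, "meeting notes"),
    (500, USER_BTC),        # user copies the intended recipient
    (1000, ATTACKER_BTC),   # clipper has rewritten it before the paste
    (1500, ATTACKER_BTC),   # unchanged: no new alert
    (2000, "hello"),
    (2500, USER_ETH),
    (3000, ATTACKER_ETH),
]


def demo():
    """Run the detector over the constructed poll sequence."""
    return detect_swaps(SAMPLE_POLLS)


if __name__ == "__main__":
    for a in demo():
        print(f"t={a['t_ms']}ms {a['kind']}: {a['copied']} -> {a['now']}")
```

The practical takeaway is the check a wallet user should do by hand: compare the whole pasted address, not just its first and last characters, with the one you copied, since an attacker can generate addresses that share those characters.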
Mini dictionary: The Tor network is open-source software that makes communication harder to trace by routing internet traffic through a series of relays. Attackers also use it to hide command-and-control traffic.
Propagation method via USB
The malware's spreading mechanism is also notable. When a clean USB drive is inserted, it scans the device for ordinary files such as Word, Excel and PDF documents, then replaces them with shortcut files bearing the same names, infecting the drive.
Because Windows Explorer never displays the .lnk extension, the shortcuts look like the original documents. A user who opens one on another computer restarts the infection cycle there.
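The following is an added example, not Microsoft's tooling, showing how a help desk or incident responder could triage a suspect USB stick for exactly this pattern. It walks the drive for shortcut files, confirms they really are Windows shortcuts by checking the fixed header that every .lnk file starts with (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046, per the MS-SHLLINK format), and flags shortcuts whose names carry a document extension, especially when the document they are named after no longer exists beside them. The directory layout it scans is constructed inside a temporary folder, and the list of document extensions is the example's own.

```python
import struct
import tempfile
from pathlib import Path

# Document types the worm is reported to replace (list is this example's own).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}

# Every Windows shortcut begins with HeaderSize 0x4C and the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK), so a 20-byte check is enough
# to tell a real shortcut from a file that was merely renamed to .lnk.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")


def is_shortcut(path: Path) -> bool:
    with open(path, "rb") as f:
        return f.read(len(LNK_MAGIC)) == LNK_MAGIC


def scan_drive(root) -> list:
    """Flag shortcut files on a (removable) drive that impersonate documents."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.suffix.lower() != ".lnk" or not is_shortcut(p):
            continue
        inner_ext = Path(p.stem).suffix.lower()   # "Report.docx.lnk" -> ".docx"
        reasons = []
        if inner_ext in DOC_EXTS:
            reasons.append(f"shortcut named like a {inner_ext} document")
            if not (p.parent / p.stem).exists():
                reasons.append("original document is missing")
        if reasons:
            findings.append({"file": p.name, "reasons": reasons})
    return findings


def build_sample_drive(root) -> None:
    """Constructed layout imitating an infected stick (not a real sample)."""
    root = Path(root)
    (root / "photos").mkdir()
    (root / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0 placeholder")
    (root / "Notes.txt").write_text("untouched plain file")
    # two documents replaced by same-named shortcuts; header only, no target data
    for name in ("Report.docx.lnk", "Budget.xlsx.lnk"):
        (root / name).write_bytes(LNK_MAGIC + b"\x00" * 40)
    # a shortcut that is not impersonating a document: not flagged
    (root / "Tools.lnk").write_bytes(LNK_MAGIC + b"\x00" * 40)
    # a file merely renamed to .lnk: not a shortcut, so skipped
    (root / "fake.pdf.lnk").write_bytes(b"%PDF-1.4 renamed, not a shortcut")


def demo() -> list:
    """Build the constructed drive in a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_drive(d)
        return scan_drive(d)


if __name__ == "__main__":
    for f in demo():
        print(f["file"], "->", "; ".join(f["reasons"]))
```

Run it against the mount point of the suspect drive (for example `scan_drive("E:\\")`) from a machine where the shortcuts cannot be launched. The scan deliberately never opens or resolves the shortcuts; what they point at is a job for a proper LNK parser on an analysis host.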
Microsoft’s security recommendations
Microsoft recommends disabling AutoRun for removable media, using Group Policy to block .lnk files from running from USB drives, and restricting script hosts such as wscript.exe and cscript.exe. The company also urges security teams to sweep their networks for the published indicators of compromise.
These indicators include file hashes and the .onion domain names used for the command-and-control servers. Microsoft Defender customers can query for related activity, including connections to the local Tor SOCKS proxy on port 9050.
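To show what such a sweep looks like outside Defender, here is an added example, not Microsoft's query and not tied to any real indicator values, that runs three hunting rules over constructed process-creation and network-connection events in a Sysmon-like JSON shape: a SHA256 match against an IOC list, a script host (wscript.exe or cscript.exe) launched with a script on a drive letter other than C:, and any process connecting to 127.0.0.1 on port 9050. The field names, the file paths, the hash value and the assumption that non-C: drive letters are removable media are all the example's own.

```python
import json
import re

# Constructed events in a Sysmon-like shape (EventID 1 = process create,
# EventID 3 = network connect). Paths, hashes and IPs are placeholders.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B E:\sys\launcher.vbs',
     "Hashes": "SHA256=" + "ab" * 32},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 9050},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Scripts\inventory.vbs",
     "Hashes": "SHA256=" + "cd" * 32},
])

# Placeholder IOC list; replace with the hashes Microsoft published.
IOC_SHA256 = {"ab" * 32}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TOR_SOCKS_PORT = 9050          # default local Tor SOCKS port
# Assumption for this example: the system drive is C:, anything else is removable.
REMOVABLE_PATH = re.compile(r"\b[D-Zd-z]:\\")


def parse_hashes(field: str) -> dict:
    """Turn 'MD5=..,SHA256=..' into {'MD5': .., 'SHA256': ..} (lower-cased values)."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def hunt(log_text: str, ioc_sha256: set) -> list:
    """Return (rule_name, evidence) tuples for every event that matches a rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if ev.get("EventID") == 1:
            if parse_hashes(ev.get("Hashes", "")).get("SHA256") in ioc_sha256:
                alerts.append(("ioc_hash_match", ev["Image"]))
            cmd = ev.get("CommandLine", "")
            if image in SCRIPT_HOSTS and REMOVABLE_PATH.search(cmd):
                alerts.append(("script_host_from_removable", cmd))
        elif ev.get("EventID") == 3:
            if (ev.get("DestinationIp") == "127.0.0.1"
                    and ev.get("DestinationPort") == TOR_SOCKS_PORT):
                alerts.append(("local_tor_socks", ev["Image"]))
    return alerts


if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_LOG, IOC_SHA256):
        print(f"{rule:28s} {evidence}")
```

The third rule is the broadest: a connection to 127.0.0.1:9050 only proves that something on the host is talking to a local Tor client, so the hit should be pivoted on the originating image and its hash rather than treated as a verdict on its own.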

