
Microsoft Discovers New Lightweight Backdoor That Steals Cryptocurrency

Microsoft has identified a new malware threat aimed at cryptocurrency users. Dubbed “Crypto Clipper,” it is a self-propagating worm that spreads through USB drives, hunts for cryptocurrency credentials on the infected host and exfiltrates them to attacker-controlled infrastructure.

Crypto Clipper monitors the clipboard for text that looks like a wallet address or a seed phrase. When it finds a match it captures five screenshots over a 10-second span, then relays the captured text and the screenshots to the attackers over the Tor network. Tor anonymises traffic by routing it through several relays, so neither the infected host's address nor the attackers' endpoint is visible to an observer on the path. The malware reaches Tor through a SOCKS5 proxy: SOCKS5 is a generic proxy protocol in which an application hands each connection to a proxy, here a local Tor client, which opens the connection to the final destination on the application's behalf.
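The clipboard check described above is the same logic a defender can turn around into a detection rule. The following is an added example, not Microsoft's code and not the malware's: it classifies clipboard text as a Bitcoin (Base58Check or bech32) address, an Ethereum address or a BIP39-style seed phrase, and validates the Base58Check checksum rather than trusting the pattern alone. The addresses and phrase used as sample input are public test vectors, not indicators from the report; the bech32 checksum is deliberately not verified here to keep the block short.

```python
import hashlib
import re

# Added example, not Microsoft's code or the malware's: the kind of clipboard
# classifier a clipper uses to decide what is worth stealing, which is also the
# rule a defender can run to flag wallet secrets sitting in the clipboard.

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

PATTERNS = {
    # Legacy P2PKH / P2SH: Base58Check, 26-35 chars, leading 1 or 3.
    "btc_base58": re.compile(r"^[13][%s]{25,34}$" % BASE58_ALPHABET),
    # Native SegWit: bc1 + bech32 data part (P2WPKH is 42 chars, P2WSH 62).
    "btc_bech32": re.compile(r"^bc1[%s]{39,59}$" % BECH32_CHARSET),
    # Ethereum / EVM chains: 0x + 40 hex digits (EIP-55 casing optional).
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
# BIP39 words are 3-8 lowercase letters; phrases are 12, 15, 18, 21 or 24 words.
SEED_WORD = re.compile(r"^[a-z]{3,8}$")


def base58check_valid(addr: str) -> bool:
    """Decode Base58 and verify the 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + BASE58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a 0x00 byte
    data = b"\x00" * leading_zeros + body
    if len(data) != 25:          # 1 version byte + 20-byte hash160 + 4-byte checksum
        return False
    payload, checksum = data[:-4], data[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def looks_like_seed_phrase(text: str) -> bool:
    words = text.split()
    return len(words) in (12, 15, 18, 21, 24) and all(SEED_WORD.match(w) for w in words)


def classify_clipboard(text: str):
    """Return the kind of wallet secret the text looks like, or None."""
    text = text.strip()
    if PATTERNS["eth"].match(text):
        return "eth"
    if PATTERNS["btc_bech32"].match(text):
        return "btc_bech32"
    if PATTERNS["btc_base58"].match(text):
        # A pattern hit with a bad checksum is noise (a hash, a random token), not an address.
        return "btc_base58" if base58check_valid(text) else None
    if looks_like_seed_phrase(text):
        return "seed_phrase"
    return None


if __name__ == "__main__":
    # Constructed sample input: public test vectors, not addresses from the report.
    for sample in ["1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
                   "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq",
                   "0x" + "ab" * 20,
                   "abandon " * 11 + "about",
                   "just some text"]:
        print(repr(sample[:24]), "->", classify_clipboard(sample))
```

In a host-based rule the same function runs against whatever the clipboard monitor reports; the checksum step matters because 26-35 character Base58-looking strings (git hashes, API tokens) are common, and a rule without it pages on every one of them.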

A Lightweight Backdoor

Microsoft’s analysis highlights what sets this clipper apart. Unlike most commodity malware, Crypto Clipper does not rely on a conventional installer or on command-and-control (C2) servers reachable at a fixed IP address. Instead, it drops a portable Tor client and routes its traffic through the local SOCKS5 proxy that client exposes, so there is no C2 address or domain for a blocklist to catch; the more useful indicators are the bundled Tor executable itself and a process speaking SOCKS5 to a loopback port. Combining data theft with remote code execution turns a financially motivated threat into a lightweight backdoor.
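Because the C2 channel is a SOCKS5 session to a Tor client on localhost, the loopback traffic itself is the thing to look at. The block below is an added example, not Microsoft's tooling or the malware's code: it parses the client side of the SOCKS5 handshake (RFC 1928) and flags requests that name a .onion destination, which a Tor client only accepts when the name is sent as a domain-type address rather than pre-resolved. The sample "capture" is constructed inline and the .onion name in it is made up; the ports 9050 and 9150 are Tor's documented defaults for the daemon and Tor Browser respectively.

```python
import ipaddress
import struct

# Added example, not the malware's or Microsoft's code: a parser for the client
# side of the SOCKS5 handshake that a detection script can run over captured
# loopback segments to spot connections being handed to a local Tor client.
# Tor's default SOCKS ports are 9050 (tor daemon) and 9150 (Tor Browser).

TOR_SOCKS_PORTS = {9050, 9150}
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_greeting(data: bytes):
    """Client greeting: VER=5, NMETHODS, METHODS[]. Returns the offered auth methods."""
    if len(data) < 2 or data[0] != 0x05:
        return None
    n = data[1]
    if len(data) < 2 + n:
        return None
    return list(data[2:2 + n])


def parse_request(data: bytes):
    """Client request: VER=5, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT (network byte order)."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00 or data[1] not in CMD_NAMES:
        return None
    atyp = data[3]
    if atyp == 0x01:                       # IPv4, 4 bytes
        end = 4 + 4
        if len(data) < end + 2:
            return None
        host = str(ipaddress.IPv4Address(data[4:end]))
    elif atyp == 0x04:                     # IPv6, 16 bytes
        end = 4 + 16
        if len(data) < end + 2:
            return None
        host = str(ipaddress.IPv6Address(data[4:end]))
    elif atyp == 0x03:                     # domain name, one length byte then the name
        if len(data) < 5:
            return None
        end = 5 + data[4]
        if len(data) < end + 2:
            return None
        host = data[5:end].decode("ascii", "replace")
    else:
        return None
    port = struct.unpack("!H", data[end:end + 2])[0]
    return {"cmd": CMD_NAMES[data[1]], "atyp": atyp, "host": host, "port": port}


def is_tor_hidden_service_request(req) -> bool:
    """Tor reaches .onion names only when the client passes them as ATYP=3 domains."""
    return req is not None and req["atyp"] == 0x03 and req["host"].lower().endswith(".onion")


def find_onion_connects(segments):
    """segments: iterable of (loopback dst port, client payload). Returns (port, host, dst_port)."""
    hits = []
    for dst_port, payload in segments:
        req = parse_request(payload)
        if dst_port in TOR_SOCKS_PORTS and is_tor_hidden_service_request(req):
            hits.append((dst_port, req["host"], req["port"]))
    return hits


# Constructed loopback capture: a greeting offering NO AUTH, a CONNECT to a
# hypothetical hidden service (the name is invented), and an unrelated TLS hello.
ONION = b"exampleonionservice.onion"
SAMPLE_SEGMENTS = [
    (9050, b"\x05\x01\x00"),
    (9050, b"\x05\x01\x00\x03" + bytes([len(ONION)]) + ONION + struct.pack("!H", 443)),
    (443, b"\x16\x03\x01"),
]

if __name__ == "__main__":
    print(find_onion_connects(SAMPLE_SEGMENTS))
```

Only the client-to-proxy direction is parsed; the proxy's two-byte method reply and its reply to the request sit between the greeting and the request on the wire and are ignored here. The port filter keeps a process that merely uses some other local SOCKS proxy from being reported as Tor traffic.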

Crypto Clipper spreads through .lnk shortcut files placed on USB drives. A shortcut does not carry code of its own; it holds a target and a command line that run when the user opens it, which is how an infected drive starts the malware on a new host. If the malware is not already present on that machine, it downloads itself through the Tor proxy. To hide its presence on the drive, the malware also renames the shortcuts so that their names resemble those of the drive's legitimate files.
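Triaging the shortcuts on a suspect USB drive means reading the target and arguments out of the Shell Link binary format rather than trusting the file name. The block below is an added example, not Microsoft's tooling and not the malware's own shortcut: a minimal parser for the .lnk header and StringData section (MS-SHLLINK) plus a scoring function for the traits that matter on removable media, namely a command interpreter as the target and a minimised window. The build_lnk helper exists only so the example runs offline; the decoy shortcut it constructs, including its paths and executable name, is hypothetical and not an indicator from the report.

```python
import struct

# Added example, not Microsoft's analysis code and not the malware's shortcut:
# a minimal reader for the Windows Shell Link (.lnk) format that pulls out what
# the shortcut runs, with which arguments, and whether it opens minimised.

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
SW_SHOWMINNOACTIVE = 7           # window opens minimised, so the user sees nothing
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]   # fixed on-disk order
LAUNCHERS = ("cmd.exe", "powershell", "pwsh", "mshta", "wscript", "cscript",
             "rundll32", "regsvr32", "certutil")


def _string_data(s: str) -> bytes:
    """StringData item: 2-byte character count followed by UTF-16LE text, no terminator."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path, arguments="", working_dir="", show_command=1) -> bytes:
    """Emit a valid minimal .lnk so the parser below has realistic input (helper only)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE
    if working_dir:
        flags |= HAS_WORKING_DIR
    if arguments:
        flags |= HAS_ARGUMENTS
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += struct.pack("<I", 0x20)                      # FileAttributes: ARCHIVE
    header += b"\x00" * 24                                  # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIH", 0, 0, show_command, 0)  # FileSize, IconIndex, ShowCommand, HotKey
    header += b"\x00" * 10                                  # Reserved1/2/3
    body = _string_data(relative_path)
    if working_dir:
        body += _string_data(working_dir)
    if arguments:
        body += _string_data(arguments)
    return header + body


def parse_lnk(blob: bytes) -> dict:
    if len(blob) < 0x4C or struct.unpack_from("<I", blob, 0)[0] != 0x4C or blob[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", blob, 0x14)[0]
    fields = {"show_command": struct.unpack_from("<I", blob, 0x3C)[0]}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:                     # IDListSize (2 bytes) + ItemIDList
        off += 2 + struct.unpack_from("<H", blob, off)[0]
    if flags & HAS_LINK_INFO:                               # LinkInfoSize counts itself
        off += struct.unpack_from("<I", blob, off)[0]
    unicode = bool(flags & IS_UNICODE)
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", blob, off)[0]
        off += 2
        nbytes = count * 2 if unicode else count
        fields[name] = blob[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252")
        off += nbytes
    return fields


def lnk_findings(fields: dict) -> list:
    """Reasons a shortcut found on removable media deserves a closer look."""
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    reasons = ["launches " + name for name in LAUNCHERS if name in target]
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("opens minimised (SW_SHOWMINNOACTIVE)")
    return reasons


# Constructed samples. The decoy mimics a shortcut named after a folder on the
# drive that opens the real folder and then a dropped executable; every path
# and file name here is hypothetical, not an indicator from Microsoft's report.
DECOY_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\cmd.exe",
    arguments=r'/c start "" "Documents" & start "" ".\RECYCLER\svc.exe"',
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk(relative_path=r".\Documents\report.docx")

if __name__ == "__main__":
    for label, blob in (("decoy", DECOY_LNK), ("benign", BENIGN_LNK)):
        print(label, lnk_findings(parse_lnk(blob)))
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block before the strings; the parser skips both by their size fields, so it reads shortcuts produced by Explorer as well as the minimal ones built here. Run it over every .lnk on a drive and anything that resolves to a command interpreter, or that hides its window, is worth opening in a sandbox rather than on the desktop.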

This development underscores the continuing evolution of malware tactics, particularly those aimed at the growing cryptocurrency sector. Users are advised to treat USB drives of unknown origin with caution, to check what a shortcut on a removable drive actually points to before opening it, and to avoid passing wallet addresses and seed phrases through the clipboard where possible.

For more detailed information, see the source article.
