
    Microsoft Discovers Malware ‘Worm’ That Compromises Crypto Wallets via USB Drives


    Microsoft has identified malware that steals from cryptocurrency wallets and spreads through USB drives. It arrives as a malicious shortcut file that installs a worm; the worm harvests seed phrases and private keys from the Windows clipboard and swaps in attacker-controlled wallet addresses when a user copies a recipient address for a transfer.

    — The malware, which Microsoft calls a "crypto clipper," has been targeting Windows users' cryptocurrency wallets through infected USB drives since February, according to the company.

    — Installed through a malicious .lnk shortcut file, the worm, which Microsoft Defender detects as Trojan:Win32/CryptoBandits, watches the clipboard for seed phrases, private keys and recipient addresses, exfiltrates the secrets over the Tor network and silently replaces copied recipient addresses with ones controlled by the attacker.

    — The worm spreads by replacing files on clean USB drives with shortcuts bearing the same names.

    — Microsoft advises disabling AutoRun, blocking .lnk execution from USB media, restricting script hosts and auditing networks against the published indicators of compromise.

    According to Microsoft, this USB-borne malware has been infecting Windows PCs and targeting cryptocurrency wallets since February. The company classifies it as a "crypto clipper," and Microsoft Defender Antivirus detects it as Trojan:Win32/CryptoBandits.

    The attack begins with a USB drive carrying a malicious shortcut file. In Windows, shortcut filenames end in ".lnk" and tell the operating system to open a specific application, folder or file located elsewhere on the computer, optionally with command-line arguments.

    When a user plugs in the drive and opens the shortcut, the worm, malware that copies itself onto new hosts, is installed on the PC. From then on it runs the wallet-stealing code continuously while waiting for a new, clean USB drive to be inserted into the same machine.

    The wallet-stealing component polls the Windows clipboard, the temporary buffer behind copy and paste, roughly every 500 milliseconds. When the user copies a wallet seed phrase or the private key for a Bitcoin or Ethereum wallet, the malware captures it and sends it to the attacker's server over the Tor network, an open-source overlay network for anonymous communication. It also takes five screenshots ten seconds apart and sends those as well.

    The threat doesn't stop there. If the user copies a recipient address to send funds, the worm swaps it for an attacker-controlled address before it is pasted, so the transfer goes to the attacker with no warning. The only visible sign is the pasted address itself, which is why comparing it character by character against the intended one before confirming a transfer matters.


    Finally, the worm spreads when a clean USB drive is connected to the infected computer. It scans the drive for ordinary files such as Word documents, Excel spreadsheets and PDFs and replaces them with shortcut files of the same names, so that, because Windows Explorer never displays the .lnk extension, "report.docx.lnk" appears as "report.docx". Opening the fake document on the next PC repeats the cycle.

    Microsoft advises disabling AutoRun for removable media, blocking .lnk file execution on USB drives through group policy, and restricting script hosts like wscript.exe and cscript.exe. Customers using Microsoft Defender can also run hunting queries to monitor for related activities, including connections to a local Tor proxy on port 9050.
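    The guidance above translates into a small host triage, shown here as an added example written for this article; it is not Microsoft's hunting query or any code from the malware analysis. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, an elevated session (needed for the NetTCPIP cmdlets to attribute owning processes), and that the AutoRun policy is expressed through the standard NoDriveTypeAutoRun registry value. The wallet-like canary strings are constructed and not real addresses; a clipper that validates address checksums may ignore them, so a clean canary result is not proof of absence.

```powershell
# Added example (not Microsoft's or the malware's code): audit a Windows host for the
# behaviours described in the article. Assumes an elevated Windows PowerShell 5.1 / PowerShell 7 session.

function Test-AutoRunDisabled {
    # The "Turn off AutoPlay" policy writes NoDriveTypeAutoRun; 0xFF disables AutoRun for every drive type.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($val -eq 0xFF) { return $true }
    }
    return $false
}

function Get-SuspiciousUsbShortcuts {
    # Removable drives only (Win32_LogicalDisk DriveType 2). Flag .lnk files whose name still carries a
    # document extension (the propagation trick in the article) or whose target is a script host / shell.
    $scriptHosts = 'wscript.exe', 'cscript.exe', 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe', 'rundll32.exe'
    $shell = New-Object -ComObject WScript.Shell
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        Get-ChildItem -Path "$($_.DeviceID)\" -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk        = $shell.CreateShortcut($_.FullName)
            $target     = [string]$lnk.TargetPath
            $targetName = [System.IO.Path]::GetFileName($target).ToLower()
            $looksLikeDoc = $_.BaseName -match '\.(docx?|xlsx?|pptx?|pdf|txt|jpe?g|png)$'
            if ($looksLikeDoc -or ($scriptHosts -contains $targetName)) {
                [pscustomobject]@{
                    Path         = $_.FullName
                    Target       = $target
                    Arguments    = $lnk.Arguments
                    DocumentName = $looksLikeDoc
                }
            }
        }
    }
}

function Get-LocalTorProxyConnections {
    # The article cites Defender hunting for connections to a local Tor SOCKS proxy on TCP 9050.
    Get-NetTCPConnection -RemotePort 9050 -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -in '127.0.0.1', '::1' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                OwningPid = $_.OwningProcess
                Process   = $proc.Name
                Path      = $proc.Path
                State     = $_.State
            }
        }
}

function Test-ClipboardClipper {
    # Canary test: place constructed, wallet-looking strings on the clipboard, wait longer than the
    # 500 ms poll interval from the article, and check whether anything rewrote them.
    $canaries = @(
        '0x0000000000000000000000000000000000000001',   # Ethereum-style hex, constructed
        '1Canary5TestAddre55N6tRea1x8y9zABCD'           # Base58 P2PKH-style, constructed, no valid checksum
    )
    $original = Get-Clipboard -Raw
    $tampered = @()
    foreach ($canary in $canaries) {
        Set-Clipboard -Value $canary
        Start-Sleep -Milliseconds 1500
        $now = ([string](Get-Clipboard -Raw)).Trim()
        if ($now -ne $canary) {
            $tampered += [pscustomobject]@{ Copied = $canary; FoundOnClipboard = $now }
        }
    }
    if (-not [string]::IsNullOrEmpty($original)) { Set-Clipboard -Value $original }
    return $tampered
}

# Run the four checks and emit one report object.
[pscustomobject]@{
    AutoRunDisabled          = Test-AutoRunDisabled
    SuspiciousUsbShortcuts   = @(Get-SuspiciousUsbShortcuts)
    LocalTorProxyConnections = @(Get-LocalTorProxyConnections)
    ClipboardTampering       = @(Test-ClipboardClipper)
}
```

    The script only reads state; it does not change the AutoRun policy or deploy the .lnk and script-host restrictions, which belong in Group Policy or an application-control policy. A non-empty `ClipboardTampering` or `LocalTorProxyConnections` result, or a `SuspiciousUsbShortcuts` entry whose target is a script host with a long argument string, is a reason to isolate the host and compare its files against Microsoft's published indicators of compromise rather than a confirmed detection on its own.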

    Microsoft has released a list of indicators of compromise, including file hashes and .onion domains utilized as command-and-control servers, for security teams to audit their networks against.
