New USB worm with Tor and screenshots steals crypto wallet keys

Microsoft experts have warned of a new malware campaign targeting cryptocurrency owners. The malware spreads via USB drives, automatically copies itself to new devices, and replaces crypto wallet addresses directly in the clipboard.

The attack scheme may seem outdated, but it's effective. It all begins with an infected flash drive containing a malicious LNK file—a regular Windows shortcut. Once the user opens it, additional components are downloaded to the device via the Tor network.

After infection, the malware scans the computer for documents. It hides the files it finds and creates shortcuts of the same name in their place. The user thinks they're opening a familiar document, but in reality, they're launching the next stage of the infection.

If a new flash drive is connected to the computer, the worm automatically copies itself to it. This way, the malware spreads further without the attackers' involvement.

The campaign's primary target is cryptocurrency. Every half second, the program checks the clipboard contents and searches for crypto wallet addresses, private keys, and seed phrases. Bitcoin, Ethereum, Tron, Monero, and other popular cryptocurrencies are targeted. As soon as a user copies a transfer address, the malware silently replaces it with the attackers' wallet address. The fake address is chosen to closely resemble the original, so many users may not even notice the substitution.

But the malware's capabilities don't stop there. It also takes screenshots every ten seconds and sends them via Tor to the command and control server. Furthermore, operators can remotely download and run additional code on the infected system.

According to Microsoft, the most reliable signs of infection are unusual activity by the Windows Script Host processes wscript.exe and cscript.exe, unexpected launches of PowerShell, cmd.exe, and curl, and connections to the local Tor SOCKS port, localhost:9050.

In fact, this isn't just a cryptocurrency-theft clipper, but a fully-fledged worm with espionage and remote control capabilities. And while users were previously advised to carefully check wallet addresses before making a transfer, this recommendation is now even more relevant.

@ Anti-Malware