USB Worm Spreads Cryptocurrency-Stealing Malware via Shortcut Files

A campaign targeting cryptocurrency users distributes clipboard-stealing malware via LNK shortcut files on USB drives, active since at least February, with command-and-control communication concealed through the Tor network. Infection occurs when a victim opens the malicious shortcut. The malware then hides the legitimate document files on the drive and replaces them with identical-looking shortcuts, so it runs again whenever the user tries to open a document. The worm also establishes a scheduled task that monitors for newly connected USB devices, copying itself onto each one and generating additional malicious shortcuts automatically.

The stealer component checks clipboard content every half second for BIP39 seed phrases, Ethereum and Bitcoin private keys, and various cryptocurrency wallet addresses, replacing them with attacker-controlled wallet addresses. The malware also captures screenshots every ten seconds and exfiltrates them alongside stolen data to command-and-control infrastructure over Tor, and supports remote code execution via downloaded JavaScript payloads. Microsoft researchers note detection relies on behavioral indicators rather than signatures, including unexpected wscript.exe, cscript.exe, curl, PowerShell, and cmd.exe activity, as well as connections to localhost port 9050 indicating Tor proxy usage. The campaign represents a persistent threat to cryptocurrency holders through physical media propagation and stealthy clipboard manipulation techniques.
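The behavioral indicators above translate directly into a triage rule: a script host or shell launched from a shortcut, a command line pointing at a removable drive, and a loopback connection to TCP 9050. The following is an added example of that logic run over constructed telemetry; it is not Microsoft's detection code or anything from the campaign itself. The event field names (`host`, `type`, `image`, `parent_image`, `cmdline`, `dst_ip`, `dst_port`) are an assumption modelled on Sysmon-style process and network events, the treatment of `C:` as the only system drive and the script-extension list are assumptions, and the sample events are constructed for the example.

```python
"""Triage of process and network telemetry for the USB/LNK clipboard-stealer
behaviors described above. Field names follow a Sysmon-like schema (assumption).
"""
import re
from collections import defaultdict

# Hosts the write-up names as "unexpected" when launched from a shortcut.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "curl.exe", "powershell.exe", "cmd.exe"}
# Default Tor SOCKS port the write-up calls out; loopback addresses to match on.
TOR_SOCKS_PORT = 9050
LOOPBACK = {"127.0.0.1", "::1"}
# Assumption: C: is the system drive, so any other drive letter is "removable-ish".
NON_SYSTEM_DRIVE = re.compile(r"\b[D-Z]:\\", re.IGNORECASE)
# .js is from the write-up (JavaScript payloads); the other extensions are an assumption.
SCRIPT_ARG = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)

# Constructed sample telemetry for the example, not captured from a real host.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "pid": 5312,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript.exe //B E:\Documents\report.js"},
    {"host": "ws01", "type": "network", "pid": 5312,
     "image": r"C:\Windows\System32\wscript.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9050},
    # Benign: a build shell spawned by a developer tool, no script or drive hints.
    {"host": "ws02", "type": "process", "pid": 2210,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Git\git-bash.exe",
     "cmdline": "cmd.exe /c build.bat"},
    # Benign: Tor Browser uses port 9150, not the 9050 daemon port the rule watches.
    {"host": "ws03", "type": "network", "pid": 900,
     "image": r"C:\Program Files\Tor Browser\Browser\firefox.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9150},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def process_findings(ev):
    """Return (tag, reason) pairs for one process-creation event."""
    name = _basename(ev.get("image", ""))
    if name not in SCRIPT_HOSTS:
        return []
    parent = _basename(ev.get("parent_image", ""))
    cmd = ev.get("cmdline", "")
    out = []
    # A script host started by Explorer with a script argument is what an
    # opened LNK that wraps a JavaScript payload looks like.
    if parent == "explorer.exe" and SCRIPT_ARG.search(cmd):
        out.append(("script_host", f"{name} launched by explorer.exe with a script argument"))
    if NON_SYSTEM_DRIVE.search(cmd):
        out.append(("removable_path", f"{name} command line references a non-system drive"))
    return out


def network_findings(ev):
    """Return (tag, reason) pairs for one network-connection event."""
    if ev.get("dst_ip") in LOOPBACK and ev.get("dst_port") == TOR_SOCKS_PORT:
        name = _basename(ev.get("image", ""))
        return [("tor_proxy", f"{name} connected to localhost:{TOR_SOCKS_PORT} (Tor SOCKS proxy)")]
    return []


def analyze(events):
    """Group findings per host: {host: [(pid, tag, reason), ...]}."""
    findings = defaultdict(list)
    for ev in events:
        hits = process_findings(ev) if ev.get("type") == "process" else \
               network_findings(ev) if ev.get("type") == "network" else []
        for tag, reason in hits:
            findings[ev["host"]].append((ev.get("pid"), tag, reason))
    return dict(findings)


def severity(host_findings):
    """'high' when both an execution indicator and the Tor proxy indicator
    appear on the same host; 'medium' for either alone; 'none' otherwise."""
    tags = {tag for _, tag, _ in host_findings}
    execution = bool(tags & {"script_host", "removable_path"})
    if execution and "tor_proxy" in tags:
        return "high"
    if execution or "tor_proxy" in tags:
        return "medium"
    return "none"


if __name__ == "__main__":
    for host, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{host}: severity={severity(hits)}")
        for pid, tag, reason in hits:
            print(f"  pid {pid} [{tag}] {reason}")
```

Running the block on the constructed events reports only `ws01` at high severity; the developer shell on `ws02` and the Tor Browser connection on `ws03` produce no findings. In a real deployment the `script_host` rule should be tuned against the organisation's own logon scripts and the `removable_path` rule replaced with the platform's actual removable-media flag where the telemetry provides one.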
