Microsoft Discovers Cryptocurrency Stealer That Spreads Through USB Drives and Uses Tor (arstechnica.com)
Ars Technica's senior security editor reports:
Microsoft says it has detected new self-propagating malware that spreads through USB drives in search of cryptocurrency credentials, which it then sends to attacker-controlled servers.
The company named the worm Crypto Clipper because it monitors the contents of device clipboards for patterns consistent with wallet addresses or seed phrases. When found, the malware also takes five screenshots over a 10-second period... "The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure," Microsoft said Thursday. "Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor."
Microsoft said it observed Crypto Clipper spreading through .lnk files on a USB drive. These files store executable code. When an infected USB drive is plugged into a device, the code checks whether it is already installed on the machine. If it isn't, the malware downloads it through the Tor proxy. To better conceal evidence of the worm, the malware scans the infected USB drive and names the .lnk files with similar names... The stealer also replaces addresses it finds with ones belonging to attacker-controlled wallets. This allows the malware to divert payments to the attacker's pockets. Microsoft believes the purpose of the screenshots is to provide context that may be useful. "This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking," Microsoft said. "The combination of Tor-routed C2, clipboard targeting, screenshot capture, and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices."
Thanks to Slashdot reader joshuark for sharing the news.
Bright idea, that... (Score:3)
To run whatever code you find on a USB drive.
Re: (Score:3)
The worm scans the drive for a folder, creates an .lnk file with the same name and an icon that makes it look like a folder and renames the original folder to something else. The .lnk links to powershell with the payload passed as a command line argument. It's not that easy to spot that something is off, especially since Windows hides extensions by default.
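The folder-impersonation trick described in the comment above (a .lnk carrying a folder icon, named after a real folder that has been renamed or hidden, whose target is powershell.exe with the payload in its arguments) is something a defender can triage for without ever launching the shortcut, because the WScript.Shell COM object only parses the .lnk metadata. The script below is an added example, not part of the article, the Slashdot comment, or any Microsoft tooling; it assumes the drive letter is passed as -DriveLetter, and the icon-index heuristic (shell32.dll indices 3 and 4 are the stock folder icons) and the argument patterns are this example's own choices rather than indicators published by Microsoft.

```powershell
<#
  Added example: triage a removable drive for .lnk files that impersonate
  folders and launch a script host. Read-only: nothing on the drive is run.
  Assumptions (not from the article): -DriveLetter selects the drive; the
  icon-index and argument heuristics are this example's own.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]$')]
    [string]$DriveLetter
)

$shell = New-Object -ComObject WScript.Shell
$root  = "${DriveLetter}:\"

# Script hosts that a folder-shaped shortcut has no business pointing at.
$hostPattern = '(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)(\.exe)?$'
# Command-line shapes typical of a payload passed entirely as arguments
# (-match is case-insensitive in PowerShell, so no (?i) is needed).
$argPattern  = '-e(c|nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|bypass|\biex\b|invoke-expression|downloadstring|frombase64string'

Get-ChildItem -Path $root -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $lnkFile   = $_
    $lnk       = $shell.CreateShortcut($lnkFile.FullName)   # parses metadata only
    $target    = [string]$lnk.TargetPath
    $arguments = [string]$lnk.Arguments
    $reasons   = @()

    if ($target -match $hostPattern)   { $reasons += "target is a script host: $target" }
    if ($arguments -match $argPattern) { $reasons += "payload-style arguments" }
    if ($arguments.Length -gt 512)     { $reasons += "unusually long argument string ($($arguments.Length) chars)" }
    if ([string]$lnk.IconLocation -match 'shell32\.dll,\s*[34]$') {
        $reasons += "stock folder icon borrowed from shell32.dll"
    }

    # The original folder being renamed and hidden is the other half of the
    # trick, so a hidden directory beside the shortcut is a corroborating signal.
    $hiddenDirs = Get-ChildItem -LiteralPath $lnkFile.DirectoryName -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
    if ($hiddenDirs) {
        $reasons += "hidden directories beside the shortcut: $(($hiddenDirs | ForEach-Object Name) -join ', ')"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Shortcut  = $lnkFile.FullName
            Target    = $target
            Arguments = $arguments
            Reasons   = ($reasons -join '; ')
        }
    }
}
```

Run it as `.\Find-FolderLookalikeLnk.ps1 -DriveLetter E` (file name is a placeholder) from a machine where the drive is mounted; it emits one object per suspicious shortcut, so the output pipes into Export-Csv or Format-List for a ticket. Because each shortcut is scored by several independent signals, a benign .lnk with a folder icon but a harmless target produces at most one weak reason, while the pattern the comment describes trips three or four at once.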
Re: (Score:2)
especially since Windows hides extensions by default.
Which every user should switch off the first time he uses the computer.
No idea who had that braindead idea; he should be chained in a dungeon with moldy dry bread and muddy water.
Re: (Score:2)
Re: (Score:1)
Yes, and on top of that: do not execute anything that comes from external sources. Like on a Mac.
Microfots never grows up (Score:2)
Re: Microfots never grows up (Score:2)
And they still insist on hiding the filename extensions even though that is a great way to hide malicious code.
Re: (Score:2)
Yes. One of the first things I change when installing Windows. Although I am not sure I will do that again, ever. Maybe in a VM.
Re: (Score:2)
Not true. New ones get added to the mix whenever MS makes Yet Another Really Stupid Decision.
I don't know (Score:1)
But I get the distinct impression that Microslop has only just worked this one out, even though this has been the case ever since they included 'autorun.inf' as a 'feature' with Windows 95.
Great job MS! Keeping storage media worms alive! (Score:2)
These things are as old as the first computers with floppies or other removable media. Without the determined efforts by Microsoft they would have died out by now. So big kudos to them for keeping that part of ancient computing history alive!
In other news, IT Security people have no problems at all finding jobs, while coders really struggle.