Security Microsoft The Almighty Buck

Microsoft Discovers Cryptocurrency Stealer That Spreads Through USB Drives and Uses Tor (arstechnica.com)

Ars Technica's senior security editor reports: Microsoft says it has detected new self-propagating malware that spreads through USB drives in search of cryptocurrency credentials, which it then sends to attacker-controlled servers.

The company named the worm Crypto Clipper because it monitors the contents of device clipboards for patterns consistent with wallet addresses or seed phrases. When found, the malware also takes five screenshots over a 10-second period... "The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure," Microsoft said Thursday. "Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor."

Microsoft said it observed Crypto Clipper spreading through .lnk files on a USB drive. These files store executable code. When an infected USB drive is plugged into a device, the code checks whether the malware is already installed on the machine. If it isn't, the malware downloads it through the Tor proxy. To better conceal evidence of the worm, the malware scans the infected USB drive and names the .lnk files with similar names... The stealer also replaces addresses it finds with ones belonging to attacker-controlled wallets. This allows the malware to divert payments to the attacker's pockets. Microsoft believes the purpose of the screenshots is to provide context that may be useful. "This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking," Microsoft said. "The combination of Tor-routed C2, clipboard targeting, screenshot capture, and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices."
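The "clipper" behaviour described above (watch the clipboard for wallet-address patterns, then swap in an attacker address) can be detected from the defender's side by the same observation: the clipboard changes from one address to a different address of the same family faster than a person would copy twice. The following is an added example, not code from Microsoft or Ars Technica; the address regexes are heuristics written for this illustration (three common families only), and the clipboard poll log is constructed sample data.

```python
import re
from dataclasses import dataclass

# Address shapes a clipper watches for. Heuristic patterns written for this
# example (three common families); a real monitor would cover more chains.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text: str):
    """Return the address family `text` resembles, or None."""
    t = text.strip()
    for family, pattern in WALLET_PATTERNS.items():
        if pattern.match(t):
            return family
    return None

@dataclass
class Swap:
    at: float       # seconds, from the clipboard poll timestamps
    family: str
    before: str
    after: str

def detect_swaps(samples, max_gap: float = 2.0):
    """samples: (timestamp_seconds, clipboard_text) pairs, polled in order.
    Flags a change where one address is replaced by a *different* address of
    the same family within max_gap seconds. A user rarely copies two distinct
    addresses that fast; a clipper rewrites the clipboard almost immediately."""
    swaps = []
    prev_t = prev_text = None
    for t, text in samples:
        if prev_text is not None and text != prev_text:
            fam_prev, fam_now = classify(prev_text), classify(text)
            if fam_prev is not None and fam_prev == fam_now and t - prev_t <= max_gap:
                swaps.append(Swap(t, fam_now, prev_text.strip(), text.strip()))
        prev_t, prev_text = t, text
    return swaps

# Constructed poll log: the user copies an ETH address at t=1.0 and the
# clipboard silently changes to another ETH address half a second later.
USER_ADDR     = "0x" + "ab12" * 10   # constructed; not a real wallet
ATTACKER_ADDR = "0x" + "ffee" * 10   # constructed; not a real wallet
SAMPLE_CLIPBOARD = [
    (0.0, "meeting notes"),
    (1.0, USER_ADDR),
    (1.5, ATTACKER_ADDR),
    (10.0, "hello"),
    (11.0, "1" + "A" * 33),    # two legacy BTC addresses copied 19 s apart:
    (30.0, "3" + "B" * 33),    # ordinary user behaviour, not flagged
]

if __name__ == "__main__":
    for s in detect_swaps(SAMPLE_CLIPBOARD):
        print(f"[{s.at:5.1f}s] {s.family} address swapped: {s.before} -> {s.after}")
```

On a live machine the `samples` sequence would come from polling the clipboard (for example every 250 ms); the time threshold is the whole trick, since the only distinguishing feature of a clipper is that the replacement happens without a second user action.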

Thanks to Slashdot reader joshuark for sharing the news.


  • by jddj ( 1085169 ) on Saturday June 20, 2026 @11:45AM (#66201722)

    To run whatever code you find on a USB drive.

    • by Hentes ( 2461350 )

      The worm scans the drive for a folder, creates an .lnk file with the same name and an icon that makes it look like a folder and renames the original folder to something else. The .lnk links to powershell with the payload passed as a command line argument. It's not that easy to spot that something is off, especially since Windows hides extensions by default.

      • especially since Windows hides extensions by default.
        Which every user should switch off the first time he uses the computer.

        No idea who had that braindead idea, he should be chained in a dungeon with moldy dry bread and muddy water.

        • by bn-7bc ( 909819 )
          Maybe, just maybe Windows should stop blindly executing stuff on the basis of file extensions and, like most other (sane) OSes, have an execute bit in the properties, but yeah, not hiding extensions by default would be a good step, but we're talking about Microslop here so the chances of sane defaults are rather close to zero.
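The folder-impersonation trick described in the story summary and in the comment above (a .lnk named after a real folder, with a folder icon, that hands its payload to PowerShell) leaves two artefacts a scanner can look for on a removable drive: a shortcut whose name collides with a sibling folder, and a shortcut whose embedded target is a script interpreter. The following is an added example written for this page, not Microsoft's detection logic; the Shell Link signature is the documented 20-byte header, but the name-collision and interpreter heuristics are assumptions, and the sample "drive" (including its stand-in .lnk bytes) is constructed.

```python
import re
import tempfile
from pathlib import Path

# First 20 bytes of every Shell Link (.lnk): HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID order.
LNK_SIGNATURE = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Interpreters a "folder" shortcut on removable media has no reason to launch.
SUSPICIOUS_TARGETS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta")

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

def is_shell_link(data: bytes) -> bool:
    return data[:20] == LNK_SIGNATURE

def extract_strings(data: bytes):
    """Pull printable ASCII and UTF-16LE runs out of the link; the target path
    and command-line arguments in a .lnk are stored as one of the two."""
    out = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return out

def inspect_lnk(path: Path):
    """Return the list of reasons this shortcut looks like a lure (empty if none)."""
    reasons = []
    data = path.read_bytes()
    if not is_shell_link(data):
        return reasons  # not a real shortcut at all
    # Heuristic 1 (assumed): the shortcut is named after a folder beside it,
    # including a renamed original such as "Documents_" next to "Documents.lnk".
    siblings = {p.name.lower() for p in path.parent.iterdir() if p.is_dir()}
    stem = path.stem.lower()
    if stem in siblings or any(s.startswith(stem) for s in siblings):
        reasons.append(f"named like sibling folder '{path.stem}'")
    # Heuristic 2 (assumed): the link launches a script interpreter.
    blob = " ".join(extract_strings(data)).lower()
    hits = [t for t in SUSPICIOUS_TARGETS if t in blob]
    if hits:
        reasons.append("launches interpreter: " + ", ".join(hits))
    return reasons

def scan_drive(root):
    """Map shortcut file name -> reasons, for every flagged .lnk under root."""
    findings = {}
    for p in Path(root).rglob("*.lnk"):
        if p.is_file():
            reasons = inspect_lnk(p)
            if reasons:
                findings[p.name] = reasons
    return findings

def _fake_lnk(target: str, args: str = "") -> bytes:
    """Constructed stand-in for a .lnk: real 20-byte signature, zero-padded
    header, then target and arguments as UTF-16LE strings. Enough for the
    checks above; not a shortcut Windows would resolve."""
    header = LNK_SIGNATURE + b"\x00" * (0x4C - len(LNK_SIGNATURE))
    return header + target.encode("utf-16-le") + b"\x00\x00" + args.encode("utf-16-le")

def build_sample_drive(root):
    """Constructed removable-drive layout mirroring the scenario in the story."""
    root = Path(root)
    (root / "Documents_").mkdir()   # the real folder, renamed in this scenario
    (root / "Holiday").mkdir()
    (root / "Documents.lnk").write_bytes(_fake_lnk(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "<constructed placeholder arguments>"))
    (root / "Readme.lnk").write_bytes(_fake_lnk(r"C:\Windows\notepad.exe", r"E:\readme.txt"))
    return root

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return scan_drive(tmp)

if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(f"{name}: " + "; ".join(reasons))
```

Pointing `scan_drive` at a mounted drive root is the intended use; `inspect_lnk` deliberately stops at reading strings out of the file and never resolves or executes the shortcut, so the scan is safe to run on a drive you suspect.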
  • It's always the same faults, over and over and over and over again.
  • by Anonymous Coward

    But I get the distinct impression that Microslop has only just worked this one out, even though this has been the case ever since they included 'autorun.inf' as a 'feature' with Windows 95.

  • These things are as old as the first computers with floppies or other removable media. Without the determined efforts by Microsoft they would have died out by now. So big kudos to them for keeping that part of ancient computing history alive!

    In other news, IT Security people have no problems at all finding jobs, while coders really struggle.

