June 20, 2026

Microsoft Warns of USB-Spread Malware Targeting Crypto Wallets

Microsoft has issued a warning regarding a malware strain, identified as Trojan:Win32/CryptoBandits, which has been targeting cryptocurrency wallets on Windows systems since February. This malware, referred to as a “crypto clipper,” spreads primarily through infected USB drives.

The infection process begins when a user connects a USB drive containing a malicious shortcut file, known as a .lnk file. When executed, this file installs the worm onto the user’s computer. Once active, the malware continuously monitors the clipboard for sensitive information, including cryptocurrency wallet seed phrases and private keys.

According to Microsoft, the malware captures this data and transmits it to the attacker’s server via the Tor network, which facilitates anonymous communication. Additionally, the worm can replace recipient wallet addresses with those controlled by the attacker, redirecting funds without the user’s knowledge.

The malware’s propagation mechanism involves scanning for clean USB drives connected to the infected PC. It replaces ordinary files such as Word documents and PDFs with similarly named shortcut files, effectively spreading the infection to other devices.
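A defender-side triage sketch for the file swap described above, added here as an example (it is not Microsoft's guidance or code): it inventories the documents on a drive while it is known clean, then flags any `.lnk` that carries a document-style double extension or sits where an inventoried document used to be. The function names, the extension list beyond Word and PDF, and the sample file names are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

# Word and PDF are named in the article; the other office types are an assumption.
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}

def inventory(root):
    """Relative paths of documents under root; take this while the drive is known clean."""
    root = Path(root)
    return {p.relative_to(root).as_posix() for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in DOC_EXTS}

def find_suspicious_shortcuts(root, baseline=frozenset()):
    """Return (path, reason) for each .lnk that stands in for a document."""
    root = Path(root)
    # (folder, stem) -> baseline document that is no longer on the drive
    missing = {}
    for rel in baseline:
        if not (root / rel).exists():
            p = Path(rel)
            missing[(p.parent.as_posix(), p.stem.lower())] = rel
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() != ".lnk":
            continue
        rel = p.relative_to(root)
        inner = Path(rel.stem)  # file name with the trailing .lnk removed
        key = (rel.parent.as_posix(), inner.name.lower())
        if inner.suffix.lower() in DOC_EXTS:
            findings.append((rel.as_posix(), "double-extension"))
        elif key in missing:
            findings.append((rel.as_posix(), "replaced-document:" + missing[key]))
    return findings

def demo():
    """Constructed sample tree: snapshot it, swap two documents, then scan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        for name in ("budget.docx", "docs/plan.pdf"):
            (root / name).write_bytes(b"constructed sample document")
        baseline = inventory(root)
        for old, new in (("budget.docx", "budget.lnk"),
                         ("docs/plan.pdf", "docs/plan.pdf.lnk")):
            (root / old).unlink()
            (root / new).write_bytes(b"constructed placeholder, not a real shortcut")
        (root / "tools.lnk").write_bytes(b"constructed placeholder")  # unrelated
        return find_suspicious_shortcuts(root, baseline)
```

Calling `demo()` returns the two swapped entries and leaves the unrelated `tools.lnk` unflagged; on a real drive, pass the mount point to `inventory()` before the drive leaves a trusted machine and to `find_suspicious_shortcuts()` when it returns.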

To mitigate the risks associated with this malware, Microsoft recommends several security measures. Users should disable AutoRun for removable media and block the execution of .lnk files on USB drives through group policy settings. It is also advisable to restrict the use of script hosts like wscript.exe and cscript.exe.

For users of Microsoft Defender, the company has provided guidance on running hunting queries to detect related activities, including connections to local Tor proxies. Furthermore, Microsoft has published a list of indicators of compromise, which includes file hashes and .onion domains used by the malware’s command-and-control servers, to assist security teams in monitoring their networks.

Microsoft has alerted users to a malware strain that spreads via USB drives and targets cryptocurrency wallets on Windows systems. The malware captures sensitive information and redirects transactions, posing significant risks to users' digital assets.
