Microsoft has sounded the alarm on a freshly discovered malware strain paving its way into the cryptocurrency wallets of Windows users via USB devices since February. Dubbed as a ‘crypto clipper,’ this threat is identified as Trojan:Win32/CryptoBandits in their Defender Antivirus solutions.
How Does the Malware Spread?
The malware initiates its attack through a deceptive shortcut file (.lnk), situated on an infected USB. This file, although appearing as a tool for opening programs, harnesses a potent, worm-like malware upon activation, embedding itself into the host system and setting the stage for further dissemination.
Post-installation, it runs constant background operations. Primarily, it extracts vital data from cryptocurrency wallets. Additionally, the malware vigilantly searches for any new USB drives connected to the already compromised machine, thus ensuring its ability to jump onto fresh devices and proliferate across systems stealthily.
Microsoft alerts, “The malware persistently monitors clipboard contents, seizing sensitive data like seed phrases, private keys, and transfer addresses, relaying all intercepted details through the Tor network. A significant threat arises when a user copies a wallet address; the malware can stealthily replace it with an attacker’s alternative, culminating in unauthorized fund transfers.”
Which Data Is at Risk?
The malware keeps a hawk-eye vigil on the Windows clipboard every 500 milliseconds. This near-continuous scrutiny captures crucial wallet-related details such as seed phrases or private keys from prominent wallets like Bitcoin or Ethereum. Furthermore, it covertly captures up to five screenshots at frequent intervals, relaying them to external entities.
A major peril is its ability to substitute transfer addresses discreetly. Users copying a recipient address may unknowingly end up facilitating a transaction to an attacker-controlled address, endangering their crypto assets without any overt signs.
Additionally, this ‘USB conduit’ is particularly crucial. When encountering a clean USB, the malware inspects for files—Word, Excel, or PDFs—converting them into similarly named shortcut files, thereby infecting the drive without raising an alarm, continuing the infection cycle when connected elsewhere.
- Disabling AutoRun for removable media is recommended by Microsoft.
- Block .lnk file execution on USBs using group policies.
- Restrict script hosts like wscript.exe and cscript.exe.
- Run scans for indicators pointing towards potential compromises.
Heightened vigilance is essential with constant checks for suspicious connections or activities, especially surrounding the Tor proxy on port 9050, as part of incorporating robust cybersecurity measures in response to this rising menace. Following preventive steps is vital to protect valuable crypto holdings from such covert threats effectively.
