Microsoft discovers new self-propagating malware that steals cryptocurrency
Microsoft has uncovered a new worm named Crypto Clipper that spreads via USB drives, monitors clipboard content for crypto wallet addresses and seed phrases, and exfiltrates data through Tor.

New malware targets cryptocurrency credentials
Microsoft announced it has detected a new self-propagating malware that spreads through USB drives in search of cryptocurrency credentials. Dubbed Crypto Clipper, the worm monitors the device's clipboard for patterns matching wallet addresses or seed phrases. When found, it captures five screenshots over a 10-second period. Both credentials and screenshots are then sent to attacker-controlled servers via the Tor network, using a SOCKS5 proxy.
Lightweight backdoor
Microsoft said the malware stands out because it does not rely on a traditional installer or IP-based command-and-control infrastructure. Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.
USB-based propagation
Microsoft observed Crypto Clipper spreading through .lnk files on USB drives. These files contain executable code. When an infected USB drive is connected to a device, the code checks if the malware is already installed. If not, it downloads the malware via the Tor proxy. To conceal its presence, the malware scans the USB drive and renames the .lnk files with similar names.
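For defenders triaging shortcuts on removable drives, the following added example (not Microsoft's detection logic and not taken from the report) parses the string fields of a .lnk file per the Shell Link binary format and flags shortcuts that pass command-line arguments or name a script interpreter. Treating those traits as suspicious is an assumption, since the article does not describe the internals of Crypto Clipper's .lnk files; the interpreter word list and the sample_lnk helper are constructed for illustration.

```python
import struct

# Header constants follow the Shell Link (.lnk) binary format; the word list is an assumed heuristic.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
INTERPRETERS = ("cmd", "powershell", "wscript", "cscript", "mshta", "rundll32")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shortcut; raise ValueError if it is not one."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                   # fixed-size header
    try:
        if flags & 0x01:                       # HasLinkTargetIDList: 2-byte size, then the list
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & 0x02:                       # HasLinkInfo: 4-byte size that includes itself
            pos += struct.unpack_from("<I", data, pos)[0]
        wide = bool(flags & 0x80)              # IsUnicode
        fields = {}
        for bit, name in STRING_FIELDS:        # fields appear in this fixed order
            if flags & bit:
                count = struct.unpack_from("<H", data, pos)[0]
                size = count * 2 if wide else count
                raw = data[pos + 2:pos + 2 + size]
                if len(raw) != size:
                    raise ValueError("truncated shell link")
                fields[name] = raw.decode("utf-16-le" if wide else "cp1252", "replace")
                pos += 2 + size
    except struct.error:
        raise ValueError("truncated shell link") from None
    return fields

def triage(data: bytes) -> list:
    """Reasons a shortcut found on removable media deserves a closer look."""
    fields = parse_lnk(data)
    reasons = ["runs its target with arguments: " + fields["arguments"]] if fields.get("arguments") else []
    text = " ".join(fields.values()).lower()
    reasons += ["mentions " + word for word in INTERPRETERS if word in text]
    return reasons

def sample_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Constructed test input: header plus Unicode StringData, no IDList or LinkInfo."""
    flags = 0x80 | 0x08 | (0x20 if arguments else 0)
    strings = [relative_path] + ([arguments] if arguments else [])
    packed = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)
    return struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(52) + packed
```

The parser skips the LinkTargetIDList and LinkInfo blocks, where the absolute target usually lives, so an empty result from triage is not a clean bill of health.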


