Microsoft warns users of 'Crypto Clipper' malware spread via USB drives

The malware blends data theft with remote code execution, “turning a financially motivated stealer into a lightweight backdoor,” Microsoft said.

Microsoft Threat Intelligence is warning Windows users about a cryptocurrency clipper strain of malware transmitted via USB drives. 

The malware, which has been affecting users since February, steals clipboard data to extract wallet credentials using “high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution,” Microsoft said Wednesday.

The crypto clipper also hides legitimate files and replaces them with lookalike shortcuts, so victims unknowingly execute malware while a worm component propagates automatically to USB storage devices. 

This malware is insidious because it's more than just an info stealer, it functions as a backdoor, meaning that attackers can push and execute arbitrary code on infected machines at any time, turning a simple crypto theft into a persistent foothold for ransomware. 

The execution of this clipper is also notable because it does not depend on a traditional installer or exposed IP-based infrastructure, the Microsoft researchers said.

The malware deploys two obfuscated JavaScript payloads in the Windows Documents directory and creates scheduled tasks for both the worm and stealer components.

The malware also secretly installs a copy of Tor on the victim’s computer but renames it ugate.exe to disguise it as something innocent. It then uses the anonymizing Tor network to connect to its malicious operators at hidden “onion” addresses.

Related: ‘TrapDoor’ malware targets crypto dev tools in supply chain attack

“The combination of Tor-routed C2, clipboard targeting, screenshot capture and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices,” Microsoft said. 

Crypto clipper execution flow. Source: Microsoft

The crypto clipper focuses on “high-value financial artifacts” from the clipboard, including BIP39 mnemonic seed phrases and Bitcoin and Ethereum private keys.