Microsoft discovers new lightweight backdoor that steals cryptocurrency
Microsoft says it has detected a new self-propagating worm that spreads via USB drives and searches for cryptocurrency credentials, which it then sends to attacker-controlled servers. The company named the malware Crypto Clipper because it monitors the device's clipboard for text that matches the patterns of wallet addresses or seed phrases.
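The clipboard-matching logic the article describes, as an added example (not code from Microsoft's report or from the malware): a small classifier that decides whether one clipboard snapshot looks like a Bitcoin address, an Ethereum address or a BIP-39 seed phrase, run over a constructed clipboard history. The regexes are the common public address formats; the function and variable names are this example's own. The same logic is useful on the defensive side, for example to test whether a clipboard-monitoring detection fires on decoy values.

```python
import re

# Address patterns a clipper typically watches for (added example; the regexes
# are common public formats, not taken from Microsoft's report).
BTC_LEGACY = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")   # P2PKH / P2SH, base58 (no 0, O, I, l)
BTC_BECH32 = re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}$")  # bech32 / bech32m
ETH_HEX = re.compile(r"^0x[0-9a-fA-F]{40}$")                     # 20-byte account address
SEED_WORD = re.compile(r"^[a-z]{3,8}$")                           # shape of a BIP-39 word
SEED_LENGTHS = {12, 15, 18, 21, 24}                               # valid BIP-39 phrase lengths


def classify(text, wordlist=None):
    """Return 'btc', 'eth', 'seed' or None for one clipboard snapshot.

    Without a wordlist, seed detection is a shape heuristic only (word count
    and word form); pass the 2048-word BIP-39 list as a set to make it exact.
    """
    s = text.strip()
    if BTC_LEGACY.match(s) or BTC_BECH32.match(s.lower()):
        return "btc"
    if ETH_HEX.match(s):
        return "eth"
    words = s.lower().split()
    if len(words) in SEED_LENGTHS and all(SEED_WORD.match(w) for w in words):
        if wordlist is None or all(w in wordlist for w in words):
            return "seed"
    return None


def scan_clipboard_log(events, wordlist=None):
    """events: iterable of (timestamp, clipboard_text). Returns [(timestamp, kind)] for hits."""
    hits = []
    for ts, text in events:
        kind = classify(text, wordlist)
        if kind is not None:
            hits.append((ts, kind))
    return hits


# Constructed clipboard history for the demo; the addresses are well-known
# public test vectors and the seed phrase is the standard BIP-39 test mnemonic.
SAMPLE_EVENTS = [
    ("10:00:01", "Meeting moved to 3pm, see you in room 204"),
    ("10:00:07", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ("10:00:09", "0x1234"),  # hex fragment, too short to be an address
    ("10:00:15", "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe"),
    ("10:00:31", "abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about"),
]

if __name__ == "__main__":
    for ts, kind in scan_clipboard_log(SAMPLE_EVENTS):
        print(f"{ts}  {kind}")
```

Without a wordlist, any twelve lowercase words of three to eight letters would be flagged as a seed phrase, so a real implementation should supply the BIP-39 list; the shape check alone is enough to show why a clipper needs nothing more than a regex and a clipboard poll to pick out secrets.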
When it finds credentials, the malware also captures five screenshots over a 10-second period. Both the credentials and the screenshots are sent to the attacker over Tor, a network that encrypts traffic in layers and relays it through a circuit of several nodes, so that no single relay sees both the sending and the receiving IP address and logs at any one hop cannot link the two.
Crypto Clipper reaches Tor through a SOCKS5 proxy, a protocol in which a client hands a proxy server the destination it wants and the proxy opens that connection and forwards the traffic. A local Tor client exposes exactly such a SOCKS5 listener (by default on 127.0.0.1 port 9050, or 9150 for Tor Browser), and because SOCKS5 lets the client name the destination by hostname rather than IP address, the name is resolved by Tor itself and no routable C2 address ever has to appear on the infected host. Microsoft said the execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure.
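The SOCKS5 exchange described above, as an added example (not code from the malware or from Microsoft's report): the client side builds the RFC 1928 greeting and a CONNECT request that carries the destination as a hostname (address type 0x03), and a constructed stand-in for the proxy side parses it and answers the way a SOCKS5 server does, so the whole handshake runs offline. The hostname `example.onion` is a placeholder, and `FakeTorProxy`, `socks5_connect` and the other names are this example's own; `socks5_connect` works unchanged against a real socket connected to a SOCKS5 port.

```python
import ipaddress
import struct

# RFC 1928 constants.
SOCKS_VERSION = 0x05
NO_AUTH = 0x00
NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_CODES = {
    0x00: "succeeded", 0x01: "general failure", 0x02: "not allowed by ruleset",
    0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused",
    0x06: "TTL expired", 0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting():
    """VER, NMETHODS, METHODS: offer only 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect(host, port):
    """CONNECT request with the destination as a hostname (ATYP 0x03).

    The proxy resolves the name, so no DNS query for it leaves the client host.
    """
    host_b = host.encode("ascii")
    if not 1 <= len(host_b) <= 255:
        raise ValueError("hostname must be 1-255 bytes")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(host_b)]) + host_b + struct.pack("!H", port)


def parse_connect(req):
    """Proxy side: return (cmd, host, port) from a CONNECT request."""
    ver, cmd, _rsv, atyp = req[:4]
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if atyp == ATYP_DOMAIN:
        n = req[4]
        host = req[5:5 + n].decode("ascii")
        port = struct.unpack("!H", req[5 + n:7 + n])[0]
    elif atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(req[4:8]))
        port = struct.unpack("!H", req[8:10])[0]
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(req[4:20]))
        port = struct.unpack("!H", req[20:22])[0]
    else:
        raise ValueError("unknown address type")
    return cmd, host, port


def parse_reply(rep):
    """Map the REP field of a server reply to its meaning."""
    ver, code, _rsv, _atyp = rep[:4]
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return REPLY_CODES.get(code, f"unknown ({code:#x})")


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        data += chunk
    return data


def socks5_connect(sock, host, port):
    """Run the client side of the handshake on an already-connected socket."""
    sock.sendall(build_greeting())
    ver, method = _recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        raise ConnectionError("proxy rejected the no-auth method")
    sock.sendall(build_connect(host, port))
    head = _recv_exact(sock, 4)
    atyp = head[3]
    if atyp == ATYP_IPV4:          # consume BND.ADDR + BND.PORT
        _recv_exact(sock, 4 + 2)
    elif atyp == ATYP_IPV6:
        _recv_exact(sock, 16 + 2)
    elif atyp == ATYP_DOMAIN:
        _recv_exact(sock, _recv_exact(sock, 1)[0] + 2)
    else:
        raise ConnectionError("malformed reply")
    return parse_reply(head)


class FakeTorProxy:
    """Constructed stand-in for the proxy side; records what the client asked for."""

    def __init__(self):
        self.buf = b""
        self.requested = None
        self.stage = 0

    def sendall(self, data):
        if self.stage == 0:                       # method negotiation
            methods = data[2:2 + data[1]]
            chosen = NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE
            self.buf += bytes([SOCKS_VERSION, chosen])
            self.stage = 1
        else:                                     # CONNECT: succeed with a zeroed bind address
            _cmd, host, port = parse_connect(data)
            self.requested = (host, port)
            self.buf += bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0)

    def recv(self, n):
        out, self.buf = self.buf[:n], self.buf[n:]
        return out
```

On the wire the only identifier the client ever emits is the hostname inside the CONNECT request, which is why a hunt for this kind of sample starts at the host rather than the network: look for processes talking to 127.0.0.1 on 9050 or 9150, or for a bundled Tor binary, rather than for a suspicious destination IP.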
microsoft, crypto clipper, malware, usb worm, clipboard hijack, wallet address, seed phrase, tor network, socks5 proxy, screenshots