Microsoft identifies USB worm that hijacks crypto wallets
Microsoft identified a worm that has been spreading via USB drives since February and targets Windows users' crypto wallets. The company calls the malware a "crypto clipper", and Microsoft Defender flags it as Trojan:Win32/CryptoBandits. The infection begins with a malicious .lnk shortcut placed on an infected USB drive.
Plugging in the drive and clicking the shortcut installs the worm, which both runs the wallet-stealing code and waits for a clean USB drive to be connected to the same PC. The malware monitors the Windows clipboard roughly every 500 milliseconds for seed phrases, private keys and recipient addresses, exfiltrates captured data over the Tor network and captures five screenshots ten seconds apart.
It can also silently replace a copied recipient address with an attacker-controlled address before a user pastes it. To propagate, the worm scans clean USB drives and replaces ordinary files with identically named shortcut files, continuing the cycle.
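Two host-side checks that key on the behaviours described above, as an added defender-side illustration; this is not Microsoft's analysis or the malware's code. The first flags a copied crypto address that is swapped for a different address within a fraction of a second, which a human rarely does but a clipper polling the clipboard every few hundred milliseconds does by design. The second walks a removable drive for .lnk files named to look like ordinary documents, the pattern a worm that replaces files with identically named shortcuts leaves behind (Explorer always hides the .lnk extension, so "report.docx.lnk" is displayed as "report.docx"). The address patterns, the clipboard history and the sample drive layout are constructed for the example; on a real machine the events would come from a clipboard-monitoring agent and the scan would be pointed at the mounted drive.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# --- Check 1: clipboard address substitution ---------------------------------

# Loose address shapes for the coins a clipper typically targets. Constructed
# for this example and deliberately permissive: they only need to say "this
# looks like an address", not validate a checksum.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return which address pattern the text matches, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class ClipboardEvent:
    t_ms: int   # time the clipboard content was observed, in milliseconds
    text: str   # the clipboard content at that moment


def detect_substitutions(events, window_ms=1000):
    """Flag consecutive clipboard values that are both addresses of the same
    kind, differ from each other, and changed within window_ms."""
    alerts = []
    for previous, current in zip(events, events[1:]):
        kind_prev, kind_cur = address_kind(previous.text), address_kind(current.text)
        if kind_prev is None or kind_prev != kind_cur:
            continue
        if previous.text.strip() == current.text.strip():
            continue
        delta = current.t_ms - previous.t_ms
        if 0 <= delta <= window_ms:
            alerts.append((previous.text, current.text, delta))
    return alerts


# Constructed clipboard history: the user copies a recipient address and
# 450 ms later the clipboard holds a different address of the same kind.
# The last two entries are a user legitimately copying two addresses about a
# minute apart, which must not be flagged.
SAMPLE_EVENTS = [
    ClipboardEvent(0, "0x" + "a" * 40),
    ClipboardEvent(450, "0x" + "b" * 40),
    ClipboardEvent(30_000, "meeting notes for Tuesday"),
    ClipboardEvent(31_000, "0x" + "c" * 40),
    ClipboardEvent(95_000, "0x" + "d" * 40),
]

# --- Check 2: shortcuts masquerading as documents on a removable drive -------

# File types a user expects to find on a USB stick (constructed list).
DOCUMENT_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".pptx", ".txt",
                       ".jpg", ".png", ".mp4", ".zip"}


def find_masquerading_shortcuts(root):
    """Return every .lnk file under root whose own stem still ends in a
    document extension, i.e. a shortcut named to look like an ordinary file."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".lnk":
            inner_extension = Path(path.stem).suffix.lower()
            if inner_extension in DOCUMENT_EXTENSIONS:
                hits.append(path)
    return sorted(hits)


def build_sample_drive(root):
    """Create a constructed directory tree standing in for a USB drive: two
    shortcuts named like documents, one ordinary shortcut and one real file."""
    root = Path(root)
    (root / "photos").mkdir(parents=True, exist_ok=True)
    for name in ("report.docx.lnk", "photos/holiday.jpg.lnk", "Shortcut to Notepad.lnk"):
        (root / name).write_bytes(b"")  # contents are irrelevant to the name check
    (root / "notes.txt").write_text("real file, not a shortcut")
    return root


if __name__ == "__main__":
    import tempfile
    for original, replacement, delta in detect_substitutions(SAMPLE_EVENTS):
        print(f"address replaced after {delta} ms: {original} -> {replacement}")
    with tempfile.TemporaryDirectory() as tmp:
        for hit in find_masquerading_shortcuts(build_sample_drive(tmp)):
            print(f"shortcut masquerading as a document: {hit.relative_to(tmp)}")
```

The substitution check is a heuristic, not proof: a user who pastes one address and immediately copies another will trip it, so it belongs in an alerting pipeline with the screenshot and Tor-traffic indicators rather than as an automatic block. The shortcut scan catches the naming trick only; a shortcut's actual target would need a parser for the Windows .lnk format, which this example does not include.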