
Microsoft Warns of New USB-Based Malware Targeting Crypto Users


Key Takeaways

Microsoft Alerts About Windows Malware That Changes Cryptocurrency Addresses

The team behind Microsoft Defender, the antimalware tool built into Windows, has warned about a new threat that infects devices through shortcut files, spread mainly on USB drives.

The malware replaces files on removable storage with shortcuts (.lnk files) that trigger the infection when opened, takes countermeasures against detection and removal by antivirus software, and routes its communication with the operators through Tor so that the traffic is anonymized and harder to spot.


The malware also spreads by copying itself to any USB drive inserted into an infected computer, and it runs a process that can carry out various tasks, including changing cryptocurrency addresses that the user copies to the clipboard of the infected device.
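The propagation pattern described above (real files hidden and replaced by a same-named shortcut that launches an interpreter) is something a responder can hunt for directly on a suspect drive. The script below is an added example written for this page, not code from Microsoft's report or from the malware; it assumes the shortcut points at a built-in interpreter and that the original files are still present with the hidden attribute, and the demo folder it builds is a constructed sample (the `.cache\stage.ps1` it references does not exist, so nothing is ever launched).

```powershell
# Added example: hunt a removable drive for the "file replaced by shortcut" pattern.
# Assumptions: the shortcut targets an interpreter and the real file sits hidden beside it.
$script:InterpreterNames = @('cmd.exe','powershell.exe','pwsh.exe','wscript.exe',
                             'cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe')

function Get-ShortcutInfo {
    # Read target/arguments via the WScript.Shell COM object. This only parses the .lnk; nothing runs.
    param([Parameter(Mandatory)][string]$Path)
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($Path)
    [pscustomobject]@{
        Path        = $Path
        Target      = $lnk.TargetPath
        Arguments   = $lnk.Arguments
        WindowStyle = $lnk.WindowStyle   # 7 = minimised, a favourite of USB worms to hide the console
    }
}

function Find-SuspiciousShortcuts {
    # Scan a root (e.g. 'E:\') and emit one row per shortcut with the reasons it looks suspicious.
    param([Parameter(Mandatory)][string]$Root)
    $all    = Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue
    $hidden = @{}
    foreach ($f in $all) {
        if (($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $hidden[$f.FullName.ToLowerInvariant()] = $true }
    }
    foreach ($lnkFile in ($all | Where-Object { $_.Extension -eq '.lnk' })) {
        $info    = Get-ShortcutInfo -Path $lnkFile.FullName
        $target  = [IO.Path]::GetFileName([string]$info.Target).ToLowerInvariant()
        $reasons = @()
        if ($script:InterpreterNames -contains $target) { $reasons += "target is an interpreter ($target)" }
        if ($info.Arguments -match '(?i)(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|(^|\s)/c\s|\biex\b|downloadstring)') {
            $reasons += 'arguments look like a hidden or encoded command line'
        }
        # report.docx.lnk next to a hidden report.docx is the replaced-file signature
        $twin = [IO.Path]::Combine($lnkFile.DirectoryName, [IO.Path]::GetFileNameWithoutExtension($lnkFile.Name))
        if ($hidden.ContainsKey($twin.ToLowerInvariant())) { $reasons += 'a hidden file with the same name sits beside it' }
        if ($info.WindowStyle -eq 7) { $reasons += 'launches minimised' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Shortcut = $lnkFile.FullName; Target = $info.Target
                               Arguments = $info.Arguments; Reasons = ($reasons -join '; ') }
        }
    }
}

function New-DemoInfectedFolder {
    # Constructed sample: recreate the pattern in a temp folder so the scan can be tried offline.
    $root = Join-Path ([IO.Path]::GetTempPath()) ('usbdemo_' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $root | Out-Null
    $doc = Join-Path $root 'report.docx'
    Set-Content -LiteralPath $doc -Value 'placeholder document'
    [IO.File]::SetAttributes($doc, [IO.FileAttributes]::Hidden)
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut((Join-Path $root 'report.docx.lnk'))
    $lnk.TargetPath  = "$env:SystemRoot\System32\cmd.exe"
    # Opens the decoy, then would run a hidden stage that does not exist here (nothing is executed).
    $lnk.Arguments   = '/c start "" report.docx & powershell -w hidden -File .\.cache\stage.ps1'
    $lnk.WindowStyle = 7
    $lnk.Save()
    return $root
}

$demo = New-DemoInfectedFolder
Find-SuspiciousShortcuts -Root $demo | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

Point `Find-SuspiciousShortcuts` at a mounted drive letter to triage real media; the reasons column is deliberately additive, because a shortcut that merely launches `cmd.exe` can be legitimate, while one that also hides a same-named file and a hidden command line almost never is.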

The malware runs continuously on the infected device and scans memory for what Microsoft calls “high-value financial artifacts”: it detects 12- or 24-word BIP39 seed phrases in clipboard data and sends them to the attackers, together with five screenshots that give context about the wallet and the funds it holds.

In addition, the crypto clipper scans memory every 500 milliseconds for addresses of popular cryptocurrencies, including bitcoin, tron, and monero.

If it finds one, it assumes the user has copied it to make a payment and silently swaps it for a look-alike address controlled by the attacker, so that funds sent from the infected device end up in the attacker's wallet.
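The behaviour in the three paragraphs above (seed phrases on the clipboard, address patterns polled every 500 ms, a copied address swapped for a look-alike) can be turned around into a host-side check. The script below is an added example written for this page, not code from Microsoft or from the malware: it classifies clipboard text with the common public address formats for bitcoin, tron and monero, uses a word-count heuristic for seed phrases (the 2048-word BIP39 list is not embedded), and flags the clipper's tell, an address replaced by a different address of the same family within a couple of seconds. The snapshot list is constructed sample data; the live watcher polls at the same 500 ms cadence the report describes.

```powershell
# Added example: detect clipboard address swapping. Address regexes are the usual public formats;
# the seed-phrase check is a heuristic (no BIP39 wordlist embedded).
$script:AddressPatterns = @(
    @{ Family = 'bitcoin'; Pattern = '^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$' }              # P2PKH / P2SH
    @{ Family = 'bitcoin'; Pattern = '^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}$' }  # bech32 / bech32m
    @{ Family = 'tron';    Pattern = '^T[1-9A-HJ-NP-Za-km-z]{33}$' }
    @{ Family = 'monero';  Pattern = '^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$' }
)

function Get-ClipboardArtifact {
    # Classify text as an address family, a probable seed phrase, or $null.
    param([AllowEmptyString()][string]$Text)
    $t = $Text.Trim()
    foreach ($p in $script:AddressPatterns) { if ($t -cmatch $p.Pattern) { return $p.Family } }
    $words = @($t -split '\s+' | Where-Object { $_ })
    if (($words.Count -eq 12 -or $words.Count -eq 24) -and
        @($words | Where-Object { $_ -cnotmatch '^[a-z]{3,8}$' }).Count -eq 0) {
        return 'seed-phrase'   # heuristic: a real check tests every word against the BIP39 list
    }
    return $null
}

function Find-ClipperSwaps {
    # Snapshots are objects with Time (DateTime) and Text. A swap is: same family, different
    # address, within $WindowMs. A user re-copying a new wallet takes seconds; a clipper takes ms.
    param([Parameter(Mandatory)][object[]]$Snapshots, [int]$WindowMs = 2000)
    $hits = @()
    for ($i = 1; $i -lt $Snapshots.Count; $i++) {
        $prev = $Snapshots[$i - 1]; $cur = $Snapshots[$i]
        $fam  = Get-ClipboardArtifact $prev.Text
        if (-not $fam -or $fam -eq 'seed-phrase') { continue }
        if ((Get-ClipboardArtifact $cur.Text) -ne $fam) { continue }
        if ($prev.Text.Trim() -eq $cur.Text.Trim()) { continue }
        $delta = ($cur.Time - $prev.Time).TotalMilliseconds
        if ($delta -le $WindowMs) {
            $hits += [pscustomobject]@{ Family = $fam; Original = $prev.Text.Trim()
                                        Replaced = $cur.Text.Trim(); DeltaMs = [int]$delta }
        }
    }
    return ,$hits
}

function Start-ClipboardWatch {
    # Live monitor at the report's 500 ms cadence. Ctrl+C to stop.
    param([int]$PollMs = 500, [int]$WindowMs = 2000)
    $prev = [pscustomobject]@{ Time = Get-Date; Text = [string](Get-Clipboard -Raw) }
    while ($true) {
        Start-Sleep -Milliseconds $PollMs
        $cur = [pscustomobject]@{ Time = Get-Date; Text = [string](Get-Clipboard -Raw) }
        foreach ($h in (Find-ClipperSwaps -Snapshots @($prev, $cur) -WindowMs $WindowMs)) {
            Write-Warning "Possible clipper: $($h.Family) address $($h.Original) became $($h.Replaced) after $($h.DeltaMs) ms"
        }
        if ((Get-ClipboardArtifact $cur.Text) -eq 'seed-phrase') {
            Write-Warning 'Seed phrase is on the clipboard; clear it once pasted (Set-Clipboard -Value "")'
        }
        $prev = $cur
    }
}

# Constructed sample: payee copied, swapped 600 ms later, then an unrelated copy 34 s after that.
$script:SampleSnapshots = @(
    [pscustomobject]@{ Time = [datetime]'2024-01-01T10:00:00.000'; Text = 'meeting notes, nothing sensitive' }
    [pscustomobject]@{ Time = [datetime]'2024-01-01T10:00:05.000'; Text = '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa' }
    [pscustomobject]@{ Time = [datetime]'2024-01-01T10:00:05.600'; Text = '1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2' }
    [pscustomobject]@{ Time = [datetime]'2024-01-01T10:00:40.000'; Text = 'TJRabPrwbZy45sbavfcjinPJC18kjpRTv8' }
)
Find-ClipperSwaps -Snapshots $script:SampleSnapshots | Format-Table
```

On the sample the only hit is the bitcoin pair 600 ms apart; the tron address is a different family and far outside the window, so it is not reported. The watcher is a tripwire, not a control: it tells you the clipboard changed under you, which is exactly the moment to compare the pasted address against the one you intended to send to.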

“This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking,” the Microsoft Defender team stressed.

To mitigate infections, the team recommends disabling autorun for all removable media and blocking the execution of shortcut files from removable drives, which it identifies as the malware's main propagation vectors.
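The two recommendations above map to machine-wide policy settings, and Defender adds an attack surface reduction rule for the same vector. The script below is an added example for this page, not a Microsoft-supplied script: it writes the Explorer autorun policy values, the "Removable Disks: Deny execute access" policy (Computer Configuration > Administrative Templates > System > Removable Storage Access; the class GUID used here is the one that policy writes, and should be checked against your own ADMX templates), and the Defender ASR rule "Block untrusted and unsigned processes that run from USB", then reads everything back so drift is visible. It must run in an elevated PowerShell on the endpoint.

```powershell
# Added example: apply and verify removable-media hardening. Run elevated.
$script:Explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Key written by the "Removable Disks: Deny execute access" policy (assumption: verify against your ADMX).
$script:RemDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
# Defender ASR rule: Block untrusted and unsigned processes that run from USB
$script:AsrUsb   = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'

function Set-RemovableMediaHardening {
    foreach ($k in $script:Explorer, $script:RemDisks) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # Autorun/AutoPlay off for every drive type (bitmask 0xFF) and autorun.inf ignored.
    Set-ItemProperty -Path $script:Explorer -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Set-ItemProperty -Path $script:Explorer -Name NoAutorun          -Value 1    -Type DWord
    # Deny execute access on removable disks: files stored on the drive cannot be launched from it.
    Set-ItemProperty -Path $script:RemDisks -Name Deny_Execute -Value 1 -Type DWord
    # ASR rule in block mode. Use -AttackSurfaceReductionRules_Actions AuditMode first to measure impact.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $script:AsrUsb -AttackSurfaceReductionRules_Actions Enabled
}

function Test-RemovableMediaHardening {
    # One row per control with its current state.
    $ex  = Get-ItemProperty -Path $script:Explorer -ErrorAction SilentlyContinue
    $rd  = Get-ItemProperty -Path $script:RemDisks -ErrorAction SilentlyContinue
    $mp  = Get-MpPreference
    $ids = @($mp.AttackSurfaceReductionRules_Ids)
    $idx = -1
    for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i] -ieq $script:AsrUsb) { $idx = $i } }
    [pscustomobject]@{ Control = 'NoDriveTypeAutoRun = 0xFF';           Ok = ($ex.NoDriveTypeAutoRun -eq 0xFF) }
    [pscustomobject]@{ Control = 'NoAutorun = 1';                       Ok = ($ex.NoAutorun -eq 1) }
    [pscustomobject]@{ Control = 'Removable disks Deny_Execute = 1';    Ok = ($rd.Deny_Execute -eq 1) }
    [pscustomobject]@{ Control = "ASR $($script:AsrUsb) = Block";       Ok = ($idx -ge 0 -and $mp.AttackSurfaceReductionRules_Actions[$idx] -eq 1) }
}

Set-RemovableMediaHardening
Test-RemovableMediaHardening | Format-Table -AutoSize
```

One caveat worth keeping in mind: a malicious .lnk usually points at an interpreter that already lives on the system drive and only passes the USB path as an argument, so denying execution from the removable disk alone does not stop every shortcut. Pair it with the ASR rule and with your existing script-execution controls, and treat a shortcut named after a document as a signal in its own right.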


