Microsoft discovers Crypto Clipper malware stealing cryptocurrency
Microsoft detects self-propagating malware spreading through USB drives to steal cryptocurrency credentials.

Microsoft says it has detected new self-propagating malware that spreads through USB drives in search of cryptocurrency credentials, which it then sends to attacker-controlled servers. The company named the worm Crypto Clipper because it monitors the contents of device clipboards for patterns consistent with wallet addresses or seed phrases. When found, the malware also takes five screenshots over a 10-second period.
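The clipboard pattern checks the article attributes to Crypto Clipper are the same checks a defender can run in the other direction. The following is an added example, not Microsoft's or Ars Technica's code and not derived from the malware: a classifier that an endpoint DLP agent or a user-warning tool could apply to clipboard text to alert when a wallet address or a seed-phrase-like word list has been copied. The address formats covered (Ethereum 0x-hex, Bitcoin base58check and bech32) and the sample strings are assumptions for the demonstration; the article does not say which wallet formats the malware looks for.

```python
"""Classifier for clipboard text that looks like cryptocurrency wallet material.

Added example (not Microsoft's, Ars Technica's or the malware's code). It runs
the kind of pattern checks the article describes, but from the defender's
side: a DLP agent or awareness tool can use it to warn the user when a seed
phrase or wallet address lands in the clipboard. All sample values are
constructed; the address formats checked are an assumption of this example.
"""
import hashlib
import re
from typing import Optional

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_HEX40 = re.compile(r"^0x[0-9a-fA-F]{40}$")          # Ethereum-style address
_BECH32 = re.compile(r"^bc1[02-9ac-hj-np-z]{25,87}$")  # bech32 charset: no 1, b, i, o
_B58_ADDR = re.compile("^[13][" + _B58 + "]{25,34}$")  # P2PKH / P2SH shape
_WORDS = re.compile(r"^[a-z]+(?: [a-z]+)+$")          # lowercase words only


def _b58_checksum_ok(addr: str) -> bool:
    """Decode a base58check string and verify its 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + _B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' in base58 encodes one leading zero byte.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + raw
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def classify_clipboard(text: str) -> Optional[str]:
    """Return a label if the clipboard text looks like wallet material, else None."""
    t = text.strip()
    if _HEX40.match(t):
        return "eth-address"
    if _BECH32.match(t.lower()):
        # Structural check only; a full bech32 checksum would tighten this.
        return "btc-bech32-address"
    if _B58_ADDR.match(t) and _b58_checksum_ok(t):
        return "btc-base58-address"
    # Seed phrases are 12 to 24 lowercase dictionary words; this checks the shape.
    words = t.lower().split()
    if _WORDS.match(" ".join(words)) and len(words) in (12, 15, 18, 21, 24):
        return "possible-seed-phrase"
    return None


if __name__ == "__main__":
    # Constructed samples: the genesis-block address, a BIP173 test vector,
    # a fabricated hex address and a placeholder 12-word phrase.
    for sample in (
        "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
        "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
        "0x" + "ab" * 20,
        " ".join(["abandon"] * 11 + ["about"]),
        "the quick brown fox jumps over the lazy dog",
    ):
        print(f"{sample[:32]:<34} -> {classify_clipboard(sample)}")
```

The seed-phrase branch only checks word count and character class, so ordinary sentences of exactly 12 or 24 words will trigger it; a production detector would also require every word to be in the BIP39 wordlist, which is too large to embed here.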
Both the credentials and the screenshots are then sent to the attacker over Tor, an anonymity network that routes traffic through several relays so that no single node's logs capture both the sending and the receiving IP address. Crypto Clipper reaches Tor through a SOCKS5 proxy; SOCKS5 is a proxy protocol in which a client hands its connections to a proxy server, which then forwards them to their final destination. “The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure,” Microsoft said Thursday.
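To make the SOCKS5 step concrete, here is an added example (not code from Microsoft, Ars Technica or the malware) that parses the SOCKS5 greeting and CONNECT request defined in RFC 1928, which is the exchange a local Tor client expects from software that uses it as a proxy. A SOCKS5 handshake sent to a local port by a process that has no business using a proxy is the kind of signal endpoint detection can alert on. The `.onion` name and the byte samples are constructed placeholders.

```python
"""Parse the SOCKS5 handshake (RFC 1928) as used by software talking to a local Tor client.

Added example; not code from Microsoft, Ars Technica or the malware. The
sample bytes are constructed, and the .onion hostname is a placeholder.
"""
import struct
from typing import List, Optional, Tuple

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_greeting(data: bytes) -> Optional[List[int]]:
    """Client greeting: VER NMETHODS METHODS...  Returns the offered auth methods or None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if len(data) != 2 + nmethods:
        return None
    return list(data[2:])


def parse_connect(data: bytes) -> Optional[Tuple[str, str, int]]:
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT.

    Returns (command, host, port), or None if the bytes are not a well-formed request.
    """
    if len(data) < 7 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd = CMD_NAMES.get(data[1])
    if cmd is None:
        return None
    atyp = data[3]
    if atyp == 0x01:  # IPv4: 4 address bytes
        if len(data) < 4 + 4 + 2:
            return None
        host = ".".join(str(b) for b in data[4:8])
        end = 8
    elif atyp == 0x03:  # domain name: 1 length byte, then the name (how Tor gets .onion names)
        n = data[4]
        if len(data) < 5 + n + 2:
            return None
        host = data[5:5 + n].decode("ascii", "replace")
        end = 5 + n
    elif atyp == 0x04:  # IPv6: 16 address bytes
        if len(data) < 4 + 16 + 2:
            return None
        raw = data[4:20]
        host = ":".join(f"{raw[i]:02x}{raw[i + 1]:02x}" for i in range(0, 16, 2))
        end = 20
    else:
        return None
    if len(data) != end + 2:
        return None
    port = struct.unpack("!H", data[end:end + 2])[0]
    return cmd, host, port


def build_connect(host: str, port: int) -> bytes:
    """Build a domain-name CONNECT request, the form a client sends to a local SOCKS5 proxy."""
    h = host.encode("ascii")
    return bytes([SOCKS_VERSION, 0x01, 0x00, 0x03, len(h)]) + h + struct.pack("!H", port)


def is_socks5_handshake(payload: bytes) -> bool:
    """First-packet heuristic for detection: a SOCKS5 greeting offering 'no authentication' (0x00)."""
    methods = parse_greeting(payload)
    return methods is not None and 0x00 in methods


# Constructed samples: a greeting offering no-auth, then a CONNECT to a placeholder .onion name.
SAMPLE_GREETING = bytes([0x05, 0x01, 0x00])
SAMPLE_CONNECT = build_connect("placeholder-hidden-service.onion", 443)

if __name__ == "__main__":
    print("greeting is SOCKS5:", is_socks5_handshake(SAMPLE_GREETING))
    print("request:", parse_connect(SAMPLE_CONNECT))
```

Tor's SOCKS listener expects the domain-name address type (0x03) so that the name resolution happens inside the Tor network rather than on the local resolver; a detection rule that sees a 0x03 request carrying a `.onion` name to a local port has identified Tor use without needing to see any external IP address.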
“Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.”

The discovery of Crypto Clipper highlights the evolving threats to cryptocurrency users in particular. Its ability to spread through USB drives and to evade traditional detection poses significant risk to individuals and businesses that handle cryptocurrency. Because the malware can establish a remote connection with its operators over Tor, they can reach the stolen information without being easily tracked.
The use of a portable Tor client and SOCKS5 proxy further complicates detection and mitigation efforts. For developers and businesses, this underscores the need for enhanced security measures, such as more robust endpoint protection and user education on safe practices when handling cryptocurrency. For consumers, it's a reminder to remain vigilant about the devices they use for cryptocurrency transactions and to consider using additional security software to protect against such threats.
The impact of Crypto Clipper also raises questions about the future of cryptocurrency security and whether current measures are sufficient to combat increasingly sophisticated attacks.
Source: Ars Technica