Microsoft finds USB worm stealing cryptocurrency via Tor

Critical security alert: a new USB-borne worm is redirecting cryptocurrency payments by hijacking the Windows clipboard.
30-Second TL;DR
What Changed
A new self-propagating USB worm watches the Windows clipboard and swaps copied cryptocurrency wallet addresses for attacker-controlled ones.
Why It Matters
Anyone who copies and pastes wallet addresses on Windows, including developers and traders, can have a payment silently redirected: the address is replaced while it sits in the clipboard, so what lands in the wallet's send field is already the attacker's.
What To Do Next
Confirm that AutoRun/AutoPlay is disabled for removable drives (it is off by default since Windows 7, but check the NoDriveTypeAutoRun policy), show hidden and system files before opening anything on a USB stick, and audit hosts for unexpected tor.exe processes, local SOCKS listeners on 127.0.0.1:9050 or 9150, and unfamiliar entries under the HKCU and HKLM Software\Microsoft\Windows\CurrentVersion\Run keys.
Deep Insight
AI-generated analysis for this event.
Enhanced Key Takeaways
- The malware, identified by Microsoft researchers as 'USB-Stealer-X', uses clipboard hijacking: it watches the clipboard for text that looks like a wallet address and replaces it, in real time, with an attacker-controlled address of the same format, so the victim's wallet accepts the paste without complaint.
- Analysis reveals the malware bundles a legitimate, signed portable Tor binary and routes command-and-control (C2) traffic through the local SOCKS5 proxy it exposes; to a perimeter firewall this looks like ordinary Tor use rather than custom C2. Tor relay addresses are public, though, so Tor connections from an unexpected process are a practical network-level detection.
- Propagation relies on AutoRun where it is still enabled and, more commonly, on LNK (shortcut) files planted on the drive to mimic its folders or documents. AutoRun is disabled for USB drives by default on Windows 7 and later, so on a current system infection normally requires the user to open one of the planted shortcuts.
- Microsoft's telemetry indicates the campaign primarily targets users in Eastern Europe and Southeast Asia, with a specific focus on high-frequency cryptocurrency trading platforms.
- A persistence module adds an entry under the Windows Registry Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run or the HKLM equivalent) so the malicious process restarts automatically after a reboot.
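The swap described above can be caught from the defender's side by the same pattern matching, applied in reverse. The following Python script is an added example, not code from the original report or from Microsoft: it classifies clipboard contents by wallet address format (constructed, approximate regexes) and flags the hijacker's signature, a copied address replaced by a different address of the same family within a fraction of a second. The clipboard history is constructed sample data; on a real Windows host the events would come from a clipboard-change listener.

```python
import re
from dataclasses import dataclass

# Approximate, constructed address-format patterns (not taken from the original report).
# Order matters: legacy Bitcoin and Solana are both base58 and overlap, so the stricter
# Bitcoin prefixes are tried first.
ADDRESS_PATTERNS = (
    ("bitcoin_bech32", re.compile(r"^bc1[qp][ac-hj-np-z02-9]{38,58}$")),
    ("bitcoin_legacy", re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")),
    ("ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("solana", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
)
MAX_SWAP_DELTA_S = 1.0   # a human does not copy two different addresses within a second


def classify(text):
    """Return the wallet-address family the clipboard text matches, or None."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS:
        if pattern.match(s):
            return name
    return None


@dataclass
class Swap:
    original: str
    replacement: str
    family: str
    delta_s: float


def detect_swaps(events, max_delta_s=MAX_SWAP_DELTA_S):
    """events: (timestamp_seconds, clipboard_text) pairs, one per clipboard change.

    A hijacker overwrites a freshly copied address with a different address of the
    same family almost instantly; that is the signature flagged here."""
    swaps = []
    prev = None   # (timestamp, text, family) of the previous clipboard change
    for t, text in events:
        fam = classify(text)
        if prev is not None:
            pt, ptext, pfam = prev
            if fam is not None and fam == pfam and text.strip() != ptext.strip() \
                    and t - pt <= max_delta_s:
                swaps.append(Swap(ptext.strip(), text.strip(), fam, round(t - pt, 3)))
        prev = (t, text, fam)
    return swaps


# Constructed clipboard history: a normal copy, a hijacked Ethereum address, then a user
# legitimately copying two Bitcoin addresses 15 s apart.
USER_ETH = "0x" + "a1" * 20
ATTACKER_ETH = "0x" + "b2" * 20
SAMPLE_EVENTS = [
    (0.00, "meeting notes for Tuesday"),
    (5.20, USER_ETH),
    (5.25, ATTACKER_ETH),           # replaced 50 ms after the user's copy
    (40.00, "bc1q" + "q" * 38),
    (55.00, "bc1q" + "z" * 38),     # a second, different address, but 15 s later
    (60.00, "hello"),
]

if __name__ == "__main__":
    for swap in detect_swaps(SAMPLE_EVENTS):
        print(f"{swap.family}: {swap.original} -> {swap.replacement} after {swap.delta_s}s")
```

The timing threshold is the key design choice: the regexes alone only say "this is an address", which is exactly what the user intended to copy. Only a second, different address of the same family appearing almost immediately distinguishes a hijack from ordinary use, and on a live host the alert should also capture which process owned the clipboard at that moment.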
Technical Deep Dive
- Propagation: LNK files with misleading names and icons launch a PowerShell script stored in hidden system folders on the USB drive, so the stick appears to hold only the victim's own files.
- Exfiltration: a hardcoded list of Tor entry nodes is used to bypass geo-blocking of Tor and to keep the exfiltration path opaque to network-level traffic analysis.
- Clipboard Monitoring: polls the Windows clipboard API (OpenClipboard and GetClipboardData) for text matching common wallet address formats (Bitcoin, Ethereum and Solana among them) and writes the replacement address back with SetClipboardData.
- Evasion: anti-sandbox and anti-VM checks read the network adapter's MAC address (VMware and VirtualBox assign adapters from well-known OUIs such as 00:0C:29 and 08:00:27) and look for registry keys left by virtualization software such as VMware or VirtualBox.
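When triaging a suspect USB stick, the shortcut files themselves can be parsed offline instead of being clicked. The Python below is an added example, not code from the original report or from Microsoft: it builds two constructed Shell Link (.lnk) blobs, parses the fixed 76-byte header and the StringData that carries the target path, arguments and icon location (per the MS-SHLLINK layout), and applies heuristics for the disguise described above: a script host as the target, hidden-window or encoded PowerShell arguments, a minimised window, and a system icon masking the executable. The command line in the sample is illustrative, not one observed in this campaign.

```python
import re
import struct
import uuid

# MS-SHLLINK constants: header CLSID, LinkFlags bits, ShowCommand value
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7   # window starts minimised and unfocused, typical for lure shortcuts

# StringData fields appear in this fixed order, each only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
SUSPICIOUS_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-nop\b|\biex\b|invoke-expression"
    r"|attrib\s+[+-][hs])", re.I)
SYSTEM_ICONS = ("shell32.dll", "imageres.dll", "explorer.exe")


def build_lnk(relative_path, arguments, icon_location, show_command=1):
    """Constructed minimal .lnk (header + StringData only), used as sample input."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def s(text):   # CountCharacters (uint16) followed by UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + s(relative_path) + s(arguments) + s(icon_location)


def parse_lnk(data):
    """Parse header, skip IDList/LinkInfo if present, and decode the StringData."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID.bytes_le:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (uint16) + items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (uint32) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "show_command": show_command}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            nbytes = count * 2 if unicode else count
            raw = data[off:off + nbytes]
            info[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
            off += nbytes
    return info


def triage_lnk(info):
    """Return the list of reasons a parsed shortcut looks like a USB lure (empty if clean)."""
    reasons = []
    target = (info.get("relative_path") or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target in SCRIPT_HOSTS:
        reasons.append(f"shortcut launches script host {target}")
    m = SUSPICIOUS_ARGS.search(info.get("arguments") or "")
    if m:
        reasons.append(f"suspicious argument {m.group(0)!r}")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window opens minimised (SW_SHOWMINNOACTIVE), hiding the console")
    icon = (info.get("icon_location") or "").lower()
    if target in SCRIPT_HOSTS and any(name in icon for name in SYSTEM_ICONS):
        reasons.append("script host disguised with a system/folder icon")
    return reasons


# Constructed samples: a lure pointing at PowerShell with an illustrative hidden-window
# command line (not one observed in this campaign), and an ordinary application shortcut.
MALICIOUS_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-w hidden -nop -c "iex (gc .\System\run.txt -Raw)"',
    r"%SystemRoot%\System32\shell32.dll",
    show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\..\Program Files\7-Zip\7zFM.exe", "", "")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        info = parse_lnk(blob)
        print(label, info.get("relative_path"), triage_lnk(info) or "clean")
```

Real lures usually carry a LinkTargetIDList and LinkInfo as well; the parser skips both by their declared sizes, so the same string extraction works on shortcuts copied from an infected drive. Run it against every .lnk on the stick before anything on it is opened.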
AI-curated news aggregator. All content rights belong to original publishers.
Original source: The Next Web (TNW)