Malicious actors targeting cryptocurrency wallets are distributing clipboard-hijacking ("clipper") malware with self-propagating, worm-like capabilities, and they use the Tor network to conceal its communications.
The campaign has been active since at least February and relies on LNK (Windows shortcut) files on USB drives to deliver the clipper, which monitors clipboard contents and replaces cryptocurrency wallet addresses with ones controlled by the attacker.
It also watches the clipboard for seed phrases and private keys and can capture screenshots, all of which are exfiltrated over Tor.
Infection and worm propagation
According to Microsoft, the infection begins when the victim opens the LNK file, which launches the malware from the USB drive. Additional payloads are then downloaded from a .onion address.
The malware next scans the local system for document files. When it finds them, it hides the originals and replaces them with malicious shortcuts bearing the same names, so the malware runs again whenever the user tries to open one of those documents.
The worm also creates a scheduled task that watches for newly connected USB storage devices. When a removable drive is plugged in, the malware copies itself to the drive and creates further malicious shortcut files on it.
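The document-shadowing step leaves a recognisable file-system artefact: a shortcut whose name matches a document in the same folder (Explorer hides the .lnk extension by default, so the pair looks like one file). The following script is an added example, not Microsoft's code or anything from the campaign; it walks a directory tree, reports every such shortcut/document pair and, on Windows, whether the document carries the hidden attribute. The sample tree it builds (budget.xlsx, policy.pdf and their shortcuts) is constructed test data, and the hidden-attribute check returns False on non-Windows systems. Checking the scheduled task the worm registers is a separate step that this block does not cover.

```python
import os
import stat
import tempfile
from pathlib import Path

# Document types the clipper is described as targeting for shortcut replacement (assumed list).
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}


def is_hidden(path):
    """True if the file has the Windows hidden attribute; always False on other platforms."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_shadowed_documents(root):
    """Return sorted (shortcut, document, document_hidden) triples, paths relative to root.

    A 'report.lnk' or 'report.docx.lnk' sitting beside 'report.docx' in the same directory
    is the pattern the worm leaves behind after hiding the original document.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        docs_by_key = {}
        for name in filenames:
            p = Path(name)
            if p.suffix.lower() in DOC_EXTENSIONS:
                # Index under both the bare stem ('report') and the full name ('report.docx')
                # so that either shortcut naming style is caught.
                docs_by_key.setdefault(p.stem.lower(), []).append(name)
                docs_by_key.setdefault(name.lower(), []).append(name)
        for name in filenames:
            p = Path(name)
            if p.suffix.lower() != ".lnk":
                continue
            for doc in docs_by_key.get(p.stem.lower(), []):
                doc_path = os.path.join(dirpath, doc)
                hits.append((
                    os.path.relpath(os.path.join(dirpath, name), root),
                    os.path.relpath(doc_path, root),
                    is_hidden(doc_path),
                ))
    return sorted(hits)


def build_sample_tree(base):
    """Create a constructed layout resembling an affected share (inert test data, not malware)."""
    base = Path(base)
    (base / "Finance").mkdir(parents=True)
    (base / "Finance" / "budget.xlsx").write_bytes(b"PK")            # original document
    (base / "Finance" / "budget.lnk").write_bytes(b"L\x00\x00\x00")  # shortcut shadowing it
    (base / "HR").mkdir()
    (base / "HR" / "policy.pdf").write_bytes(b"%PDF")
    (base / "HR" / "policy.pdf.lnk").write_bytes(b"L\x00\x00\x00")   # full-name style
    (base / "HR" / "Installer.lnk").write_bytes(b"L\x00\x00\x00")    # no matching document: ignored
    (base / "readme.txt").write_text("benign")


def demo():
    """Run the scan over the constructed tree; returns (shortcut, document) pairs with '/' separators."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(lnk.replace(os.sep, "/"), doc.replace(os.sep, "/"))
                for lnk, doc, _hidden in find_shadowed_documents(tmp)]


if __name__ == "__main__":
    for shortcut, document in demo():
        print(f"shortcut {shortcut} shadows {document}")
```

Run it against a real share with `find_shadowed_documents(r"\\server\share")`; any pair where the document is hidden and the shortcut is not deserves a look at the shortcut's target.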
Execution flow overview
Source: Microsoft
Stealer component
The stealer component runs only after verifying that Task Manager is not open, and then establishes communication with the command-and-control (C2) host through a bundled Tor executable (ugate.exe).
Every half-second, the malware checks the clipboard for the following data:
12-word BIP39 seed phrases
24-word BIP39 seed phrases
Ethereum private keys
Bitcoin WIF keys
Bitcoin Legacy, P2SH, Bech32, and Taproot wallet addresses
Tron wallet addresses
Monero wallet addresses
The replacement address is chosen from the attackers' pool so that its leading characters match those of the address being swapped out, reducing the chance that the user notices the substitution with a quick glance.
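The two behaviours just described, classifying clipboard text into the listed item types and choosing a look-alike replacement by longest shared prefix, can be modelled in a few dozen lines. The block below is an added example written for this article, not Microsoft's analysis code or the malware's own logic; the regular expressions are my approximations of each format (the BIP39 check only tests word count and shape, not the 2048-word list or checksum), and the attacker address pool and clipboard samples are constructed. It is useful both for reasoning about how the clipper picks its substitute and as the matching core of a clipboard-history or DLP rule.

```python
import re

# Base58 (Bitcoin, Tron, Monero) omits 0, O, I and l; Bech32 (bc1...) uses its own 32-symbol alphabet.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
BECH32 = r"[qpzry9x8gf2tvdw0s3jn54khce6mua7l]"

# One label and anchored pattern per item type from the article's list. Order matters:
# secrets are tested before addresses and the first match wins. Patterns are approximations.
PATTERNS = [
    ("bip39_seed_12", re.compile(r"^[a-z]{3,8}(?: [a-z]{3,8}){11}$")),
    ("bip39_seed_24", re.compile(r"^[a-z]{3,8}(?: [a-z]{3,8}){23}$")),
    ("ethereum_private_key", re.compile(r"^(?:0x)?[0-9a-fA-F]{64}$")),
    ("bitcoin_wif", re.compile(rf"^(?:5{B58}{{50}}|[KL]{B58}{{51}})$")),
    ("bitcoin_legacy_p2pkh", re.compile(rf"^1{B58}{{25,34}}$")),
    ("bitcoin_p2sh", re.compile(rf"^3{B58}{{25,34}}$")),
    ("bitcoin_bech32", re.compile(rf"^bc1q{BECH32}{{38,58}}$")),
    ("bitcoin_taproot", re.compile(rf"^bc1p{BECH32}{{58}}$")),
    ("tron", re.compile(rf"^T{B58}{{33}}$")),
    ("monero", re.compile(rf"^[48]{B58}{{94}}$")),
]
SECRET_KINDS = {"bip39_seed_12", "bip39_seed_24", "ethereum_private_key", "bitcoin_wif"}


def classify(text):
    """Return the label of the first pattern the stripped clipboard text matches, else None."""
    s = text.strip()
    for label, rx in PATTERNS:
        if rx.match(s):
            return label
    return None


def common_prefix_len(a, b):
    """Number of leading characters the two strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def pick_lookalike(victim_address, attacker_pool):
    """Choose the attacker address of the same type that shares the longest leading prefix."""
    kind = classify(victim_address)
    same_kind = [a for a in attacker_pool if classify(a) == kind]
    if not same_kind:
        return None
    return max(same_kind, key=lambda a: common_prefix_len(victim_address, a))


def clipper_poll(clipboard_text, attacker_pool):
    """Model one polling round.

    Returns ('steal', kind, text) for secrets, ('swap', kind, new_text) for an address
    with a same-type look-alike in the pool, or None when the clipboard is left alone.
    """
    kind = classify(clipboard_text)
    if kind is None:
        return None
    if kind in SECRET_KINDS:
        return ("steal", kind, clipboard_text.strip())
    replacement = pick_lookalike(clipboard_text.strip(), attacker_pool)
    if replacement is None:
        return None
    return ("swap", kind, replacement)


# Constructed attacker pool: two legacy Bitcoin addresses with different prefixes and one Bech32.
ATTACKER_POOL = ["1AbZ" + "x" * 30, "1AcZ" + "x" * 30, "bc1q" + "z" * 38]

if __name__ == "__main__":
    for sample in ["1AbQ" + "y" * 30, "0x" + "a" * 64, "T" + "C" * 33, "meeting at noon"]:
        print(repr(sample[:12]), "->", clipper_poll(sample, ATTACKER_POOL))
```

For detection, run `classify` over clipboard-history or paste events and alert on any result in `SECRET_KINDS`; for address swaps, the only reliable user-side check is comparing the full pasted address, not its first few characters, since those are exactly what the selection step preserves.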
Function to replace wallet address
Source: Microsoft
In addition to monitoring the clipboard, the malware also captures five…
