USB worm spreads crypto-stealing malware through Windows shortcut files

A USB-based worm has been spreading clipboard-stealing malware that targets cryptocurrency wallets and uses the Tor network to hide communication, according to a technical analysis published after activity observed since at least February.

KEY FACTS

  • Delivery: The campaign uses LNK shortcut files on USB drives to start the malware.
  • Theft: The clipper monitors clipboard contents and swaps wallet addresses with attacker-controlled ones.
  • Stealing: It also looks for seed phrases, private keys, and screenshots.
  • Spread: The worm copies itself to newly connected removable drives and creates more malicious shortcuts.
  • Network use: Communications are routed through Tor and a .onion address.

The infection chain begins when a victim opens the shortcut file, which triggers code staged from a .onion address. The malware then scans the system for document files, hides the originals, and replaces them with shortcut files that use the same names.

A scheduled task watches for new USB storage devices. When a removable drive appears, the worm copies itself to the device and adds more malicious shortcuts, which helps it continue spreading between systems.

The report says the stealer checks whether Task Manager is inactive before contacting its command-and-control host through a Tor executable named ugate.exe. Every half second, it inspects the clipboard for 12-word and 24-word BIP39 seed phrases, Ethereum private keys, Bitcoin wallet formats, Tron addresses and Monero addresses.

It also captures five screenshots every 10 seconds and sends them out with curl. The disclosure says the malware can support remote code execution through a C2 EVAL instruction that downloads JavaScript into a file named cfile and runs it on the infected system.

Microsoft said the strongest signs of infection are behavioral rather than signature-based. It recommended watching for activity from wscript.exe and cscript.exe, unexpected launches of curl, PowerShell and cmd.exe, and connections to localhost:9050 or other Tor proxy activity.
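The behavioral indicators above translate directly into triage rules over endpoint telemetry. The following Python script is an added example written for this article, not code from Microsoft or the analysis it cites: it runs three rules (a script host starting, a script host spawning curl, PowerShell or cmd.exe, and any process connecting to the loopback Tor SOCKS port 9050) over a handful of constructed, Sysmon-like event records. The event fields, process IDs, paths and the placeholder .onion URL are all invented for the example.

```python
import collections
from dataclasses import dataclass

# Indicators taken from the article's detection guidance.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBIN_CHILDREN = {"curl.exe", "powershell.exe", "cmd.exe"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TOR_SOCKS_PORT = 9050  # localhost:9050 as named in the article


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path; works when run on any host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events):
    """Apply the three behavioral rules to a list of event dicts and return the alerts."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            image = image_name(ev["image"])
            parent = image_name(ev.get("parent_image", ""))
            if image in SCRIPT_HOSTS:
                alerts.append(Alert("script_host_launch", ev["pid"],
                                    f"{image} started by {parent}: {ev.get('cmdline', '')}"))
            if parent in SCRIPT_HOSTS and image in LOLBIN_CHILDREN:
                alerts.append(Alert("script_host_spawned_lolbin", ev["pid"],
                                    f"{parent} spawned {image}: {ev.get('cmdline', '')}"))
        elif ev["type"] == "network":
            if ev["dest"].lower() in LOOPBACK and ev["dest_port"] == TOR_SOCKS_PORT:
                alerts.append(Alert("tor_proxy_connection", ev["pid"],
                                    f"{image_name(ev['image'])} -> {ev['dest']}:{ev['dest_port']}"))
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. {'script_host_launch': 1, ...}."""
    return dict(collections.Counter(a.rule for a in alerts))


# Constructed sample telemetry (Sysmon-like fields invented for this example).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 201, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe //B "E:\Quarterly_Report.js"'},   # LNK-launched script host
    {"type": "process", "pid": 202, "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "curl.exe -s -x socks5h://127.0.0.1:9050 http://PLACEHOLDER.onion/"},
    {"type": "process", "pid": 203, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\cscript.exe",
     "cmdline": "cmd.exe /c schtasks /query"},
    {"type": "process", "pid": 204,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe"},           # interactive use, no script-host parent: no alert
    {"type": "network", "pid": 202, "image": r"C:\Windows\System32\curl.exe",
     "dest": "127.0.0.1", "dest_port": 9050},  # Tor SOCKS proxy on loopback
    {"type": "network", "pid": 305, "image": r"C:\Program Files\Browser\browser.exe",
     "dest": "203.0.113.10", "dest_port": 443},  # ordinary HTTPS: no alert
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

Running the script yields four alerts: one script host launch, two script-host-spawned tools (curl and cmd.exe) and one loopback connection to port 9050. The interactive PowerShell and the browser's HTTPS session pass through untouched, which is the point of pairing the parent-child rule with the port rule rather than flagging every PowerShell or curl start on its own.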

WHY IT MATTERS

The campaign combines self-spreading behavior with wallet theft, which can make infections harder to spot and contain. Its use of removable media and Tor also complicates detection on networks where USB devices and encrypted proxy traffic are allowed.