According to Microsoft’s cybersecurity researchers, there is a new sophisticated cryptocurrency theft campaign.
"CryptoBandits," which is the quirky name of the aforementioned campaign, takes typical "clipper" malware to a whole new level.
Traditional "clipper" malware has been around for ages. If it detects that you have copied a cryptocurrency wallet address, it swaps it out for the attacker’s address.
The new malware replaces copied crypto addresses with the attacker's wallet. It spreads via infected USB drives by disguising itself as regular documents. Moreover, communications are routed through a hidden "dark web" Tor network.
After ending up on the victim's computer, the malware, which gets through via a USB, searches for common files (like .doc, .pdf, or .xlsx), hides them, and creates malicious shortcut files (.lnk) with the exact same names. Double-clicking the shortcut silently launches the infection.
Then, a portable Tor client gets installed to route all its internet traffic via a hidden proxy.
It checks the clipboard of its potential victim every half-second for "seed phrases" and replaces it with a similar address (which, of course, is malicious).
What makes it so potent
Notably, the campaign does not rely on massive installer files that can be easily detected. It actually uses built-in Windows scripting tools, which is exactly why it is so potent. This makes it extremely difficult for antivirus software to catch simply by scanning files.
How to protect yourself
PC users have been advised to be USB-cautious, meaning that they should think carefully before sticking unknown flash drives into their computers. One should always double-check addresses and never rely solely on one's clipboard. Finally, one should also take care of their security tools, making sure that Microsoft Defender remains up to date.
U.Today Editorial Team
Dan Burgin
