Microsoft Warns of USB Malware That Replaces Cryptocurrency Wallet Addresses


Microsoft has warned about an active malware campaign targeting cryptocurrency users through clipboard hijacking and infected USB drives. The campaign, which researchers say has been active since at least February, can silently replace copied cryptocurrency wallet addresses with attacker-controlled addresses, potentially redirecting funds to cybercriminals.

According to Microsoft’s security researchers, the malware spreads through malicious LNK shortcut files placed on removable USB drives. When a victim opens one of these shortcut files, malicious code executes directly from the USB device and downloads additional payloads through a Tor-based infrastructure.

Malware Spreads Through Fake Document Shortcuts

After infecting a system, the malware searches for document files stored on the computer. It then hides the legitimate files and replaces them with malicious shortcut files that use the same names and icons.

As a result, users who attempt to open what appears to be a normal document unknowingly execute the malware instead.

The malware also establishes persistence by creating a scheduled task that monitors for newly connected USB drives. When a removable drive is detected, the malware copies itself to the device and creates additional malicious shortcut files, allowing it to spread to other systems.

Clipboard Hijacking Targets Cryptocurrency Wallets

One of the most dangerous components of the malware is its clipboard-stealing functionality.

Microsoft says the malware monitors clipboard contents every half-second, looking for cryptocurrency-related information. When it detects a wallet address, it replaces the copied address with one controlled by the attacker.

The malware can identify a wide range of cryptocurrency data, including BIP39 seed phrases used for wallet recovery, Ethereum private keys, Bitcoin Wallet Import Format (WIF) keys, and cryptocurrency wallet addresses across multiple blockchains.

Researchers observed support for several popular cryptocurrencies, including Bitcoin, Ethereum, Tron, and Monero.

To avoid raising suspicion, the attacker-controlled replacement addresses are designed to partially resemble the original wallet addresses, making fraudulent transactions harder to detect during quick visual checks.
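A defender-side illustration of the clipboard behaviour described above, added here as an example (it is not Microsoft's or BleepingComputer's code): it classifies clipboard text by the chains named in the report, flags an address that is replaced by a different address of the same chain within the half-second polling window, and notes when the replacement shares the original's first or last characters, which is exactly the case a quick glance at the ends of an address would miss. The address regexes and the snapshot list are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed, rough address shapes for the chains the report names; these are
# classifiers for clipboard text, not full checksum validators.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "monero": re.compile(r"^[48][0-9A-Za-z]{94}$"),
}

def classify(text):
    """Return the chain a clipboard string looks like, or None."""
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return chain
    return None

@dataclass
class Swap:
    chain: str
    original: str
    replacement: str
    lookalike: bool  # replacement keeps the original's first or last 4 characters

def detect_swaps(snapshots, window=0.5):
    """snapshots: list of (seconds, clipboard_text) taken by a monitor.
    A hijacker that polls every half-second produces an address replaced by a
    different address of the same chain inside that window, with no user action."""
    swaps = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        chain = classify(before)
        if chain and classify(after) == chain and before != after and t1 - t0 <= window:
            lookalike = before[:4] == after[:4] or before[-4:] == after[-4:]
            swaps.append(Swap(chain, before, after, lookalike))
    return swaps

if __name__ == "__main__":
    # Constructed sequence: an Ethereum address is copied and silently replaced
    # 0.3 s later by one that shares its last four characters.
    sample = [
        (0.0, "0x" + "a" * 36 + "1234"),
        (0.3, "0x" + "b" * 36 + "1234"),
        (5.0, "bc1" + "q" * 39),
        (9.0, "bc1" + "z" * 39),  # 4 s later: a normal re-copy, not a swap
    ]
    for swap in detect_swaps(sample):
        print(f"{swap.chain}: {swap.original} -> {swap.replacement} lookalike={swap.lookalike}")
```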

Tor Network Helps Hide Activity

The malware uses the Tor network to conceal command-and-control communications and downloaded payloads. Additional malware components are retrieved from a .onion address that is inaccessible through standard web browsers.

Researchers also found that the stealer component checks whether Windows Task Manager is running before activating, likely as an attempt to avoid detection by users investigating suspicious system activity.

Beyond clipboard theft, the malware can repeatedly capture screenshots of the victim’s screen and upload them to attacker-controlled servers. It also supports remote code execution, allowing threat actors to run additional commands on compromised devices.

Indicators of Compromise

Microsoft says behavioral monitoring offers a more reliable way to detect this campaign than traditional signature-based detection.

Security teams should watch for unusual activity involving wscript.exe, cscript.exe, PowerShell, cmd.exe, and curl.

Researchers also recommend monitoring for unexpected Tor-related activity, including connections to localhost:9050, which may indicate the presence of a Tor proxy used by the malware.
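The two indicators above, turned into detection logic over sample events as an added example (not code from Microsoft or the report): a script host or curl started with a command line that points at a non-system drive, and any process connecting to the local Tor SOCKS port 9050. The key=value event format, the sample lines and the assumption that C: is the only system drive are all constructed for the example.

```python
import re

# Process names the report lists as worth watching.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "curl.exe"}
# Local Tor SOCKS proxy endpoint named in the report.
TOR_SOCKS = {("127.0.0.1", 9050), ("localhost", 9050)}
# Assumption for this example: C: is the system drive, any other letter is removable.
NON_SYSTEM_DRIVE = re.compile(r"\b[D-Zd-z]:\\")

def parse(line):
    """Parse a constructed key="value" event line (not a real EDR schema)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def flag(event):
    """Return a reason string if the event matches one of the indicators, else None."""
    kind = event.get("type")
    if kind == "process":
        image = event.get("image", "").rsplit("\\", 1)[-1].lower()
        cmdline = event.get("cmdline", "")
        if image in SCRIPT_HOSTS and NON_SYSTEM_DRIVE.search(cmdline):
            return f"{image} launched with a command line on a non-system drive: {cmdline}"
    elif kind == "network":
        endpoint = (event.get("dst", ""), int(event.get("port", "0")))
        if endpoint in TOR_SOCKS:
            return f"{event.get('image')} connected to local Tor SOCKS port 9050"
    return None

def scan(lines):
    """Return (event, reason) pairs for every line that triggers an indicator."""
    return [(event, reason) for event in map(parse, lines) if (reason := flag(event))]

# Constructed sample events; the drive letter, paths and addresses are made up.
SAMPLE = [
    'type="process" image="C:\\Windows\\System32\\wscript.exe" cmdline="wscript.exe E:\\report.vbs" parent="explorer.exe"',
    'type="process" image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c dir" parent="explorer.exe"',
    'type="network" image="curl.exe" dst="127.0.0.1" port="9050"',
    'type="network" image="chrome.exe" dst="203.0.113.5" port="443"',
]

if __name__ == "__main__":
    for event, reason in scan(SAMPLE):
        print(reason)
```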

How to Protect Yourself

Users can reduce their risk by following several basic security practices:

  • Avoid connecting unknown USB drives to computers.
  • Verify cryptocurrency wallet addresses before sending funds.
  • Check the beginning and end of wallet addresses after pasting them.
  • Use endpoint security solutions with behavioral detection capabilities.
  • Monitor systems for unusual Tor-related network traffic.

The campaign serves as another reminder that cryptocurrency users remain a prime target for cybercriminals, particularly through malware designed to manipulate clipboard contents and intercept wallet transactions.

In related Microsoft security news, the company recently confirmed it is working on a fix for the RougePlanet exploit, addressed the Copilot SearchLeak vulnerability, and warned that Microsoft Teams is being abused by the Backdoor.Turn malware campaign.

Via BleepingComputer
