Malware Spreads via USB Drives to Steal Crypto Wallet Data

Malware that spreads through USB drives has targeted cryptocurrency wallets on Windows computers since February. lnk. Clicking the shortcut installs a worm that runs continuously and monitors the Windows clipboard every 500 milliseconds. When the worm detects copied seed phrases, private keys, or recipient addresses, it captures the data and sends it to attacker servers over the Tor network.

It also replaces copied recipient addresses with attacker-controlled addresses before users paste them. The worm further spreads by scanning clean USB drives for documents and replacing them with shortcut files that carry the same names.

Microsoft published indicators of compromise including file hashes and .onion domains. The company advised users to disable AutoRun for removable media, block .lnk file execution on USB drives, and restrict script hosts such as wscript.exe and cscript.exe. Security teams can run hunting queries to check for connections to a local Tor proxy on port 9050.