Microsoft Defender warned on June 17 about a new USB-based malware that targets cryptocurrency users by stealing seed phrases and replacing wallet addresses. The malware propagates through USB drives using shortcut files and uses Tor-powered communication to avoid detection. Microsoft stated the threat steals 12- or 24-word BIP39 seed phrases and scans for bitcoin, tron, and monero addresses every 500 milliseconds to redirect transactions to attacker-controlled wallets.
Malware Replaces Crypto Addresses and Steals Seed Phrases via USB Shortcuts
The Microsoft Defender team warned in a June 17 blog post that the malware replaces files on removable media storage devices with shortcuts (.lnk files) that trigger infection when executed. The malware takes countermeasures against scanning and deletion by antivirus software and uses anonymized Tor-powered communication to avoid detection.
The malware propagates by copying itself to any USB drive inserted into an infected computer. It runs a process that can execute various tasks, including replacing addresses that users copy to the clipboard of the infected device.
The malware runs continuously on affected devices and scans memory for what Microsoft calls "high-value financial artifacts." It detects 12- or 24-word BIP39 seed phrases in clipboard data and sends them to the attackers, along with five screenshots that give context about wallet contents and funds.
The crypto clipper scans memory for bitcoin, tron, and monero addresses every 500 milliseconds. If it finds one, it assumes the user is copying the address to execute a transaction and swaps it for a similar address under the attacker's control, diverting funds sent from the infected device.
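A defensive counterpart to the clipper behaviour described above, added here as an example and not code from Microsoft's post or from the malware: it classifies clipboard contents for the same three chains and raises an alert when a polled clipboard value is an address that differs from the one the user last copied. The event log and addresses are constructed, and the address patterns are prefix-and-length checks only, not checksum validation; a real deployment would feed the detector from a clipboard hook.

```python
import re

# Approximate address shapes for the three chains named in the article (constructed;
# prefix and length only, no checksum validation).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "monero": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


def classify_address(text):
    """Return the chain name if text looks like a wallet address, else None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


def detect_clipper_swaps(events):
    """events: chronological (t_ms, source, value) tuples. source is 'user' for a
    user-initiated copy and 'poll' for a periodic clipboard read. An alert is raised
    when a polled value is an address that differs from the user's last copied value."""
    alerts, seen, last_user = [], set(), None
    for t, source, value in events:
        chain = classify_address(value)
        if source == "user":
            last_user = (t, chain, value)  # user copy resets the baseline
            continue
        if last_user is None or last_user[1] is None or chain is None:
            continue  # no address baseline, or clipboard holds no address
        if value != last_user[2] and (last_user[2], value) not in seen:
            seen.add((last_user[2], value))
            alerts.append({"t": t, "chain": chain, "copied": last_user[2], "found": value})
    return alerts


# Constructed event log: one bitcoin copy silently replaced 500 ms later, then
# benign text and an untouched tron address.
USER_BTC, ATTACKER_BTC = "bc1q" + "a" * 38, "bc1q" + "c" * 38
USER_TRON = "T" + "A" * 33
SAMPLE_EVENTS = [
    (0, "user", USER_BTC),
    (500, "poll", USER_BTC),
    (1000, "poll", ATTACKER_BTC),   # swapped by a clipper -> alert
    (1500, "poll", ATTACKER_BTC),   # same swap, deduplicated
    (5000, "user", "meeting notes"),
    (5500, "poll", "meeting notes"),
    (9000, "user", USER_TRON),
    (9500, "poll", USER_TRON),
]
```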
"This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking," the Microsoft Defender team stated.
Microsoft Recommends Disabling Autorun and Blocking Shortcuts from Removable Drives
To mitigate infections, the Microsoft Defender team recommends disabling autorun for content on all removable media and blocking the execution of shortcuts from removable drives, which have been identified as the main propagation vectors of the malware.
FAQ
What did Microsoft Defender warn about on June 17?
Microsoft Defender warned about a new USB-based malware that steals 12- or 24-word BIP39 seed phrases and replaces cryptocurrency wallet addresses for bitcoin, tron, and monero to redirect transactions to attacker-controlled wallets.
How does the malware propagate to other devices?
The malware replaces files on removable media storage devices with shortcut (.lnk) files that trigger infection when executed, and it copies itself to any USB drives inserted into an infected computer.
What mitigation steps did Microsoft recommend?
Microsoft recommends disabling autorun for content on all removable media and blocking the execution of shortcuts from removable drives, which are the main propagation vectors of the malware.