USB worm spreads crypto-stealing malware via Windows shortcut files

Bleeping Computer, June 18, 2026
Threat actors targeting cryptocurrency wallets have been distributing clipboard-stealing malware with self-spreading capabilities and using the Tor network to conceal communication.
The campaign has been active since at least February and relies on LNK (shortcut) files on USB drives to push clipper malware that monitors clipboard contents and replaces cryptocurrency wallet addresses with ones controlled by the attacker.
Additionally, it monitors for seed phrases and private keys, and can capture screenshots that are exfiltrated over Tor.
Infection and worm propagation
Microsoft says that the infection process starts with the victim opening the LNK file, triggering the malware on the USB drive. Additional payloads are staged from a .ONION address.
A local scan searches for document files on the system. When such files are found, the malware hides the originals and replaces them with malicious shortcuts bearing the same names. This causes the malware to execute when users attempt to open the documents.
The worm creates a scheduled task that monitors for newly connected USB storage devices. When a removable drive is connected, the malware copies itself to the device and creates additional malicious shortcut files.
Figure: Execution flow overview (Source: Microsoft)
Data stealer
The stealer component in the malware executes after checking that Task Manager is inactive, establishing communications with the command-and-control (C2) host using a Tor executable (ugate.exe).
Every half a second, the malware checks the clipboard for the following data:
12-word BIP39 seed phrases
24-word BIP39 seed phrases
Ethereum private keys
Bitcoin WIF keys
Bitcoin legacy, P2SH, Bech32, and Taproot wallet addresses
Tron wallet addresses
Monero wallet addresses
The targeted addresses are chosen based on their starting digits or characters to partially resemble the attackers’ wallet addresses, to lower the chance of the user discovering the fraud at a quick glance.
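The checks below, added here as an illustration and not taken from Microsoft's report or the malware itself, show what a defender-side clipboard guard has to recognise: the same classes of clipboard content the clipper hunts for, and the "looks the same at a glance" substitution described above. The regular expressions are this example's own approximations of the address and key formats (the seed-phrase check only tests word count and shape, not the real BIP39 wordlist), and the wallet addresses in the comments and usage are constructed, not real.

```python
import re

# Approximate format patterns for the clipboard content types the article
# lists. These are this example's assumptions, not the malware's own checks.
PATTERNS = {
    "eth_private_key": re.compile(r"^(0x)?[0-9a-fA-F]{64}$"),
    "btc_wif_key": re.compile(r"^[5KL][1-9A-HJ-NP-Za-km-z]{50,51}$"),
    "btc_legacy_address": re.compile(r"^1[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_p2sh_address": re.compile(r"^3[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32_address": re.compile(r"^bc1q[02-9ac-hj-np-z]{38,58}$"),
    "btc_taproot_address": re.compile(r"^bc1p[02-9ac-hj-np-z]{58}$"),
    "tron_address": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "monero_address": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


def classify(text: str):
    """Return the kind of crypto secret/address a clipboard string looks like, or None.

    The seed-phrase branch is an approximation: it accepts 12 or 24 lowercase
    words of plausible length; a real guard would validate against the BIP39 list.
    """
    s = text.strip()
    words = s.split()
    if len(words) in (12, 24) and all(re.fullmatch(r"[a-z]{3,8}", w) for w in words):
        return f"bip39_seed_{len(words)}"
    for kind, pattern in PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


def shared_prefix_len(a: str, b: str) -> int:
    """Length of the common leading run of characters (what a quick glance compares)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def check_clipboard(copied: str, current: str) -> dict:
    """Compare what the user copied with what the clipboard now holds.

    A clipper replaces a wallet address between copy and paste, so any change to
    content that classified as an address or key is treated as tampering. The
    shared prefix length is reported to show how little of the address a
    prefix-matched substitute actually preserves.
    """
    copied, current = copied.strip(), current.strip()
    kind_copied = classify(copied)
    tampered = kind_copied is not None and copied != current
    return {
        "tampered": tampered,
        "copied_kind": kind_copied,
        "current_kind": classify(current),
        "shared_prefix": shared_prefix_len(copied, current) if tampered else None,
    }


if __name__ == "__main__":
    # Constructed addresses: the second shares only the first four characters.
    legit = "1CopiedAddrX9k3Qm7vT2pL8nR4sW6yB1z"
    swapped = "1CopXattackerQ7vT2pL8nR4sW6yB9zMm"
    print(check_clipboard(legit, swapped))
```

Wiring `check_clipboard` to a real clipboard (for instance by snapshotting the clipboard on copy and re-reading it before paste) is left to the host application; the point of the example is the comparison, not the platform API.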
Figure: Function that replaces the wallet address (Source: Microsoft)
Apart from monitoring the clipboard, the malware also captures five screenshots of the victim’s screen every ten seconds and sends them to the C2 using the curl tool.
According to Microsoft, there is also support for remote code execution, which can be triggered by a C2 EVAL instruction. Specifically, the malware downloads JavaScript content into a file named ‘cfile,’ and executes it on the infected machine.
The researchers say that the strongest indicators of an infection are behavioral rather than signature-based, and recommend monitoring for process activity on wscript.exe and cscript.exe, unexpected launches of curl, PowerShell, and cmd.exe, along with unusual child processes.
Also, connections to ‘localhost:9050’ and Tor proxy activity are red flags associated with this campaign.
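The following detection logic is an added example of how the behavioral indicators above can be expressed against endpoint telemetry; it is not Microsoft's detection content and not code from the report. It assumes process-creation and network-connection events in a simple JSON-lines shape (field names such as `image`, `parent_image`, `ppid`, `dest_ip` and `dest_port` are this example's own), and the sample events are constructed to mimic the chain described in the article: a script host spawning curl and PowerShell, and the curl process talking to the Tor SOCKS port on localhost.

```python
import json

# Constructed sample telemetry (JSON lines), not real data. Field names are
# this example's assumptions, not a particular EDR product's schema.
SAMPLE_TELEMETRY = """
{"type": "process", "pid": 4120, "ppid": 1540, "image": "wscript.exe", "parent_image": "explorer.exe"}
{"type": "process", "pid": 4188, "ppid": 4120, "image": "curl.exe", "parent_image": "wscript.exe"}
{"type": "process", "pid": 4202, "ppid": 4120, "image": "powershell.exe", "parent_image": "wscript.exe"}
{"type": "network", "pid": 4188, "dest_ip": "127.0.0.1", "dest_port": 9050}
{"type": "process", "pid": 5010, "ppid": 1540, "image": "notepad.exe", "parent_image": "explorer.exe"}
{"type": "network", "pid": 5010, "dest_ip": "203.0.113.5", "dest_port": 443}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_CHILDREN = {"curl.exe", "powershell.exe", "cmd.exe"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TOR_SOCKS_PORT = 9050  # the 'localhost:9050' indicator from the article


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def descends_from_script_host(pid: int, parent_of: dict, image_of: dict) -> bool:
    """Walk the parent chain and report whether any ancestor (or pid itself) is a script host."""
    seen = set()
    while pid in parent_of and pid not in seen:
        seen.add(pid)
        if image_of.get(pid) in SCRIPT_HOSTS:
            return True
        pid = parent_of[pid]
    return image_of.get(pid) in SCRIPT_HOSTS


def detect(events: list) -> list:
    """Apply the article's behavioral indicators and return a list of findings.

    Rules: script-host activity (low), curl/PowerShell/cmd spawned by a script
    host (medium), and loopback connections to the Tor SOCKS port (medium, or
    high when the connecting process descends from a script host).
    """
    parent_of, image_of, findings = {}, {}, []
    for ev in events:
        if ev["type"] == "process":
            parent_of[ev["pid"]] = ev["ppid"]
            image_of[ev["pid"]] = ev["image"]
            if ev["image"] in SCRIPT_HOSTS:
                findings.append({"rule": "script_host_started", "pid": ev["pid"], "severity": "low"})
            if ev["parent_image"] in SCRIPT_HOSTS and ev["image"] in SUSPICIOUS_CHILDREN:
                findings.append({"rule": "suspicious_child_of_script_host", "pid": ev["pid"], "severity": "medium"})
        elif ev["type"] == "network":
            if ev["dest_ip"] in LOOPBACK and ev["dest_port"] == TOR_SOCKS_PORT:
                high = descends_from_script_host(ev["pid"], parent_of, image_of)
                findings.append({"rule": "tor_socks_connection", "pid": ev["pid"],
                                 "severity": "high" if high else "medium"})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_TELEMETRY)):
        print(finding)
```

The ancestry walk is what turns two individually noisy signals (a script host running, something on the box touching port 9050) into one confident finding; on real telemetry the process map should be built from the full event stream rather than the handful of lines shown here, because the network event may arrive before its process's creation record.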