
KeyAudit

private-key-leak · infrastructure · social-engineering

Crypto Clipper Worm Spreads via USB, Steals Private Keys on Windows

Since February, a worm called Trojan:Win32/CryptoBandits has been spreading via infected USB drives to target Windows users' crypto wallets. The malware, described as a 'crypto clipper,' infects a PC through a malicious .lnk shortcut file, then monitors the Windows clipboard every 500 milliseconds for seed phrases, private keys, and recipient addresses. When it detects a copied recipient address, it silently replaces it with an attacker-controlled address, redirecting funds. The malware exfiltrates data over the Tor network and also takes screenshots. To propagate, it replaces legitimate files on clean USB drives with identically named .lnk shortcuts. Microsoft advises disabling AutoRun, blocking .lnk execution on USB media, and restricting script hosts. Indicators of compromise, including file hashes and .onion domains, have been published for network checks.

Key facts

  • Trojan:Win32/CryptoBandits has been spreading via infected USB drives since February.
  • Malware intercepts clipboard data, swaps recipient addresses to steal crypto.
  • Exfiltrates data over Tor network and takes five screenshots.
  • Propagates by replacing files on clean USBs with malicious shortcuts.
  • Microsoft recommends disabling AutoRun and blocking .lnk on USB drives.
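The following is an added example, not code from Microsoft's advisory or from the original report. It shows the defender's side of the mechanism described above: a small Python clipboard guard that polls at the same 500 ms cadence the worm uses and flags the clipper signature, an address-like clipboard value being replaced by a different address of the same kind within one second, as well as seed-phrase-shaped text sitting in the clipboard. The address regexes, the 1000 ms window, the `Sample` type and the clipboard log are all constructed for illustration; the two bech32 addresses are the BIP-173 specification examples and the 12-word phrase is the first twelve words of the BIP-39 English list, so none of them belong to a real wallet.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Shape checks only (constructed for this example); a production guard would
# also verify the Base58Check / bech32 checksum before trusting a match.
ADDRESS_PATTERNS = {
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# BIP-39 phrases are 12..24 lowercase words; the worm watches for these too.
SEED_WORD_COUNTS = {12, 15, 18, 21, 24}


@dataclass(frozen=True)
class Sample:
    """One clipboard reading: milliseconds since monitoring started, and the text."""
    t_ms: int
    text: str


def classify(text: str) -> Optional[str]:
    """Return the address kind the text resembles, or None if it is not address-like."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def looks_like_seed_phrase(text: str) -> bool:
    """True for 12/15/18/21/24 lowercase alphabetic words, the shape of a BIP-39 phrase."""
    words = text.split()
    return len(words) in SEED_WORD_COUNTS and all(w.isalpha() and w.islower() for w in words)


def detect_swaps(samples: List[Sample], window_ms: int = 1000) -> List[Tuple[int, str, str]]:
    """Flag clipper-style replacements in a sequence of clipboard readings.

    A clipper leaves the clipboard holding an address of the SAME kind the user
    copied but with DIFFERENT content, one or two polls later.  A person rarely
    copies two different addresses of one kind within `window_ms`, so that
    pattern is reported as (time, original, replacement).
    """
    alerts: List[Tuple[int, str, str]] = []
    prev: Optional[Sample] = None
    prev_kind: Optional[str] = None
    for s in samples:
        kind = classify(s.text)
        if (prev is not None and kind is not None and kind == prev_kind
                and s.text.strip() != prev.text.strip()
                and s.t_ms - prev.t_ms <= window_ms):
            alerts.append((s.t_ms, prev.text.strip(), s.text.strip()))
        prev, prev_kind = s, kind
    return alerts


def seed_phrase_exposures(samples: List[Sample]) -> List[int]:
    """Times at which seed-phrase-shaped text was sitting in the clipboard."""
    return [s.t_ms for s in samples if looks_like_seed_phrase(s.text)]


def collect_samples(read_clipboard: Callable[[], str], count: int,
                    interval_ms: int = 500) -> List[Sample]:
    """Poll a clipboard-reading callable at the worm's own 500 ms cadence."""
    samples = []
    for i in range(count):
        samples.append(Sample(i * interval_ms, read_clipboard()))
        if i < count - 1:
            time.sleep(interval_ms / 1000)
    return samples


# Constructed clipboard log: specification example addresses, not real wallets.
USER_ADDRESS = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
SWAPPED_ADDRESS = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
CLIPBOARD_LOG = [
    Sample(0,     "meeting notes for thursday"),
    Sample(500,   USER_ADDRESS),        # user copies the intended recipient
    Sample(1000,  SWAPPED_ADDRESS),     # clipper rewrites it one poll later
    Sample(1500,  SWAPPED_ADDRESS),
    Sample(9000,  "abandon ability able about above absent absorb abstract absurd abuse access accident"),
    Sample(20000, "0x0123456789abcdef0123456789abcdef01234567"),
    Sample(20500, "0x0123456789abcdef0123456789abcdef01234567"),
]

if __name__ == "__main__":
    for t, before, after in detect_swaps(CLIPBOARD_LOG):
        print(f"[{t} ms] recipient address changed under you: {before} -> {after}")
    for t in seed_phrase_exposures(CLIPBOARD_LOG):
        print(f"[{t} ms] seed phrase in clipboard; clear it and never paste it into a browser")
```

To run it against a live clipboard, pass a reader such as `tkinter.Tk().clipboard_get` to `collect_samples`. The heuristic will also fire if a user legitimately copies two different addresses of the same kind within the window, so treat an alert as a prompt to re-check the pasted address, not as proof of infection; it complements, and does not replace, the AutoRun, .lnk and script-host controls Microsoft recommends.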

KeyAudit data perspective
