A new strain of malware is combining three distinct attack techniques into a single package — self-replicating through USB drives, hijacking clipboard data to steal cryptocurrency, and routing command-and-control traffic through the Tor anonymity network to evade detection. Security researchers are urging IT administrators and end users to treat removable media with heightened caution.
What It Does
The malware, reported by BleepingComputer, propagates as a worm by exploiting Windows shortcut files (LNK files) stored on USB flash drives. When a user plugs an infected drive into a machine and opens what appears to be a normal shortcut, the malicious code executes silently in the background.
Once active, the malware installs a clipboard-monitoring component that watches for cryptocurrency wallet addresses copied by the user. When it detects one, it substitutes the address with one controlled by the attackers — a classic but effective technique known as clipboard hijacking. Victims who paste what they believe is their own wallet address during a transaction unknowingly send funds to the threat actors instead.
What makes this campaign particularly dangerous is the combination of propagation and persistence. Because the malware spreads autonomously via removable drives, a single infected USB stick can compromise multiple machines across an organisation without any deliberate user action beyond plugging it in.
Why It Matters
The triple-threat design of this malware — worm propagation, clipboard theft, and Tor-based covert communications — marks a meaningful escalation in commodity malware capabilities. Each technique on its own is well-known, but bundling them together increases both the blast radius of an infection and the difficulty of remediation.
The use of Tor for command-and-control traffic is especially noteworthy. By routing communications through the Tor network, the malware makes it significantly harder for network monitoring tools to identify and block connections to the attacker's infrastructure. Traditional IP-based blocking strategies become largely ineffective against this approach.
For cryptocurrency users and organisations handling digital assets, the clipboard hijacking vector poses a direct financial risk. Unlike phishing or social engineering attacks that require a victim to take a specific action, clipboard substitution operates passively — silently redirecting funds at the moment a transaction is executed.
The worm component also transforms what might otherwise be a localised infection into a network-level concern. In enterprise environments where USB drives are routinely used for file transfer between air-gapped or restricted systems, a single compromised device could cascade across departments.
What To Do
Security professionals should consider the following countermeasures:
- Restrict USB autorun and autoplay. Ensure that Windows Group Policy settings disable the automatic execution of files from removable media. Organisations should enforce this endpoint-wide, not rely on user compliance.
- Audit and monitor clipboard activity. Endpoint detection and response (EDR) tools should be configured to flag processes that repeatedly read from or write to the system clipboard, particularly when cryptocurrency-related patterns are detected.
- Block or monitor Tor traffic. Organisations that do not have a legitimate business need for Tor should consider blocking known Tor entry node IP addresses at the network perimeter. For those that permit Tor use, enhanced logging and anomaly detection should be in place.
- Scan removable media before use. Deploy USB scanning policies that inspect all files on removable drives — including hidden and shortcut files — before allowing user access.
- Educate users on visual indicators. Encourage staff to verify wallet addresses character by character before confirming cryptocurrency transactions, rather than relying on copy-paste alone.
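As a concrete illustration of the "audit and monitor clipboard activity" countermeasure above, here is an added example (not code from the article or from BleepingComputer) that scans per-process clipboard events for the substitution pattern described earlier and for high-rate clipboard polling. The event format, process names, wallet addresses and thresholds are all constructed assumptions; map the fields of your own EDR's clipboard telemetry onto them.

```python
"""Added example: flag clipboard-hijacking patterns in clipboard event logs.
'substitution' = a process other than the one that copied a wallet address
overwrites the clipboard with a different address of the same kind within a
short window; 'polling' = a process reads the clipboard at a high rate.
Event fields (ts, process, op, data) are a constructed stand-in for EDR output."""
import re
from collections import defaultdict

WALLET_PATTERNS = {  # common address shapes; extend for other chains
    "btc": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def wallet_kind(text):
    """Return 'btc'/'eth' if the whole clipboard text is a wallet address, else None."""
    text = text.strip()
    return next((k for k, rx in WALLET_PATTERNS.items() if rx.fullmatch(text)), None)

def detect(events, sub_window=2.0, poll_count=10, poll_window=5.0):
    """Return alerts for substitution and polling patterns in the event stream."""
    alerts, reads, polled = [], defaultdict(list), set()
    clip = None  # (value, kind, ts, writer): what the clipboard holds right now
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, proc = ev["ts"], ev["process"]
        if ev["op"] == "read":  # keep only this process's reads inside poll_window
            reads[proc] = [t for t in reads[proc] if ts - t <= poll_window] + [ts]
            if len(reads[proc]) >= poll_count and proc not in polled:
                polled.add(proc)
                alerts.append({"type": "polling", "process": proc, "ts": ts})
        elif ev["op"] == "write":
            value, kind = ev.get("data", "").strip(), wallet_kind(ev.get("data", ""))
            if (clip and kind and clip[1] == kind and clip[0] != value
                    and clip[3] != proc and ts - clip[2] <= sub_window):
                alerts.append({"type": "substitution", "process": proc, "ts": ts,
                               "original": clip[0], "replacement": value})
            clip = (value, kind, ts, proc)
    return alerts

# Constructed sample stream; the addresses are made up and only match the regexes.
VICTIM_BTC, ATTACKER_BTC = "1ConstructedTestAddr9xQv7K2bQ", "1ConstructedTestAddr9xQv7K2bR"
VICTIM_ETH, ATTACKER_ETH = "0x" + "11" * 20, "0x" + "ee" * 20
SAMPLE_EVENTS = [
    {"ts": 100.0, "process": "wallet.exe", "op": "write", "data": VICTIM_BTC},
    {"ts": 100.3, "process": "updater.exe", "op": "read"},
    {"ts": 100.4, "process": "updater.exe", "op": "write", "data": ATTACKER_BTC},
    # benign: the user copies two different addresses from the same wallet app
    {"ts": 200.0, "process": "wallet.exe", "op": "write", "data": VICTIM_ETH},
    {"ts": 200.5, "process": "wallet.exe", "op": "write", "data": ATTACKER_ETH},
    {"ts": 300.0, "process": "wallet.exe", "op": "write", "data": VICTIM_ETH},
    {"ts": 300.2, "process": "updater.exe", "op": "read"},
    {"ts": 300.3, "process": "updater.exe", "op": "write", "data": ATTACKER_ETH},
] + [{"ts": 400.0 + i / 10, "process": "updater.exe", "op": "read"} for i in range(10)]
```

Running `detect(SAMPLE_EVENTS)` yields two substitution alerts against `updater.exe` and one polling alert, while the user's own back-to-back copies from `wallet.exe` stay silent.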
The emergence of this malware underscores a persistent reality in cybersecurity: well-established attack techniques remain effective when combined in novel ways and delivered through overlooked vectors. As cryptocurrency adoption grows, so too does the incentive for threat actors to target the underlying infrastructure of digital transactions. Vigilance around something as mundane as a USB stick remains as important as ever.