Threat actors targeting cryptocurrency wallets have been distributing clipboard-stealing malware with self-spreading capabilities and using the Tor network to conceal communication.
The campaign has been active since at least February and relies on LNK (shortcut) files on USB drives to push clipper malware that monitors clipboard contents and replaces cryptocurrency wallet addresses with ones controlled by the attacker.
Additionally, it monitors for seed phrases and private keys, and can capture screenshots that are exfiltrated over Tor.
Infection and worm propagation
Microsoft says that the infection process starts with the victim opening the LNK file, triggering the malware on the USB drive. Additional payloads are staged from a .ONION address.
A local scan searches for document files on the system. When such files are found, the malware hides the originals and replaces them with malicious shortcuts bearing the same names. This causes the malware to execute when users attempt to open the documents.
The worm creates a scheduled task that monitors for newly connected USB storage devices. When a removable drive is connected, the malware copies itself to the device and creates additional malicious shortcut files.
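A defender-side check for the footprint this document replacement leaves on a drive, added here as an example and not taken from the article or from Microsoft's report: it walks a directory and flags document files that sit beside a shortcut of the same name. The document-extension list, the constructed sample tree and the `name.docx.lnk` variant are assumptions of this example.

```python
import os
import stat
import tempfile
from pathlib import Path

# "Document files" per the report; this particular extension list is an assumption.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}

def is_hidden(path):
    """True/False for the Windows 'hidden' attribute; None on other platforms."""
    try:
        attrs = path.stat().st_file_attributes  # Windows-only stat field
    except AttributeError:
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def find_shortcut_decoys(root):
    """Return document files that sit beside a .lnk carrying the same name.
    A hidden original next to a visible same-named shortcut is the on-disk
    footprint of the document-replacement step described above."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        lower = {n.lower(): n for n in filenames}  # case-insensitive lookup
        for name in filenames:
            doc = Path(dirpath) / name
            if doc.suffix.lower() not in DOC_EXTENSIONS:
                continue
            # "report.docx" -> "report.lnk" (Explorer shows both as "report");
            # "report.docx.lnk" is also checked, a variant assumed here.
            for cand in (doc.stem + ".lnk", name + ".lnk"):
                if cand.lower() in lower:
                    findings.append({
                        "document": str(doc),
                        "shortcut": str(Path(dirpath) / lower[cand.lower()]),
                        "document_hidden": is_hidden(doc),
                    })
    return findings

def build_sample_tree():
    """Constructed sample drive: two decoyed documents, one clean file, one stray .lnk."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    for rel in ("report.docx", "report.lnk", "notes.txt", "notes.txt.lnk",
                "sub/budget.xlsx", "sub/readme.lnk"):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
    return root
```

Run `find_shortcut_decoys(Path("E:/"))` against a mounted removable drive; on Windows the `document_hidden` field additionally tells you whether the original was hidden, which is the stronger indicator.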
Figure: Execution flow overview (Source: Microsoft)
Data stealer