According to the report, the malware is hosted on a website imitating the site of Cryptohopper, a service that provides users with tools for automated cryptocurrency trading. When someone visits the scam site, a setup.exe installer is automatically downloaded, and it infects the computer once it is run.
The scam website also displays Cryptohopper’s logo in order to trick the user. Reportedly, a Vidar information-stealing Trojan is installed when the installer is run. This in turn leads to the installation of two Qulab trojans, for mining and for clipboard hijacking. Both the clipper and the miner are deployed once every minute in order to continuously collect data.
As for the Vidar information-stealing trojan, it attempts to scrape user data including browser cookies, browser history, browser payment information, saved login credentials, and cryptocurrency wallets. All of this information is periodically compiled and sent to a remote server, after which the compilation is deleted.
When a user copies a string that looks like a wallet address, the Qulab clipboard hijacker attempts to substitute one of its own addresses in the clipboard, so that a cryptocurrency transaction initiated by the user is redirected to the attacker’s address instead. The hijacker has substitute addresses for ether (ETH), bitcoin (BTC), bitcoin cash (BCH), dogecoin (DOGE), dash (DASH), litecoin (LTC), zcash (ZEC), bitcoin gold (BTG), XRP, and Qtum.
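The behaviour just described, a valid wallet address in the clipboard being silently replaced by a different valid address of the same coin, is the observable signature a clipper leaves behind, and it can be spotted from the outside by watching clipboard changes. The following is an added detection example written for this article; it is not code from the report, from Cryptohopper or from the malware. It assumes a stream of clipboard-change notifications with timestamps (on Windows such a stream would come from a clipboard listener; here the events are constructed inline), uses simplified format-only regexes for a few of the listed coins (an assumption, with no checksum validation), and assumes that a swap occurring within a few seconds of the previous change, with no other activity, is suspicious. The substitution address quoted in the report is used as the replacement value in the constructed sample.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Simplified address shapes for some of the coins the article lists as clipper
# targets. These regexes are an assumption of this example (format checks only,
# no checksum validation); BCH, DASH, ZEC, BTG, XRP and Qtum are left out.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[ac-hj-np-z02-9]{25,59})$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}$"),
}


@dataclass(frozen=True)
class ClipboardChange:
    t: float   # seconds since the monitor started
    text: str  # clipboard text after the change


@dataclass(frozen=True)
class SubstitutionAlert:
    t: float
    coin: str
    original: str
    replacement: str


def classify_address(text: str) -> Optional[str]:
    """Return the coin ticker whose address format the text matches, or None."""
    s = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None


def detect_substitutions(changes: List[ClipboardChange],
                         window_seconds: float = 5.0) -> List[SubstitutionAlert]:
    """Flag clipboard changes that replace a valid address with a different valid
    address of the same coin within `window_seconds` of the previous change.

    A human re-copying a second address usually takes longer than a few seconds;
    a clipper reacts almost immediately. The window is a tunable assumption."""
    alerts: List[SubstitutionAlert] = []
    prev: Optional[ClipboardChange] = None
    for change in sorted(changes, key=lambda c: c.t):
        if prev is not None:
            before, after = prev.text.strip(), change.text.strip()
            coin = classify_address(before)
            if (coin is not None
                    and before != after
                    and classify_address(after) == coin
                    and change.t - prev.t <= window_seconds):
                alerts.append(SubstitutionAlert(change.t, coin, before, after))
        prev = change
    return alerts


# Constructed sample event stream (not captured data). The first BTC address is a
# made-up user wallet; the second is the substitution address quoted in the report.
SAMPLE_CHANGES = [
    ClipboardChange(0.0, "1ExampLeUserWaLLetAddr2r6e9f3k4m5n"),        # user copies own address
    ClipboardChange(0.4, "1FFRitFm5rP5oY5aeTeDikpQiWRz278L45"),        # swapped 0.4 s later
    ClipboardChange(30.0, "hello world"),                              # ordinary text
    ClipboardChange(30.5, "hello there"),                              # ordinary text changes
    ClipboardChange(60.0, "0xAbC123AbC123AbC123AbC123AbC123AbC123AbC1"),  # made-up ETH address
    ClipboardChange(600.0, "0x1111111111111111111111111111111111111111"),  # 9 min later: new copy
]


def demo_alerts() -> List[SubstitutionAlert]:
    """Run the detector over the constructed sample; expected to yield one BTC alert."""
    return detect_substitutions(SAMPLE_CHANGES)


if __name__ == "__main__":
    for alert in demo_alerts():
        print(f"t={alert.t:.1f}s {alert.coin} address swapped: "
              f"{alert.original} -> {alert.replacement}")
```

Only the 0.4-second swap between two BTC-shaped strings is reported; the change of ordinary text and the ETH address copied nine minutes later are both ignored. In a real monitor the same rule would run on the OS clipboard-change events, and a matching alert is also a prompt to check which process wrote to the clipboard, since the article notes the clipper re-runs once every minute.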
As per the report, one of the wallets associated with the clipper has received 33 BTC, or $258,335 at press time, via the substitution address ‘1FFRitFm5rP5oY5aeTeDikpQiWRz278L45’, although not all of this may have come from the Cryptohopper scam.
In May, a YouTube-based crypto scam campaign was discovered that lured victims with the promise of a free BTC generator. When users ran the alleged BTC generator, which downloads automatically on visiting the associated website, their systems were infected with a Qulab trojan, which would attempt to steal user information and run a clipboard hijacker for crypto addresses.
Image source – Pixabay.com