New Website Spreading Crypto Malware Discovered
According to a news report on June 05, a malware researcher who goes by the name Fumik0_ on Twitter has discovered a new website that is spreading crypto malware. The site imitates Cryptohopper, a website that offers tools for automated trading in various cryptocurrency marketplaces.
How the Malware Works
This new website, which impersonates Cryptohopper, spreads malware such as information-stealing Trojans, clipboard hijackers and miners. For this campaign, a replica of the original trading platform has been created, so when users mistakenly visit the copy, a Setup.exe executable is automatically downloaded onto their systems.
This Setup.exe executable sports the Cryptohopper logo, making it look like an authentic offering from the platform. In reality, it is the Trojan called Vidar.
When it is executed, this variant of Vidar downloads the relevant libraries and then installs two further Trojans, both called Qulab. One acts as a cryptocurrency miner, while the other is a clipboard hijacker. In addition, tasks are created that launch the two Trojans every minute.
Vidar then begins to collect data from the user’s system and compiles it in a randomly named directory in the Program Data folder. The collected information includes browser cookies, browsing history, payment information from browsers, saved login details, crypto wallets, text files, autofill information for browser forms, 2FA authenticator databases, screenshots of desktops and much more.
All this information is then uploaded to a remote server and is collected by the attackers. The sent files are all removed from the user’s system, leaving behind empty folders.
When the Qulab clipboard hijacker recognizes that a user has copied what looks like a cryptocurrency wallet address onto the clipboard, the Trojan tries to replace it with one of the attacker’s addresses. This way, any crypto transactions carried out by the user get redirected to the hijacker’s address.
The malware has address substitutions for cryptocurrencies such as Bitcoin (BTC), Ether (ETH), Dash (DASH), Bitcoin Cash (BCH), Dogecoin (DOGE), Zcash (ZEC), Qtum, Litecoin (LTC), Bitcoin Gold (BTG) and Ripple (XRP).
According to reports, one wallet associated with this malware has already received 33 BTC, which, at the time of writing, is worth $257,202. However, it is not clear whether all of these funds have come from the Cryptohopper scam.
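The tasks that relaunch the two Qulab Trojans every minute are something a defender can hunt for. The following is an added example, not code from the report or the researcher: it assumes the tasks are Windows Task Scheduler entries exported as XML, and the task names and paths in the sample are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler task XML.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
MAX_INTERVAL_S = 60  # the article reports a relaunch every minute
_DUR = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")

def interval_seconds(text):
    """Convert a time-only ISO 8601 duration (PT1M, PT90S) to seconds; None if unparsable."""
    m = _DUR.match((text or "").strip())
    if not m or not any(m.groups()):
        return None
    h, mi, s = (int(g or 0) for g in m.groups())
    return h * 3600 + mi * 60 + s

def rapid_relaunch_tasks(exports):
    """Return (task name, interval in seconds, commands) for tasks repeating <= MAX_INTERVAL_S."""
    hits = []
    for name, xml_text in exports.items():
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            continue  # skip exports that are not well-formed XML
        found = root.findall("t:Triggers/*/t:Repetition/t:Interval", NS)
        secs = [interval_seconds(e.text) for e in found]
        secs = [s for s in secs if s is not None and s <= MAX_INTERVAL_S]
        if secs:
            cmds = [c.text for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
            hits.append((name, min(secs), cmds))
    return hits

def _task(interval, command):
    """Build a minimal task XML document (constructed sample, not a real export)."""
    return (f'<Task xmlns="{NS["t"]}"><Triggers><TimeTrigger>'
            f'<Repetition><Interval>{interval}</Interval></Repetition>'
            f'<StartBoundary>2019-06-05T00:00:00</StartBoundary></TimeTrigger></Triggers>'
            f'<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>')

# Constructed sample: hypothetical task names and paths.
SAMPLE_EXPORTS = {
    "ExampleUpdater": _task("PT1M", r"C:\Users\Public\example\helper.exe"),
    "ExampleBackup": _task("PT1H", r"C:\Program Files\Example\backup.exe"),
}

if __name__ == "__main__":
    for name, secs, cmds in rapid_relaunch_tasks(SAMPLE_EXPORTS):
        print(f"{name}: repeats every {secs}s -> {cmds}")
```

A one-minute repetition is not proof of infection on its own; treat each hit as a lead and review the command path it launches.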
Another Recent Malware Scam
Another scam was discovered in May. This was a YouTube cryptocurrency scam, in which victims were lured with the promise of a free Bitcoin generator. Once users ran the generator, their systems would be infected with a version of the Qulab Trojan. This malware would then try to steal information, especially information related to crypto addresses.