A piece of cryptocurrency-targeting malware has been discovered by Twitter user and malware researcher Fumik0_, who reports that a newly created website is responsible for spreading it.
The website is a fake copy of the site for Cryptohopper, a service that lets users build tools for automated cryptocurrency trading. The fake site is the host from which the malware is delivered: when a user visits it, their browser automatically downloads an installer named setup.exe.
This downloaded file infects the computer once it is run. The impersonation goes further in order to look authentic: the installer's setup panel also displays the Cryptohopper logo to convince the user that it is genuine.
When the installer runs, it installs the Vidar information-stealing Trojan, which in turn installs two Qulab Trojans, one a cryptocurrency miner and the other a clipboard hijacker. From then on the data collection is continuous, with the clipper and miner being launched once every minute.
All of the user's data is then exposed to the Vidar information stealer, which collects browser history, browser cookies, browser payment information, saved login credentials and passwords, and cryptocurrency wallets.
This information is bundled at regular intervals and sent to a remote server, after which the local bundle is deleted. The Qulab clipboard hijacker can also divert cryptocurrency transactions initiated by the user to the attacker's address: as soon as it recognises that the user has copied a string that looks like a wallet address, it replaces the clipboard contents with one of its own addresses.
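The substitution step described above, as an added example that is not code from this page or from the Qulab sample: a small Python model of how a clipper decides that a clipboard string "looks like" a wallet address and swaps it, paired with the check a wallet user (by eye) or an endpoint tool (automatically) can apply, namely comparing the address that gets pasted against the one that was copied. The attacker addresses, the function names and the clipboard history are constructed for the example; the regular expressions are simplified address shapes, not full checksum validation, which is also roughly the level of care a real clipper takes.

```python
import re

# Simplified address shapes a clipper watches for. These are pattern checks only,
# not checksum validation; a real clipper is usually no stricter than this.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{25,62}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

# Hypothetical attacker-controlled addresses, constructed for this example.
ATTACKER_ADDRESSES = {
    "btc_legacy": "1AttackerSwapAddr" + "X" * 17,
    "btc_bech32": "bc1qattackerswapaddr" + "q" * 10,
    "eth": "0x" + "ba" * 20,
}


def classify_address(text):
    """Return the address family a clipboard string looks like, or None.

    Surrounding whitespace is ignored, because users often copy a trailing
    newline along with an address.
    """
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(s):
            return family
    return None


def clipper_substitute(clipboard_text):
    """Model of one tick of the clipper: swap a recognised address for the attacker's.

    Returns (new_clipboard_text, swapped). Anything that is not an address is
    left untouched so the victim notices nothing unusual.
    """
    family = classify_address(clipboard_text)
    if family is None:
        return clipboard_text, False
    replacement = ATTACKER_ADDRESSES[family]
    if clipboard_text.strip() == replacement:
        return clipboard_text, False  # already swapped on an earlier tick
    return replacement, True


def verify_paste(copied, pasted):
    """Defensive check: the address pasted into the wallet must equal the one copied."""
    return copied.strip() == pasted.strip()


# Constructed clipboard history: three addresses, one with stray whitespace,
# plus two strings that must be left alone.
SAMPLE_CLIPBOARD = [
    "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
    "meeting notes for Tuesday",
    "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq",
    "  0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe\n",
    "10BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN",  # '0' is not base58, so not an address
]


def simulate(clipboard_events):
    """Run each copied string through the clipper model, then the defensive check.

    Returns a list of (copied, pasted, swapped, verified) tuples.
    """
    results = []
    for copied in clipboard_events:
        pasted, swapped = clipper_substitute(copied)
        results.append((copied, pasted, swapped, verify_paste(copied, pasted)))
    return results


if __name__ == "__main__":
    for copied, pasted, swapped, ok in simulate(SAMPLE_CLIPBOARD):
        status = "SWAPPED" if swapped else "untouched"
        print(f"{status:9} verify={'pass' if ok else 'FAIL'}  "
              f"{copied.strip()!r} -> {pasted.strip()!r}")
```

The point of `verify_paste` is that the swap is invisible at copy time and only detectable at paste time: the copied string and the pasted string are both "valid-looking" addresses, so the only reliable defence is to compare them before confirming the transaction.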
Such malware attacks have been on the rise for some time, and they undermine the positive image the industry is trying to build around cryptocurrency. Making scams of this kind easier to detect and take down is in everyone's interest.