Never underestimate the persistence of a cyber criminal in pursuit of a target. If one avenue is blocked, the crook is fully capable of reshaping the deception into something even harder to detect before launching a second attack. A little over a week ago, we reported that a slick YouTube video was promising a free “Bitcoin Generator”, but the software it pointed to actually contained the Qulab Trojan. It appears that the crook has “tripled down”: a convincing “clone” of a legitimate website now delivers one Vidar and two Qulab Trojans in a single installer.
Be extra wary if you make a habit of visiting the Cryptohopper website, “a website where users can program tools to perform automatic cryptocurrency trading”. As reported elsewhere: “When the scam site is visited, it reportedly automatically downloads a setup.exe installer, which will infect the computer once it runs. The setup panel will also display the logo of Cryptohopper in another attempt to trick the user. Running the installer is said to install the Vidar information-stealing Trojan, which further installs two Qulab Trojans for mining and clipboard hijacking.”
For the second time in as many weeks, Bleeping Computer has broadcast a crypto fraud alert, both times involving the Qulab malware. On this occasion, a malware researcher who goes by “Fumik0_” on Twitter deserves the credit for uncovering the “clone” website doing its dirty deeds. The insidious nature of these Trojans is that you may never know they are on your computer or hand-held device. The malware operates silently, gathering credentials and other data, then connects on its own to its command-and-control server to upload what it has collected. It also searches the disk for logins and passwords to financial accounts for later use.
The three pieces of malware working in tandem will scrape just about anything of value on your device, and will also use your processor to mine cryptocurrency for the attacker while you are sleeping. As we reported, the malware is capable of much more: “To start with, it can steal browser credentials, crypto wallet files, and clipboard information. Per one expert: The software first attempts to steal all sorts of data from the user’s browser. This includes history, saved credentials, cookies, and various social media credentials. On top of this, the Trojan can also steal .txt, .maFile, and .wallet files from a computer.”
The malware will also attempt to substitute its own crypto wallet address whenever you make a payment or transfer. It watches the clipboard, recognizes when the text you copied looks like a wallet address, and silently replaces it with the attacker’s address, so the address you paste into the payment form is not the one you copied. Although this campaign may not account for all of it, the Bitcoin address used to receive the diverted payments has already accumulated 33 BTC, over $250,000 at today’s valuation. If you attempt a payment or make a transfer and “1FFRitFm5rP5oY5aeTeDikpQiWRz278L45” shows up as the destination address, cancel the transaction if at all possible. As a habit, compare the full pasted address (at minimum the first and last several characters) against the address you intended to use before confirming any transfer.
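To make the clipboard-hijacking mechanism concrete, here is an added Python example, not code from the original article and not Qulab’s own code. It simulates what a “clipper” does (match anything in the clipboard that looks like a legacy Bitcoin address and swap in the attacker’s payout address), and then shows the check a careful user or wallet front end can apply before confirming a transfer: compare the pasted address with the intended one, flag the known payout address from this report, and verify the Base58Check checksum so a garbled or truncated address is rejected. The clipboard contents and the intended address are constructed inline; the function names are this example’s own.

```python
import hashlib
import re

# Base58 alphabet used by legacy (P2PKH / P2SH) Bitcoin addresses.
_B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Loose pattern for a legacy address: starts with 1 or 3, no 0/O/I/l,
# 26-35 characters total. Clippers use something like this to spot targets.
BTC_ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

# Payout address named in the report above.
KNOWN_CLIPPER_ADDRESS = "1FFRitFm5rP5oY5aeTeDikpQiWRz278L45"


def b58decode(text: str) -> bytes:
    """Decode a Base58 string to bytes, preserving leading zero bytes ('1')."""
    value = 0
    for ch in text:
        digit = _B58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"invalid Base58 character: {ch!r}")
        value = value * 58 + digit
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_legacy_btc_address(text: str) -> bool:
    """True if text is a well-formed Base58Check legacy address (version + hash160 + checksum)."""
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return checksum == expected


def simulate_clipper(clipboard_text: str, attacker_address: str = KNOWN_CLIPPER_ADDRESS) -> str:
    """Simulation of the hijack: every address-looking token is replaced with the attacker's."""
    return BTC_ADDRESS_RE.sub(attacker_address, clipboard_text)


def check_paste(intended: str, pasted: str, known_bad=frozenset({KNOWN_CLIPPER_ADDRESS})) -> list:
    """Return a list of findings for the address about to be sent; empty means it looks untouched."""
    findings = []
    if pasted != intended:
        findings.append("address changed between copy and paste")
    if pasted in known_bad:
        findings.append("destination is a known clipper payout address")
    if not is_valid_legacy_btc_address(pasted):
        findings.append("destination is not a valid legacy Bitcoin address")
    return findings


if __name__ == "__main__":
    # Constructed scenario: the user copies the Bitcoin genesis coinbase address
    # (a well-known, valid address) and an infected machine rewrites the clipboard.
    intended = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    pasted = simulate_clipper(intended)
    print("intended:", intended)
    print("pasted:  ", pasted)
    for finding in check_paste(intended, pasted):
        print("WARNING:", finding)
```

In a real wallet front end the `intended` value would come from the invoice or the recipient’s out-of-band confirmation, not from the clipboard itself; the point of the check is that the clipboard is exactly the thing you can no longer trust once a clipper is running.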
Cyber criminals are getting craftier these days, especially where cryptocurrencies are involved. Do your best to stay away from mysterious websites that make outrageous claims, and if you visit Cryptohopper, make doubly sure that you are dealing with the real site, reached by its correct address, and not a cleverly disguised “clone”.