- Once the visitor opens the fake site, a malicious executable ‘Setup.exe’ gets automatically downloaded onto the system.
- The ‘Setup.exe’ uses the Cryptohopper logo as its icon to fool users and evade detection.
Cybercriminals have been found to have set up a fake Cryptohopper trading platform to distribute a variety of malware. The malicious payloads include information-stealing trojans, miners and clipboard hijackers.
How does it work?
Discovered by a malware researcher whose Twitter handle goes by the name of Fumik0_, the campaign is used to deliver a variant of Vidar trojan and two Qulab trojans.
Once the visitor opens the fake site, a malicious executable ‘Setup.exe’ gets automatically downloaded onto the system. This ‘Setup.exe’ uses the Cryptohopper logo as its icon to fool users and evade detection. However, it is actually a variant of Vidar information-stealing trojan, BleepingComputer reported.
About the payloads
When executed, the variant of Vidar trojan downloads the required libraries and then installs two Qulab trojans. While one Qulab trojan acts as a miner, the other acts as clipper or clipboard hijacker.
In order to gain persistence, scheduled tasks are created on the victim’s system that can enable attackers to launch clipper and miner executable every minute.
Capabilities of Vidar trojan variant
The executed Vidar trojan variant begins its malicious activities by collecting data from machine and compiling it under a random directory in the %ProgramData% folder. The data that are stolen by the Vidar variant includes browser cookies, browser history, saved login credentials, browser payment information, cryptocurrency wallets, text files and a screenshot of the desktop.
The collected data are then uploaded to a remote server controlled by the attackers.
Capabilities of Qulab trojans
The clipper-Qulab trojan is capable of copying cryptocurrency addresses. This happens when a user copies the address from the Windows clipboard and then pastes it in another application to transfer the cryptocurrency. The trojan is capable of affecting users that trade using Ethereum, Bitcoin, Bitcoin Cash, DOGE, Dash, Litecoin, Zcash, Ripple, QTUM and Bitcoin Gold.