YouTube videos promoting ‘bitcoin generator’ tool drops Qulab malware

• Qulab is an info-stealer malware that attempts to steal the browser history, saved browser credentials, browser cookies, saved credentials in FileZilla, Discord credentials, and Steam credentials.
• It is also a clipboard hijacking trojan that monitors the Windows clipboard for cryptocurrency addresses that have been copied into the Clipboard and changes it with a different address that is controlled by the attacker.

A security researcher who goes under the name Frost has observed a malspam campaign that promotes bitcoin generator tool on YouTube. This campaign drops the info-stealing and clipboard hijacking Trojan ‘Qulab’.

How does this campaign work?

• Attackers will upload a series of videos promoting the ‘bitcoin generator’ tool on YouTube.
• The videos include the link to download the tool in its description.
• Upon clicking the download link, viewers will be redirected to a page offering Setup.exe file.
• Once viewers download and run the Setup.exe file, Qulab trojan will be dropped to their machines.
• Once executed, the Qulab trojan will copy itself to %AppData%\amd64_microsoft-windows-netio-infrastructure\msaudite.module.exe and launch itself from that location.

Qulab trojan

Qulab is an info-stealer malware that attempts to steal the browser history, saved browser credentials, browser cookies, saved credentials in FileZilla, Discord credentials, and Steam credentials. The Trojan also steals .txt, .maFile, and .wallet files from a computer.

It is also a clipboard hijacking trojan that monitors the Windows clipboard for certain data, and when detected, changes it with different data. In this campaign, Qulab scans for cryptocurrency addresses that have been copied into the Clipboard and changes it with a different address that is controlled by the attacker. The stolen data is then sent to the attackers via Telegram.