A security researcher who goes by the name Frost has observed a malspam campaign that promotes a bitcoin generator tool on YouTube. This campaign drops the info-stealing and clipboard-hijacking Trojan 'Qulab'.
How does this campaign work?
Qulab is info-stealer malware that attempts to steal browser history, saved browser credentials, browser cookies, saved FileZilla credentials, Discord credentials, and Steam credentials. The Trojan also steals .txt, .maFile, and .wallet files from the infected computer.
It is also a clipboard-hijacking Trojan that monitors the Windows clipboard for certain kinds of data and, when it finds them, replaces them with different data. In this campaign, Qulab watches for cryptocurrency addresses copied into the clipboard and swaps each one for a different address controlled by the attacker, so a victim who pastes the address into a payment sends funds to the attacker. The stolen data is then sent to the attackers via Telegram.
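The clipboard swap described above leaves a recognisable trace: one cryptocurrency address is replaced by another of the same family within a fraction of a second, far faster than a user can copy something new. The following Python is an added example written for this page, not code from the article or from the researcher, and not Qulab's own logic. It assumes an endpoint agent has already collected a time-ordered list of clipboard snapshots (the collection itself is not shown), and its address patterns are format-only checks that do not validate checksums. The sample snapshots are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Format-only patterns for common address families (constructed for this example;
# they check shape, not checksums, so treat a match as "looks like an address").
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family a clipboard string looks like, or None."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


@dataclass
class SwapAlert:
    at: float          # timestamp of the snapshot holding the replacement
    family: str        # address family that was swapped
    original: str      # what the user copied
    replacement: str   # what the clipboard held shortly afterwards
    delta_s: float     # seconds between the two snapshots


def detect_clipboard_swaps(
    snapshots: List[Tuple[float, str]], max_delta_s: float = 1.0
) -> List[SwapAlert]:
    """Flag address-for-address replacements that happen too fast to be the user.

    snapshots: (timestamp_seconds, clipboard_text) pairs in time order, as an
    endpoint agent polling the clipboard would record them (assumed, not shown).
    """
    alerts: List[SwapAlert] = []
    for (t0, old), (t1, new) in zip(snapshots, snapshots[1:]):
        fam_old, fam_new = classify_address(old), classify_address(new)
        # Only an address replaced by a different address of the same family counts.
        if fam_old is None or fam_old != fam_new:
            continue
        if old.strip() == new.strip():
            continue  # same value re-copied: benign
        if (t1 - t0) <= max_delta_s:
            alerts.append(SwapAlert(t1, fam_old, old.strip(), new.strip(), t1 - t0))
    return alerts


# Constructed sample clipboard history (addresses are placeholders, not real wallets).
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes for monday"),
    (5.0, "1Constructed1111111111111111111111"),   # user copies their own address
    (5.2, "1Attacker1111111111111111111111111"),   # replaced 200 ms later: hijack pattern
    (30.0, "bc1qqpzry9x8gf2tvdw0s3jn54khce6mua7l"),
    (31.0, "bc1qqpzry9x8gf2tvdw0s3jn54khce6mua7l"),  # same value again: benign
    (60.0, "0x" + "ab" * 20),
    (75.0, "0x" + "cd" * 20),                        # new address 15 s later: plausibly the user
]


if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{alert.at:.1f}s] {alert.family}: {alert.original} -> "
              f"{alert.replacement} ({alert.delta_s * 1000:.0f} ms)")
```

Run as-is, the only alert is the legacy-bitcoin swap at 5.2 s; the re-copied bech32 address and the Ethereum change fifteen seconds later are left alone. The one-second window is a tunable assumption: widen it and you catch slower hijackers at the cost of more false positives from users who genuinely copy two addresses in quick succession, which is why an alert like this is best confirmed by checking which process wrote to the clipboard.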