Scammers Clone Cryptohopper Site to Seed Bitcoin Malware
With the growing ubiquity of bitcoin and other digital assets, bad actors are now working round the clock, trying to formulate near fail-proof ways of stealing the virtual currencies of unsuspecting victims. Now, these “cryptothieves” have cloned the Cryptohopper bitcoin trading platform in a bid to plant various crypto-stealing malware, reports Bleeping Computer on June 5, 2019.
According to the Bleeping Computer report, cybercriminals have built a clone of Cryptohopper, an automated cloud-based bitcoin trading bot, in a bid to propagate several malware payloads onto their victims’ systems, including information-stealing Trojans, clipboard hijackers, and stealthy miners.
Reportedly, the malware was discovered by cybersecurity researcher Fumik0, and once a victim visits the fake platform, a Setup.exe executable file is automatically installed on the victim’s computer.
To make the download look legitimate, the Setup.exe executable uses the Cryptohopper logo as its icon, whereas in reality it houses the Vidar information-stealing Trojan.
Per the researcher’s report, when Vidar is executed it downloads further libraries and also installs two Qulab trojans. One of the trojans functions as a cryptocurrency miner and the other acts as a clipboard hijacker.
The Trojans are designed to create a scheduled task that launches the clipper and miner executables every minute.
After successfully setting itself up and creating the scheduled task, the Vidar trojan starts stealing important data from the host computer, including browser cookies, browser history, saved login details, cryptocurrency wallet addresses, Authy 2FA authenticator databases, and more.
The stolen information will then be compiled under a randomly named directory in the %ProgramData% folder and sent to a remote server controlled by the attackers.
Once the stolen information is sent to the hackers, the collection of files is removed from the victim’s computer, leaving behind a “directory full of empty folders.”
The Qulab trojan, which is also downloaded and installed by Vidar, focuses on hijacking the clipboard of the infected computer.
Qulab watches for copied cryptocurrency wallet addresses and replaces them with the hackers’ own address in order to redirect the funds to their wallet.
Since cryptocurrency addresses are long and almost impossible to remember, several bitcoin and altcoin holders have fallen victim to the Qulab attack.
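A clipper of the kind described above swaps the address on the clipboard in the short moment between the user’s copy and paste, so a defensive check is to watch the clipboard for one valid wallet address being replaced by a different address-shaped string within a couple of seconds. The following is an added example of such a detection heuristic, not code from the article or from the researchers; the clipboard timeline and the roles assigned to the addresses are constructed sample data, and the two-second window is an assumed threshold.

```python
import hashlib
import re

# Added example: heuristic detection of clipboard address swapping.
# The snapshot timeline and address roles below are constructed, not
# indicators from the article.

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_SHAPE = re.compile(r"[13][%s]{25,34}" % B58)


def is_valid_btc_legacy(addr: str) -> bool:
    """Base58Check validation for legacy (P2PKH/P2SH) Bitcoin addresses."""
    if not ADDR_SHAPE.fullmatch(addr):
        return False
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # 1 version byte + 20 hash + 4 checksum
    except OverflowError:
        return False
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return raw[21:] == check


def detect_address_swaps(snapshots, window_s=2.0):
    """snapshots: ordered (seconds, clipboard_text) pairs from a clipboard
    monitor. Flags a genuine (checksum-valid) address being replaced by a
    different address-shaped string within window_s seconds, which is the
    signature of a clipper rather than of a user copying a new address."""
    alerts = []
    prev_t, prev_text = None, None
    for t, text in snapshots:
        if (prev_text is not None and text != prev_text
                and is_valid_btc_legacy(prev_text)
                and ADDR_SHAPE.fullmatch(text)
                and t - prev_t <= window_s):
            alerts.append((prev_text, text))
        prev_t, prev_text = t, text
    return alerts


# Constructed timeline: the genesis-block address stands in for the user's
# own address; the second address plays the attacker-controlled replacement.
SAMPLE_CLIPBOARD = [
    (0.0, "meeting notes"),
    (5.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),   # user copies an address
    (5.3, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),   # silently replaced
    (40.0, "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),  # later, benign new copy
]

if __name__ == "__main__":
    for original, replacement in detect_address_swaps(SAMPLE_CLIPBOARD):
        print(f"possible clipper: {original} -> {replacement}")
```

The same comparison is what a user does manually when they re-read the pasted address against the one they intended to send to; the checksum step only rules out false alarms on strings that merely look like addresses.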
Sadly, the researchers have revealed that the hackers have succeeded in stealing more than 32 BTC (over $253k), as well as significant amounts of altcoins like XRP, litecoin, and others, through this means.
In related news, on June 2, 2019, BTCManager reported that researchers had discovered a new malware family called BlackSquid, which attacks web servers, network drives, and removable drives in a bid to mine monero (XMR).