According to the report, the malware is distributed from a website that imitates the site of Cryptohopper, a platform where users can program tools to perform automated cryptocurrency trading.
When the scam site is visited, it reportedly downloads a setup.exe installer automatically, which infects the computer once it runs. The installer's setup window also displays the Cryptohopper logo, a further attempt to convince the user it is legitimate.
Running the installer is said to install the Vidar information-stealing trojan, which in turn installs two Qulab trojans, one for mining and one for clipboard hijacking. The clipper and miner are then relaunched once every minute so that they continuously collect data.
The Vidar information-stealing trojan itself will attempt to scrape user data such as browser cookies, browser history, browser payment information, saved login credentials, and cryptocurrency wallets. The information is periodically compiled and sent to a remote server, after which the compilation is deleted.
The Qulab clipboard hijacker attempts to substitute its own addresses in the clipboard when it recognizes that a user has copied a string that looks like a wallet address. This allows cryptocurrency transactions initiated by the user to be redirected to the attacker’s address instead.
This hijacker has substitution addresses available for ether (ETH), bitcoin (BTC), bitcoin cash (BCH), dogecoin (DOGE), dash (DASH), litecoin (LTC), zcash (ZEC), bitcoin gold (BTG), XRP, and Qtum (QTUM).
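The defensive counterpart of the behaviour just described, as an added example that is not code from the report or from any of the tools it names: a clipboard guard that remembers what the user genuinely copied and, before a paste, flags a clipboard value that has been replaced by a different address of the same coin. The per-coin address patterns are constructed, shape-only checks (prefix, character set, length) for the coins listed above, not checksum validation.

```python
import re
from typing import Optional

# Simplified shape-only patterns (prefix, charset, length; no checksum) for the
# coins the clipper targets. Constructed for this example, not from the report.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
ADDRESS_PATTERNS = {
    "BTC":  re.compile(rf"^([13]{B58}{{25,34}}|bc1[ac-hj-np-z02-9]{{38,58}})$"),
    "BCH":  re.compile(r"^(bitcoincash:)?[qp][ac-hj-np-z02-9]{41}$"),
    "ETH":  re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC":  re.compile(rf"^([LM]{B58}{{26,33}}|ltc1[ac-hj-np-z02-9]{{38,58}})$"),
    "DOGE": re.compile(rf"^D[5-9A-HJ-NP-U]{B58}{{32}}$"),
    "DASH": re.compile(rf"^X{B58}{{33}}$"),
    "ZEC":  re.compile(rf"^t[13]{B58}{{33}}$"),
    "BTG":  re.compile(rf"^[AG]{B58}{{33}}$"),
    "XRP":  re.compile(rf"^r{B58}{{24,34}}$"),
    "QTUM": re.compile(rf"^Q{B58}{{33}}$"),  # 'M' P2SH prefix omitted: it collides with LTC
}

def classify_address(text: str) -> Optional[str]:
    """Return the ticker whose address shape `text` matches (first match wins), else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None

class ClipboardGuard:
    """Records what the user really copied; a clipper swap shows up as a same-coin, different-address clipboard value with no new copy in between."""

    def __init__(self) -> None:
        self.expected: Optional[str] = None

    def on_user_copy(self, text: str) -> None:
        # Hook this to the genuine copy action (e.g. a wallet app's "copy address" button).
        self.expected = text.strip()

    def check_before_paste(self, clipboard_now: str) -> Optional[str]:
        """Return an alert string if the clipboard was swapped for another address of the same coin."""
        if self.expected is None:
            return None
        current = clipboard_now.strip()
        if current == self.expected:
            return None
        coin = classify_address(self.expected)
        if coin is not None and classify_address(current) == coin:
            return f"{coin} address swapped: copied {self.expected}, clipboard now {current}"
        return None  # changed to something that is not a same-coin address: not a clipper swap
```

A real deployment would call `on_user_copy` from the clipboard-update notification that accompanies the user's own copy and `check_before_paste` just before the wallet or exchange form submits the pasted address.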
One wallet reportedly associated with the clipper has received 33 BTC, or $258,335 at press time, via the substitution address ‘1FFRitFm5rP5oY5aeTeDikpQiWRz278L45,’ although this may not all have come from the Cryptohopper scam.
As previously reported, a YouTube-based crypto scam campaign was discovered in May, luring in victims with the promise of a free BTC generator. After users ran the alleged BTC generator, which was automatically downloaded by visiting the associated website, they would be infected with a Qulab trojan. Then, the Qulab trojan would attempt to steal user information and run a clipboard hijacker for crypto addresses.