As reported by Bleeping Computer on June 5th, a new website has been set up to spread this malware. It impersonates the Cryptohopper crypto trading site, a platform that lets users design models for automated crypto trading on many markets.
Whenever a victim visits the address hosting the malware, a setup.exe installer is immediately downloaded to their computer and begins releasing the malware. The Cryptohopper logo is also shown on the setup panel, in an effort to divert the blame to the legitimate page.
When the installation is complete, an information-stealing Trojan called Vidar is let loose, which then releases two Qulab Trojans: one acts as a miner while the other hijacks the clipboard. The miner and the clipboard hijacker are launched every minute to steal personal data.
As for the Vidar Trojan, it steals browser cookies, browser history, browser payment information, saved login credentials, and cryptocurrency wallets from the computer. Vidar consolidates the information and transfers it to a remote server, and is erased after a while.
The Qulab Trojan that handles clipboard hijacking watches for any string the user has copied to the clipboard that may be a crypto address and replaces it with its own address. In this way, any crypto-related transaction goes to the Trojan’s address instead of the victim’s wallet.
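
The substitution described above leaves a recognisable trace: an address-like clipboard value is replaced by a different address of the same type faster than a person could copy a second one. The sketch below is an added example, not code from the report; the event tuple format, the one-second threshold and the loose address patterns are assumptions, and the sample addresses are constructed.

```python
import re

# Loose format checks only (assumption: no checksum validation is attempted).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return 'btc' or 'eth' if text looks like an address, else None."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None

def find_swaps(events, max_gap=1.0):
    """Flag clipboard changes where one address-like string is replaced by a
    different one of the same kind within max_gap seconds.

    events: time-ordered (timestamp_seconds, clipboard_text) tuples, a
    hypothetical format for whatever clipboard telemetry is available.
    """
    alerts = []
    for (t0, old), (t1, new) in zip(events, events[1:]):
        kind = address_kind(old)
        if kind is None or address_kind(new) != kind:
            continue
        if new.strip() != old.strip() and (t1 - t0) <= max_gap:
            alerts.append({"time": t1, "kind": kind,
                           "copied": old.strip(), "replaced_with": new.strip()})
    return alerts

# Constructed sample data: none of these are real wallet addresses.
COPIED_ETH = "0x" + "a1" * 20
SWAPPED_ETH = "0x" + "b2" * 20
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (10.0, COPIED_ETH),       # user copies a destination address
    (10.3, SWAPPED_ETH),      # replaced 0.3 s later: flagged
    (60.0, "1" + "A" * 30),   # user copies a BTC-style address
    (95.0, "1" + "B" * 30),   # a different one 35 s later: not flagged
    (96.0, "hello"),
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The same comparison works as a manual habit: after pasting a destination address, check it against the source before confirming the transfer.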