A new trojan – specifically built by Qulab to steal data and hijack clipboards – was found in numerous fraudulent, crypto-related YouTube videos that scam investors into downloading a free bitcoin (BTC) generating tool.
As reported by BleepingComputer on May 29th, security researcher Frost was the first to come across this type of trojan, and stated that despite YouTube's ongoing effort to remove the scam videos, new accounts and content carrying the trojan keep surfacing.
The fraudulent videos reportedly promoted a program that gave gullible victims false hope of acquiring free Bitcoin, with a link in the description to a download site that contains the Qulab trojan. Once the download is installed on a victim's computer, Qulab starts its job and infects the machine.
Aside from illegally acquiring users’ personal information from the browser, the Qulab trojan also attempts to steal cryptocurrency. Because crypto addresses are long strings of characters, users tend to copy them to the Windows clipboard. Qulab scans the clipboard for addresses and replaces them with wallets in the possession of the scammers, so when the victims paste the strings into the browser to conduct transactions, they unknowingly send their assets to the bad guys’ accounts instead.
Frost commented that this particular method proved to be effective, as few users actually manage to remember their long crypto addresses and thus pay no mind to the fact that the address they are using is a fake one.
As stated by Fumko, the Qulab trojan is able to identify numerous crypto addresses of major coins, such as bitcoin, bitcoin cash, cardano, ether, litecoin, monero, and more.
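The clipboard substitution described above can be caught by checking whether an address-shaped clipboard value is replaced, moments later, by a different address of the same coin. The following is an added example, not code from the researchers or the article; the address patterns are simplified shape checks, and the polled snapshot format and the two-second window are assumptions.

```python
import re

# Simplified address shapes for three of the coins named above (assumed patterns,
# shape only: no checksum validation).
PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"),
    "ether": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(r"^[LM][1-9A-HJ-NP-Za-km-z]{26,33}$"),
}

def classify(text):
    """Return the coin whose address shape the clipboard text matches, else None."""
    candidate = text.strip()
    for coin, pattern in PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None

def find_swaps(snapshots, window=2.0):
    """Flag an address replaced by a different same-coin address within `window` seconds.

    snapshots: (seconds, clipboard_text) pairs in time order (hypothetical format).
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        coin = classify(prev)
        same_coin = coin is not None and classify(cur) == coin
        if same_coin and prev.strip() != cur.strip() and t_cur - t_prev <= window:
            alerts.append((t_cur, coin, prev.strip(), cur.strip()))
    return alerts

# Constructed sample data: placeholder strings with the right shape, not real wallets.
COPIED = "1" + "V" * 33    # what the user copied
SWAPPED = "1" + "Q" * 33   # what appeared on the clipboard 0.3 s later
SAMPLE = [
    (0.0, "meeting notes"),
    (10.0, COPIED),
    (10.3, SWAPPED),            # same coin, different address, inside the window
    (60.0, "0x" + "ab" * 20),
    (300.0, "0x" + "cd" * 20),  # minutes apart: treated as an ordinary second copy
]

if __name__ == "__main__":
    for t, coin, old, new in find_swaps(SAMPLE):
        print(f"{t:.1f}s: {coin} address {old[:8]}... replaced by {new[:8]}...")
```

The time window is a heuristic: a user can legitimately copy two addresses in quick succession, so an alert is a prompt to compare the pasted address with the intended one before sending.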