YouTube Cryptocurrency Videos are Used by Attackers to Inject Trojan Into System

A new scam campaign is using YouTube videos to introduce cryptocurrency generating tool which claims to generate free bitcoins for the users. Whereas in actual it is a Trojan to steal information and fetch clipboard data.

Frost, a security research tracked this campaign for almost 15 days. According to him, YouTube keeps removing those user and delete their videos but scammers make another account and upload their videos again.

The main purpose of these videos to promote a free tool which claims to generate bitcoins.

Apparently, a link in the description of the video was given to download the tool but in reality it was a Trojan.

By clicking that link, users are directed to a page consisting of a Setup.exe file. By downloading, and running the file, Qulab Trojan is injected into the system.

YouTube scam pushing the payload is basically a Trojan for stealing information and taking over the clipboard data.

By performing it, Trojan will be copied to system directory from where it will launch on its own.

As per Fumko, Qulab steals browsing history, browser IDs that are saved, cookies and the credentials saved in FileZilla, Discord, and Steam credentials. A code in Trojan is also capable of stealing different formats of files including .txt, .maFile, and .wallet files saved on the system.

The clipboard hijacking by Qulab keep checking the clipboard of the computer and when the required data is spotted, it is replaced with data of hackers’ choice.

Qulab is in search of cryptocurrency addresses, and as soon as it is copied in Clipboard, the attacker will replace it with the address he wants to.

It is hard to remember the cryptocurrency addresses, therefore users are unable to detect the changes brought in by the attackers by hijacking the Clipboard and they insert the changed address into the website.

As per the analysis of Fumko, the following Cryptocurrency addresses are supported by Qulab:

A telegram, which looks something like this, is sent by Trojan to the attacker when the stolen data is compiled.

In case, Trojan has affected your system, it is highly recommended to change the passwords of all financial accounts and the websites you visited. Create strong passwords which are hard to guess with the help of a password manager to keep yourself secure.

Hat Tip: Bleepingcomputer.

Read next: 8 Ways to Protect Yourself When Surfing the Web on a Mac
Previous Post Next Post