The Qulab Trojan is allegedly proliferating on YouTube through videos showcasing a free bitcoin (BTC) generator. The nefarious activity was recently reported by BleepingComputer.
Information from Frost
It was reported that Frost gave BleepingComputer information about the scam. According to the security researcher, the video sharing platform has been busy taking down the videos that were reported, but new accounts with the same modus operandi continue to appear.
The videos were said to explain a tool that allows users to generate bitcoin for free. A link in the video’s description would direct users to a download window for the tool, which is actually the Qulab Trojan. The Trojan, a clipboard hijacker and information stealer, must be installed before it can be deployed.
Once installed, Qulab begins stealing user information and also tries to steal crypto for its developer by watching for strings saved to the Windows clipboard. When it recognizes a string as a cryptocurrency address, it substitutes the attacker’s address in its place. When a user then pastes that string into a website field to specify where their funds should be sent, they unknowingly paste the attacker’s address and their funds are diverted.
It’s a feasible plan since the majority of users won’t remember their intended cryptocurrency address. It won’t even visibly register to most people if these long strings of characters have been changed.
A Fumko report confirmed that there’s a sizeable list of cryptocurrency addresses that Qulab can recognize. This includes addresses for bitcoin, bitcoin cash, ether, monero, litecoin and others.
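From the defender's side, the substitution described above can be caught in clipboard telemetry. The sketch below is an added example, not code from BleepingComputer or the researchers: it flags an address on the clipboard that is overwritten by a different address of the same coin from another process. The event feed, process names, time window and address strings are constructed assumptions, and the patterns check address shape only.

```python
import re

B58 = "[1-9A-HJ-NP-Za-km-z]"   # Base58 alphabet
B32 = "[02-9ac-hj-np-z]"       # Bech32 alphabet
# Address shapes only (assumption: no checksum validation).
PATTERNS = {
    "bitcoin": re.compile(rf"(?:[13]{B58}{{25,34}}|bc1{B32}{{11,71}})"),
    "litecoin": re.compile(rf"(?:[LM]{B58}{{25,34}}|ltc1{B32}{{11,71}})"),
    "ether": re.compile(r"0x[0-9a-fA-F]{40}"),
    "monero": re.compile(rf"[48]{B58}{{94}}"),
}
MAX_GAP = 5.0  # seconds; assumed window in which a rewrite counts as a swap

def classify(text):
    """Return the coin whose address shape matches the whole string, else None."""
    for coin, pattern in PATTERNS.items():
        if pattern.fullmatch(text.strip()):
            return coin
    return None

def find_swaps(events):
    """events: time-ordered (seconds, writer_process, clipboard_text) tuples.
    Flags an address overwritten by a different address of the same coin,
    written by another process within MAX_GAP seconds."""
    alerts, last = [], None
    for ts, writer, text in events:
        coin, text = classify(text), text.strip()
        if coin and last and coin == last[3] and text != last[2] \
                and writer != last[1] and ts - last[0] <= MAX_GAP:
            alerts.append({"coin": coin, "copied": last[2], "now": text, "writer": writer})
        last = (ts, writer, text, coin) if coin else None
    return alerts

# Constructed sample data: placeholder strings with address shapes, not real wallets.
USER_BTC, SWAP_BTC = "1" + "A" * 33, "1" + "B" * 33
USER_ETH, OTHER_ETH = "0x" + "ab" * 20, "0x" + "cd" * 20
EVENTS = [
    (0.0, "browser.exe", USER_BTC),
    (0.4, "free_tool.exe", SWAP_BTC),     # hypothetical process: flagged
    (30.0, "browser.exe", "meeting notes"),
    (60.0, "browser.exe", USER_ETH),
    (95.0, "browser.exe", OTHER_ETH),     # user copied a new address: not flagged
]

if __name__ == "__main__":
    for alert in find_swaps(EVENTS):
        print(alert)
```

The same comparison works at paste time: checking the full pasted string against the address the user intended, character for character, exposes the change that a glance at a long string misses.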