A malware researcher has reportedly discovered that a new cryptocurrency website was designed to spread a crypto virus.
According to a Bleeping Computer report, virus researcher Fumik0_ found that the host for this malware is a clone of the Cryptohopper website. The original site is where crypto users can design and program tools that perform crypto trading.
Cloned Cryptohopper Site
When a user visits the cloned Cryptohopper site, the site allegedly downloads a setup.exe installer automatically. Once it runs, the installer will infect the device. The scam is so well done that it even displays the Cryptohopper logo in the setup panel in a bid to keep users unaware that they are being tricked.
The report states that running the program will install the Vidar Trojan, which steals information. It also sets up a pair of Qulab Trojans for clipboard and mining hijacking. The malware is then run once every 60 seconds so that it collects data continuously.
The Vidar Trojan will try to scrape user information such as browser history and cookies, login credentials, crypto wallets, and payment information. The accumulated data is compiled periodically and sent to a remote server. The data is then deleted.
Meanwhile, the Qulab Trojan will try to substitute its own preset addresses into the clipboard when it discovers that a user has copied or saved a string that's similar to a wallet address. This lets crypto transactions started by the user be switched to the scammer's address instead.
The clipboard hijacker has substitute addresses for bitcoin (BTC), bitcoin cash (BCH), bitcoin gold (BTG), dash (DASH), dogecoin (DOGE), ether (ETH), litecoin (LTC), xrp, qtum, and zcash (ZEC).
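The clipboard substitution described above can be caught on the defender's side by watching for one wallet address being replaced by a different address of the same coin within a very short time. The Python below is an added example, not code from the report or the researcher; the address patterns are approximate and cover only bitcoin and ether, the 2-second window is an assumed threshold, and the clipboard history is constructed sample data.

```python
import re

# Approximate address shapes (assumption: only BTC and ETH are covered here).
ADDRESS_SHAPES = {
    "BTC": re.compile(
        r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def coin_of(text):
    """Return the coin whose address shape the clipboard text matches, or None."""
    value = text.strip()
    for coin, shape in ADDRESS_SHAPES.items():
        if shape.match(value):
            return coin
    return None


def find_swaps(events, window_seconds=2.0):
    """Flag address -> different address (same coin) changes inside the window.

    events: list of (timestamp_seconds, clipboard_text), oldest first.
    A person rarely copies two different addresses of the same coin within
    a second or two; an automated replacement does exactly that.
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        coin = coin_of(prev)
        if coin is None or coin != coin_of(cur):
            continue
        if prev.strip() != cur.strip() and (t_cur - t_prev) <= window_seconds:
            alerts.append({"coin": coin, "time": t_cur,
                           "copied": prev.strip(), "replaced_with": cur.strip()})
    return alerts


# Constructed sample clipboard history (addresses are made-up placeholders).
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (10.0, "0x" + "a1" * 20),   # user copies an ETH-shaped address
    (10.4, "0x" + "b2" * 20),   # replaced 0.4 s later: suspicious
    (60.0, "1" + "A" * 30),     # user copies a BTC-shaped string
    (300.0, "1" + "B" * 30),    # different address minutes later: normal
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```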