According to a recent report published by BleepingComputer, the Qulab information-stealing and clipboard-hijacking trojan is being spread on YouTube via scam videos about an allegedly free Bitcoin [BTC] generator.
According to the report, a security researcher named ‘Frost’ contacted BleepingComputer about this trojan scam, adding that YouTube would take down the illicit videos once reported, but new accounts and videos would then pop up with the same MO.
The videos reportedly describe a tool that lets users earn free Bitcoin, with a link in the video description. The link leads to a download for the alleged tool, which is in fact the Qulab trojan. Once downloaded, the trojan still needs to be installed before it is deployed.
In addition to attempting to steal users’ information, the Qulab trojan also reportedly attempts to steal cryptocurrency for the bad actor by scanning the Windows clipboard for strings that the program recognizes as cryptocurrency addresses, and then swapping in the attacker’s address instead.
If a user then pastes that string into a website field to specify where their funds should be sent, they paste in the attacker’s address instead, which redirects the funds there.
The warning indicates that this is often a viable strategy, since users are reportedly unlikely to remember or visually notice that their intended cryptocurrency address, a long string of characters, has been swapped out for a different one.
According to a report by Fumko, there is a long list of cryptocurrency address types the trojan can recognize, including ones for Bitcoin [BTC], Bitcoin Cash [BCH], Cardano [ADA], Ethereum [ETH], Litecoin [LTC] and Monero [XMR], among others.
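As a defensive counterpart to the clipboard swap described above, the following added example (not code from the report or from any wallet) compares the address a user copied with the one that arrived in the destination field and flags a same-coin substitution. The function names, the format-only patterns for two of the listed coins, and the sample addresses are assumptions constructed for illustration.

```python
import re

# Format-only patterns (no checksum validation); an assumption of this example.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the coin whose address format `text` matches, else None."""
    candidate = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None

def normalise(text):
    """Return (coin, comparable form). ETH hex is case-insensitive; base58 is not."""
    candidate = text.strip()
    coin = classify(candidate)
    return coin, (candidate.lower() if coin == "ETH" else candidate)

def check_paste(copied, pasted):
    """Compare what was copied with what ended up in the destination field."""
    coin_c, value_c = normalise(copied)
    coin_p, value_p = normalise(pasted)
    if value_c == value_p:
        return "ok"
    if coin_c is not None and coin_c == coin_p:
        # Same coin format, different value: the substitution the article describes.
        return "address-swapped"
    return "changed"

# Constructed sample values: they match the formats but are not real addresses.
BTC_A = "1" + "a" * 33
BTC_B = "1" + "b" * 33
ETH_A = "0x" + "ab" * 20

if __name__ == "__main__":
    for copied, pasted in [(BTC_A, BTC_A), (BTC_A, BTC_B), (ETH_A, ETH_A.replace("ab", "AB"))]:
        print(f"{copied[:10]}... -> {pasted[:10]}... : {check_paste(copied, pasted)}")
```
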
As reported earlier, YouTube supposedly advertised malware disguised as an advertisement for the Bitcoin wallet ‘Electrum’ earlier in March. A Reddit user named ‘mrsxeplatypus’ described this as a scam based on URL hijacking:
“The malicious advertisement is disguised to look like a real Electrum advertisement […] It even tells you to go to the genuine link [electrum.org] within the video, but after you click on the advertisement it directly starts downloading the malicious EXE file. As you’ll be able to see in the image, the URL it sent me to is elecktrum.org, not electrum.org.”