Fraudsters have cloned the website of trading bot maker Cryptohopper to distribute malware to visitors’ computers, Bleeping Computer reported on June 5.
The fake website was first discovered by malware researcher Fumik0_, who found that it was dropping an information-stealing Trojan, a cryptocurrency miner, and a clipboard hijacker onto visitors' machines.
Vidar behind a fake CryptoCurrency trading software with a fancy website (4962c0afb925d23013f6c80433f0a453), pushing also two Qulab Variants (Clipper only & Miner variant). An example among other about the aggressive focus on Cryptocurrencies these days. pic.twitter.com/TFrzabHHHa
— Fumik0_ (@fumik0_) June 5, 2019
Classic and sophisticated
When someone visits the scam website, it automatically downloads an executable file to the visitor's computer; once the victim runs it, the installer infects the machine with the malware. The installation prompt even shows the Cryptohopper logo to make it look legitimate.
Per the report, the installer deploys a Trojan called Vidar. This steals information from the computer, including browser cookies, browser history, browser payment information, saved login credentials, cryptocurrency wallets, text files, browser form autofill data, and Authy 2FA authenticator databases.
It also installs two Qulab Trojans, one for mining and one for clipboard hijacking. Both are configured to run every minute.
All the collected information is uploaded to a remote server, from which the attackers retrieve it.
Once the data has been uploaded, the malware deletes its local copies, leaving behind only a directory of empty folders on the victim's computer.
To steal cryptocurrency directly, the clipboard hijacker watches the clipboard for anything that looks like a wallet address; when the victim copies one, it silently replaces it with an address controlled by the attackers, so that a subsequent paste sends the funds to the wrong recipient.
The report lists the attacker addresses substituted into the victim's clipboard, which cover Bitcoin, Ethereum, Bitcoin Cash, DOGE, Dash, Litecoin, Zcash, Bitcoin Gold, QTUM, and Ripple.
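The following Python is an added illustration, not code from the report or from the malware itself: it models the clipper's decision logic (substitute only when the clipboard holds something shaped like a wallet address, so ordinary text is left untouched and the victim notices nothing) and the corresponding check a wallet or sending UI can apply before a transaction. The regexes are simplified shape checks for a few of the coin families named above, and every address in it is a constructed placeholder, not one of the addresses recorded in the report.

```python
import re

# Simplified address-shape patterns for some of the coin families named in the
# report. Constructed for illustration: they check prefix, length and alphabet
# only, not checksums, which is also all a clipper needs to pick its target.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[ac-hj-np-z02-9]{11,71})$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}$"),
    "XRP": re.compile(r"^r[a-km-zA-HJ-NP-Z1-9]{24,34}$"),
}

# Attacker-controlled replacement addresses, one per coin family. These are
# constructed placeholders built to satisfy the patterns above; they are NOT
# the addresses listed in the report.
ATTACKER_ADDRESSES = {
    "BTC": "1AttackerBTC" + "x" * 22,
    "ETH": "0x" + "a" * 40,
    "LTC": "LAttackerLTC" + "x" * 22,
    "DOGE": "DA" + "x" * 32,
    "XRP": "rAttackerXRP" + "x" * 14,
}


def classify_address(text):
    """Return the coin family whose address shape `text` matches, else None."""
    candidate = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None


def clipper_substitute(clipboard_text, attacker_addresses=ATTACKER_ADDRESSES):
    """Simulate the hijacker's behaviour on one clipboard update.

    If the clipboard holds a recognised wallet address, swap in the attacker's
    address for the same coin; anything else is returned unchanged so the
    substitution only happens at the moment it pays off.
    """
    coin = classify_address(clipboard_text)
    if coin is None or coin not in attacker_addresses:
        return clipboard_text
    return attacker_addresses[coin]


def paste_is_tampered(intended_address, clipboard_text):
    """Defensive check for a sending UI: the pasted address must be exactly the
    one the user copied. Any difference means something rewrote the clipboard."""
    return intended_address.strip() != clipboard_text.strip()


def find_substitutions(copy_paste_pairs):
    """Given (copied, pasted) pairs observed on a machine, return the coin
    family of every pair where the clipboard contents were rewritten."""
    hits = []
    for copied, pasted in copy_paste_pairs:
        if paste_is_tampered(copied, pasted):
            hits.append(classify_address(pasted) or "unknown")
    return hits


if __name__ == "__main__":
    # Constructed victim inputs: two wallet addresses and one line of plain text.
    victim_btc = "1VictimBTC" + "y" * 24
    victim_eth = "0x" + "1" * 40
    for copied in (victim_btc, victim_eth, "hello world"):
        pasted = clipper_substitute(copied)
        print(f"{classify_address(copied) or 'text':5} tampered={paste_is_tampered(copied, pasted)}")
```

The practical takeaway is the last function: a wallet that re-reads the clipboard immediately before submitting a transaction and compares it against what the user actually copied catches this class of malware regardless of which coin the clipper targets.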
The Bitcoin address holds around 33 BTC, worth $253,238 at current market rates. However, it has not been confirmed that those coins came from scammed users.
The rise of malware
Crypto platforms and their users are lucrative targets for cyber criminals deploying malware. Last month, Finance Magnates reported that the developers of the notorious cryptojacking malware Shellbot had updated it so that, in addition to mining on the infected host, it shuts down any other mining processes already running there in order to claim more of the machine's processing power.
Another Trojan, discovered earlier this year, targeted Android devices to steal both cryptocurrency and fiat currency.