The Qulab information-stealing and clipboard hijacker trojan is being propagated on YouTube via fraudulent videos about an allegedly free bitcoin (BTC) generator, BleepingComputer reports on May 29.
According to the report, security researcher Frost reached out to BleepingComputer about the trojan scam, saying that YouTube would take down the fraudulent videos when reported, but new accounts and videos would subsequently pop up with the same MO.
The videos reportedly describe a tool that lets users earn free bitcoin, with a link in the video description. The links then direct to a download for the alleged tool, which is the Qulab trojan. After downloading, the trojan actually needs to be installed in order for it to be deployed.
In addition to attempting to steal a plethora of user information, the Qulab trojan will also reportedly attempt to sneakily steal cryptocurrency for the bad actor by scanning for strings copied to the Windows clipboard which the program recognizes as crypto addresses, and then substituting in the attacker’s address instead.
If a user pastes that string into a website field to specify where their funds are spent, they will paste in the attacker’s string instead and direct the funds there.
The warning indicates that this is a viable strategy, since users are reportedly unlikely to remember or visually register that their intended crypto address — a long string of characters — has been swapped out for a different one.
According to a report by Fumko, there is a long list of crypto addresses the trojan can recognize, including ones for bitcoin, bitcoin cash, cardano, ether, litecoin, monero, and more.
As previously reported YouTube purportedly advertised malware disguised as an advertisement for bitcoin wallet Electrum in March. Reddit user mrsxeplatypus described the scam, predicated on URL hijacking, as follows:
“The malicious advertisement is disguised to look like a real Electrum advertisement […] It even tells you to go to the correct link (electrum.org) in the video but when you click on the advertisement it immediately starts downloading the malicious EXE file. As you can see in the image, the URL it sent me to is elecktrum.org, not electrum.org.”