Criminals using clone crypto trading site to spread trojans

Cybercriminals are now using a fake cryptocurrency trading site to spread malware, a report by Bleeping Computer has revealed. The malware distributors have cloned the Cryptohopper website. Once a user visits the site, the criminals infect the visitor's device with trojans, cryptojacking malware and clipboard hijackers.

The new malware distribution campaign was discovered by a malware researcher who goes by Fumik0 on Twitter. Once a user visits the cloned Cryptohopper website, a file named Setup.exe is automatically downloaded and executed on the device. The file carries the Cryptohopper logo to disguise itself and keep victims from becoming suspicious.

Cryptohopper is a crypto trading platform where users build models that are used for automated trading of cryptos.

Once executed, the trojan downloads further malware, installing two Qulab trojans: one acts as a miner, the other as a clipboard hijacker. The criminals also schedule the trojans so that the miner and the clipboard hijacker are launched every minute.

The malware then moves on to the next, and perhaps most damaging, phase: collecting data from the device. It uploads the data to a remote server from which the criminals then retrieve it. The information it targets includes browser cookies, text files, crypto wallets, browser history, payment information, saved login credentials, form auto-fill data and two-factor authentication databases. Once the information has been uploaded to the remote server, it is deleted from the user's device to cover the criminals' tracks.

And that's not all. The malware also installs a clipboard hijacker, sometimes referred to as a clipper. A clipper watches for any text copied to the Windows clipboard and can read or change it. Because crypto addresses are long and hard to remember, most people copy and paste them rather than typing them out. The clipper exploits this, replacing the legitimate address with one that belongs to the criminals. Since most people don't check that the pasted address is the right one, they end up sending their cryptos to the criminals.
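To make the clipper behaviour concrete from the defender's side, here is an added example (not code from the article or from the researcher it cites) that polls a sequence of clipboard snapshots and flags the signature of a swap: an address-shaped string being replaced, within a fraction of a second, by a different address of the same coin. The address patterns are shape heuristics for the coins named in the article, and the snapshots and addresses are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Heuristic shape checks (prefix + alphabet, no checksum validation) for the
# coins mentioned in the article. Good enough to spot "one address replaced by
# another of the same kind"; not a substitute for wallet-side validation.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
ADDRESS_PATTERNS = {
    "BTC": re.compile(rf"^(?:[13]{BASE58}{{25,34}}|bc1[ac-hj-np-z02-9]{{25,62}})$"),
    "LTC": re.compile(rf"^(?:[LM]{BASE58}{{26,33}}|ltc1[ac-hj-np-z02-9]{{25,62}})$"),
    "DASH": re.compile(rf"^X{BASE58}{{33}}$"),
    "XRP": re.compile(rf"^r{BASE58}{{24,34}}$"),
}


def address_type(text):
    """Return the coin whose address shape `text` matches, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


@dataclass
class Snapshot:
    ts: float   # seconds; constructed timestamps for the demo
    text: str   # clipboard contents observed at that time


def detect_swaps(snapshots, max_gap=2.0):
    """Flag consecutive snapshots where an address of one coin is replaced by a
    different address of the same coin within `max_gap` seconds. A human
    re-copying a second address that quickly is unlikely; a clipper polling the
    clipboard does exactly this."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        kind = address_type(prev.text)
        if (kind and kind == address_type(cur.text)
                and prev.text != cur.text and cur.ts - prev.ts <= max_gap):
            alerts.append((kind, prev.text, cur.text))
    return alerts


# Constructed timeline: a BTC address is swapped 0.3 s after being copied; an XRP
# address is legitimately replaced by another one 55 s later (no alert).
SAMPLE_SNAPSHOTS = [
    Snapshot(0.0, "hello"),
    Snapshot(10.0, "1DefenderSampKeyXwv2kqF8zRmT7bH9Qc"),
    Snapshot(10.3, "1AttackerSwapAddrXwv2kqF8zRmT7bH9Qc"),
    Snapshot(40.0, "rSampXrpAddrConstructed9Q2wv7kqF8z"),
    Snapshot(95.0, "rSecondLegitXrpAddr9Q2wv7kqF8zRmT7b"),
]

if __name__ == "__main__":
    for kind, before, after in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"possible clipper: {kind} address {before} became {after}")
```

On a real host the same logic would be fed by periodic reads of the clipboard; the cheap user-side check the article recommends is simply to compare the pasted address against the one you copied before sending.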

According to the report, at press time the criminals had amassed 1,094 XRP, 4 LTC, 0.1 DASH and an eye-catching 32.8 BTC. Collectively, these are worth over $258,000.

The Cryptohopper website isn't the first legitimate site that criminals have cloned to spread malware. Others include G-Cleaner, a fake Windows system cleaner, and Pirate Chick, a fake VPN software site. Users are advised to confirm the URL of every site they visit to protect themselves against such tactics.