Despite its popularity and backing by Google, YouTube isn’t always the most reputable source for gathering information. Case in point, a new video that promises users free cryptocurrency, but which is, in reality, nothing more than a scam that can lead to the installation of hijacking malware on the target computer.
Videos are being used to promote a “Bitcoin generator” tool on YouTube that purportedly shows viewers how to download and install an app to “make” free crypto. However, what happens below the surface is more nefarious. The app that has to be downloaded and installed carries the Qulab malware, known to steal information and serve as a clipboard hijacking Trojan.
A crypto security analyst who goes by the name “Frost” on Twitter posted about the malware on his feed in an effort to spread the word as rapidly as possible. He has apparently been following the activity for the past two weeks, reporting each new video to YouTube. YouTube removes the videos, but it doesn’t take long for a new one to pop up under a newly-created username.
The video contains a URL to a site that includes a downloadable Setup.exe file. If the file is successfully installed and launched, the Qulab Trojan is installed and copies itself to %AppData%\amd64_microsoft-windows-netio-infrastructure\msaudite.module.exe on the computer. This becomes its base of operations and, when launched, works its way through the computer, grabbing data from the browser history, browser credentials and cookies. It also looks for saved credentials from Steam, Discord and FileZilla, and contains code that allows it to steal any .txt, .wallet and .maFile from the computer.
Qulab also looks for the Windows clipboard. If found, it then replaces it with its own corrupted version. If a crypto wallet address is copied to the clipboard, the Qulab’s controller can swap out the address for its own and the computer user will almost never realize that a swap has been made.
The clipboard functionality works with a number of digital currencies, including Bitcoin Core (BTC), Bitcoin Cash (BCH), Cardano (ADA), Ether (ETH), Litecoin (LTC), NEO, Monero (XMR) and more. The information is gathered and then sent to the controller via Telegram.
There is no indication how extensive the malware is or if its creators have been able to steal any substantial amount of crypto. As always, computers have to exercise caution when downloading anything from the Internet and remember the old adage—if it sounds too good to be true, it probably isn’t.
New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.