Cybercriminals have set up a fake Cryptohopper trading platform to distribute several kinds of malware, including information-stealing trojans, miners and clipboard hijackers. Once a visitor opens the fake site, a malicious executable, ‘Setup.exe’, is automatically downloaded onto the system. ‘Setup.exe’ uses the Cryptohopper logo as its icon to fool users and evade detection, but it is actually a variant of the Vidar information-stealing trojan, according to a BleepingComputer report.
When executed, the Vidar variant downloads and installs two Qulab trojans: one acts as a miner, the other as a clipper (clipboard hijacker). Scheduled tasks are created on the victim’s system that launch the clipper and miner executables every minute.
The Vidar variant begins its malicious activity by collecting data from the machine and compiling it in a randomly named directory under the %ProgramData% folder. The data stolen by the Vidar variant includes browser cookies, browser history, saved login credentials, browser payment information, cryptocurrency wallets, text files and a screenshot of the desktop.
The collected data is then uploaded to a remote server controlled by the attackers.
The Qulab clipper targets cryptocurrency addresses that pass through the Windows clipboard: it acts when a user copies a wallet address and then pastes it into another application to transfer the cryptocurrency. The trojan affects users that trade using Ethereum, Bitcoin, Bitcoin Cash, DOGE, Dash, Litecoin, Zcash, Ripple, QTUM and Bitcoin Gold.
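From the defender's side, a clipper's swap shows up as the clipboard changing from one wallet address to a different address of the same coin type within a fraction of a second, without a new user copy. The following is an added detection example written for this article, not code from the BleepingComputer report or the malware; the address regexes are simplified heuristics (no checksum validation) and the clipboard events are constructed.

```python
import re
from dataclasses import dataclass

# Simplified address-format heuristics for some of the coins the report lists.
# Order matters: legacy BTC P2SH ("3...") is checked before the LTC pattern.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(ltc1[a-z0-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}$"),
    "DASH": re.compile(r"^X[a-km-zA-HJ-NP-Z1-9]{33}$"),
    "XRP": re.compile(r"^r[a-km-zA-HJ-NP-Z1-9]{24,34}$"),
}


def classify(text):
    """Return the coin whose address format the clipboard text matches, or None."""
    for coin, pat in ADDRESS_PATTERNS.items():
        if pat.match(text.strip()):
            return coin
    return None


@dataclass
class ClipEvent:
    t: float        # seconds since monitor start
    content: str    # clipboard text after the change
    owner: str      # process that set the clipboard (hypothetical field)


def detect_swaps(events, window=2.0):
    """Flag consecutive clipboard changes that replace an address with a
    different address of the same coin within `window` seconds."""
    alerts, prev = [], None
    for ev in events:
        coin = classify(ev.content)
        if prev is not None and coin is not None and coin == classify(prev.content) \
                and prev.content != ev.content and ev.t - prev.t <= window:
            alerts.append((prev.content, ev.content, ev.owner))
        prev = ev
    return alerts


# Constructed clipboard log: a user copies a BTC address from the browser,
# and 0.4 s later an unrelated process rewrites it to another BTC address.
USER_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
SWAPPED_BTC = "1Swapped9zJ5kx7QmVbN3rT8YhXcW2pLu4"
USER_ETH = "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"
SAMPLE_EVENTS = [
    ClipEvent(10.0, USER_BTC, "chrome.exe"),
    ClipEvent(10.4, SWAPPED_BTC, "Setup.exe"),     # clipper-style swap
    ClipEvent(55.0, USER_ETH, "chrome.exe"),       # different coin, no alert
    ClipEvent(120.0, USER_BTC, "chrome.exe"),      # genuine new copy, no alert
    ClipEvent(125.0, "meeting notes", "notepad.exe"),
]

if __name__ == "__main__":
    for old, new, owner in detect_swaps(SAMPLE_EVENTS):
        print(f"ALERT: {owner} replaced {old} with {new}")
```

A real monitor would source the events from the OS clipboard API (on Windows, the clipboard sequence number and owner window) rather than a list, but the swap heuristic is the same.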