Users be warned: a new scam campaign uses YouTube videos to promote a so-called free Bitcoin generator tool which, in reality, is the Qulab Trojan.
Fraudulent videos on YouTube trick potential victims into downloading the info-stealing Qulab Trojan disguised as a free “Bitcoin generator” tool, according to BleepingComputer.com.
According to the report, the videos promote a tool that supposedly lets users earn Bitcoin (BTC) for free. Users who click the link in the video description are redirected to a download page, where they are instructed to download the Setup.exe file.
Once users execute the file, the Trojan is installed on the computer and begins stealing different kinds of user data and compromising cryptocurrency wallets.
Bleeping Computer reported:
“The payload being pushed by this YouTube scam is the Qulab information-stealing and clipboard hijacker Trojan. When executed, the Trojan will copy itself to %AppData%\amd64_microsoft-windows-netio-infrastructure\msaudite.module.exe and launch itself from that location.”
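The drop location quoted above can be matched against process-creation logs. The following is an added example, not code from the report: the record layout (`host`, `image`), the sample events and the "exact"/"partial" labels are constructed for illustration, and only the directory and file name come from the quote.

```python
from pathlib import PureWindowsPath

# Drop location quoted on this page (from the BleepingComputer report).
DROP_DIR = "amd64_microsoft-windows-netio-infrastructure"
DROP_NAME = "msaudite.module.exe"

# Constructed sample process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Users\alice\AppData\Roaming"
                               r"\amd64_microsoft-windows-netio-infrastructure\msaudite.module.exe"},
    {"host": "ws-02", "image": '"c:/users/bob/appdata/roaming'
                               '/AMD64_Microsoft-Windows-NetIO-Infrastructure/MSAUDITE.MODULE.EXE" '},
    {"host": "ws-03", "image": r"%AppData%\amd64_microsoft-windows-netio-infrastructure"
                               r"\msaudite.module.exe"},
    {"host": "ws-04", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws-05", "image": r"D:\tools\msaudite.module.exe"},
]

def normalize(image):
    """Strip quotes/whitespace, unify separators and case, split into parts."""
    cleaned = image.strip().strip('"').replace("/", "\\").lower()
    return PureWindowsPath(cleaned).parts

def classify(image):
    """Return 'exact', 'partial' or None for one image path."""
    parts = normalize(image)
    if not parts:
        return None
    name_hit = parts[-1] == DROP_NAME
    dir_hit = len(parts) >= 2 and parts[-2] == DROP_DIR
    # %AppData% normally expands to <profile>\AppData\Roaming; logs may
    # also carry the unexpanded variable.
    under_appdata = len(parts) >= 3 and (
        parts[-3] == "%appdata%" or parts[-4:-2] == ("appdata", "roaming"))
    if name_hit and dir_hit and under_appdata:
        return "exact"      # full path from the report
    if name_hit or dir_hit:
        return "partial"    # same name or folder elsewhere: review manually
    return None

def scan(events):
    """Return (host, verdict) for every event that matches."""
    hits = [(e["host"], classify(e.get("image", ""))) for e in events]
    return [(host, verdict) for host, verdict in hits if verdict]

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_EVENTS):
        print(f"{host}: {verdict} match on Qulab drop path")
```

A "partial" verdict only says the file or folder name was seen outside the reported location, so it needs manual review before being treated as an infection.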
The Trojan targets the user’s browser history, cookies, and saved credentials for various websites, including Discord, Steam, and FileZilla. It can also steal files from various directories, specifically .txt, .maFile, and .wallet files.
Besides stealing data, the Qulab Trojan also steals cryptocurrency assets by monitoring the clipboard for crypto wallet addresses. It detects strings of text that look like crypto addresses when they are copied to the clipboard, then swaps in the attacker’s wallet address for the copied address.
This means that when a victim uses the infected computer to send coins to another wallet, the coins will go straight to the attacker’s wallet instead.
Other crypto assets vulnerable to the Trojan are the following: Bitcoin Gold (BTG), Bytecoin (BCN), Lisk (LSK), Dash (DASH), Dogecoin (DOGE), Electroneum (ETN), Graft (GRFT), Neo (NEO), QIWI, Qtum (QTUM), Steam Trade Link, Stratis (STRAT), VIA, WME, WMR, WMU, WMX, WMZ, Waves (WAVES), Yandex Money, and ZCash (ZEC).
Users whose computers have been infected with the Qulab Trojan should change their passwords for all their accounts online.