New ‘Free Bitcoin’ Cryptocurrency Malware Campaign Found on YouTube

[Magician]

A security researcher has recently found a cryptocurrency-related malware campaign running on YouTube, that uses videos to promote a free “bitcoin generator” that promises users free BTC, but in reality installs malware on their devices.

According to Bleeping Computer, the campaign was discovered by security researcher Frost, which has been tracking it for the last two weeks and has discovered other cryptocurrency-related malware on the popular video-sharing platform.

 #Fake @YouTube pushing Malware.

All videos on their description have their link to download a file as quoted

"Download soft http://pc(.)cd/OzvrtalK" Link is identical on all videos.

Malware does Exfiltration by Telegramhttps://t.co/jsTjrct0qF pic.twitter.com/kR9lK0BO8D

— Frost (@x42x5a) May 27, 2019
Per the news outlet, Frost claimed that every time a user reports the ‘free bitcoin’ videos YouTube takes them down, although the bad actors behind them simply create a new account and upload them once again.

The bad actors try to trick users into downloading the ‘bitcoin generator’ linked to in the videos’ descriptions, while also linking to a popular bitcoin faucet. Once a user downloads the file and runs it on their device, the Qulab Trojan is installed.

The malware essentially tries to steal information from the users’ machines, including their browser history, saved browser credentials, and more. It also searchers their devices to steal .txt and .wallet files, presumably to gain access to cryptocurrency wallets.

Moreover, the Qulab Trojan reportedly monitors Windows’ clipboards to hijack their contents. This means that if a user copies a bitcoin address, an action often made to send or request a payment, Qulab replaces it with an address belonging to the bad actors.

As users often don’t check address they copy and paste, they may send payments to the bad actors without realizing it. Per analysis conducted by Fumko, the malware can detect addresses from various cryptocurrencies, including BTC, BCH, ETH, ADA, NEO, XMR, LTC, DOGE, and more.

Notably this isn’t the first type of malware that replaces copied addresses to steal users’ funds. A malware dubbed ClipboardWalletHijacker managed to infect over 300,000 computers throughout the world to do the same thing. Security researchers have, in fact, warned that cybercriminals are monitoring over 2.3 million cryptocurrency addresses using clipboard hijackers.

YouTube itself has in the past inadvertently promoted an illegitimate version of the popular Electrum bitcoin wallet, as a scammer was trying to separate users from their BTC through a phishing scheme.

Source