A scam and malware campaign is underway on YouTube that uses videos to promote a “bitcoin generator” tool that promises to generate free bitcoins for its users. In reality, this scam is pushing the Qulab information-stealing and clipboard hijacking Trojan.
This campaign was discovered by security researcher Frost who told BleepingComputer that they have been tracking it for the past 15 days. Each time Frost reports the user and their videos, YouTube takes them down, but the bad actors simply create a new user and upload more.
The way this campaign works is the bad actor will upload a series of videos that promote a so-called free “bitcoin generator” tool.
In the videos description will also be links to download this tool, which is actually a Trojan, and a link for the https://freebitco.in site as shown below.
When a user clicks on the download link in these videos, they will be brought to a page offering a Setup.exe file.
If the a victim downloads and runs the Setup.exe file, the Qulab Trojan will be installed onto the computer.
The Qulab payload
The payload being pushed by this YouTube scam is the Qulab information-stealing and clipboard hijacker Trojan. When executed, the Trojan will copy itself to %AppData%amd64_microsoft-windows-netio-infrastructuremsaudite.module.exe and launch itself from that location.
According to this writeup on Qulab by Fumko, Qulab will attempt to steal the browser history, saved browser credentials, browser cookies, saved credentials in FileZilla, Discord credentials, and Steam credentials. The Trojan also contains code to steal .txt, .maFile, and .wallet files from a computer.
Finally, Qulab also acts as a clipboard hijacker, or clipper, which means it will monitor the Windows clipboard for certain data, and when detected, swaps it with different data that the attacker wants. In this particular case, Qulab is looking for cryptocurrency addresses that have been copied into the Clipboard, in many cases because a user is about to send currency to the address, and swaps it out with a different address under the attacker’s control.
As cryptocurrency addresses are long strings and hard to remember, many users would not even know that the address they copied to the clipboard has been changed to a different address when they paste it into an application of web site. This allows the attackers to steal the cryptocurrency that is sent to their addresses.
Fumko’s analysis states that Qulab supports the following Cryptocurrency addresses for the clipper component:
| Bitcoin | Bitcoin Cash | Bitcoin Gold | Bytecoin |
| Cardano | Lisk | Dash | Doge |
| Electronium | Ethereum | Graft | Litecoin |
| Monero | Neo | QIWI | Qtum |
| Steam Trade Link | Stratis | VIA | WME |
| WMR | WMU | WMX | WMZ |
| Waves | Yandex Money | ZCash |
When compiling the stolen data, the Trojan will send it to the the attacker using Telegram as shown below.
If you have been infected with this Trojan, you should immediately change all passwords for your financial accounts and web sites that you visit. As always, you should use a password manager in order to create unique and strong passwords for every account you visit.
