Vidar malware spreading via the fake cryptocurrency trading site

Crypto-stealing malware delivered via the cloned cryptocurrency trading website

Malware campaign involves a fake cryptocurrency trading page: crypto-stealing trojans spread through a cloned cryptocurrency trading site.

Warning! A fake cryptocurrency trading website, posing as a legitimate service, has been found to deliver crypto-stealing malware.[1] Trojans built to collect information and cryptocurrency are distributed via a site that impersonates the CryptoHopper trading platform, a service that lets users build models for automated cryptocurrency trading in various markets. To fake legitimacy, the site even shows the CryptoHopper logo. This new malware campaign was reported by malware researcher Fumik0_.[2]

The replica of the CryptoHopper trading platform is designed to download a Setup.exe file as soon as the page is visited. The installer delivers the Vidar information stealer[3] together with two Qulab trojans: a cryptocurrency miner and a clipboard hijacker that swaps wallet addresses to steal cryptocurrency.

According to initial reports, the main goal of these threats is cryptocurrencies:

Vidar behind a fake CryptoCurrency trading software with a fancy website (4962c0afb925d23013f6c80433f0a453), pushing also two Qulab Variants (Clipper only & Miner variant). An example among others of the aggressive focus on Cryptocurrencies these days.

Information-stealing Vidar gets into the system as a primary payload

When the duplicated trading platform is opened, the Setup.exe[4] file is automatically downloaded to the machine. This is how the Vidar information-stealing trojan reaches the system. Vidar then downloads the additional malware and files needed for the later stages:

  • required libraries;
  • a QuLab trojan for the crypto mining purpose;
  • a QuLab trojan for clipboard hijacking.

The malware creates scheduled tasks to ensure persistence: the executables that start the clipper and miner processes run every minute. All activity launched on the infected device focuses on cryptocurrency, although QuLab malware was recently also promoted on YouTube and distributed online to steal browser credentials.[5]
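A persistence pattern like the one described here, a task that re-launches an executable every minute from a location a standard user can write to, is easy to hunt for in exported task definitions. The following is an added example, not code from the article or from the researchers it cites: it parses Task Scheduler XML of the kind produced by `schtasks /Query /TN <name> /XML`, converts the repetition interval to seconds, and flags tasks that fire at least once a minute and run from a user-writable directory. The task definitions and the paths in them are constructed for the example; the campaign's real file names are not given on the page.

```python
"""Flag scheduled tasks that repeat every minute (or faster) and run an
executable from a user-writable directory. Added example; the task XML and
paths below are constructed, not captured from the campaign."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 XML exports (schtasks /Query /XML).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments for locations a standard user can write to. Legitimate
# system maintenance tasks rarely launch binaries from these directories.
USER_WRITABLE = (
    "%appdata%", "%localappdata%", "%temp%", "%programdata%", "%public%",
    "\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\",
)


def iso_duration_seconds(value):
    """Convert a Task Scheduler ISO 8601 duration (PT1M, PT1H, P1DT2H) to seconds.
    Returns None for values that do not parse."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def suspicious_tasks(task_xml_docs, max_interval=60):
    """task_xml_docs: {task name: task XML text}.
    Returns (task name, shortest repetition interval in seconds, command) for
    every task that repeats at least every max_interval seconds AND whose
    Exec command lives in a user-writable location."""
    hits = []
    for name, xml_text in task_xml_docs.items():
        root = ET.fromstring(xml_text)
        intervals = [iso_duration_seconds(e.text)
                     for e in root.findall(".//t:Repetition/t:Interval", NS)]
        intervals = [i for i in intervals if i is not None]
        if not intervals or min(intervals) > max_interval:
            continue
        for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
            raw = (cmd.text or "").strip()
            path = raw.strip('"').lower()
            if any(marker in path for marker in USER_WRITABLE):
                hits.append((name, min(intervals), raw))
    return hits


# Constructed task definitions. The two "bad" ones mirror the article's
# description: a clipper and a miner re-launched every minute from %ProgramData%.
# Directory and file names are placeholders, not indicators from the campaign.
SAMPLE_TASKS = {
    r"\Microsoft\Windows\Example\Cleanup": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%SystemRoot%\System32\cleanmgr.exe</Command></Exec></Actions>
</Task>""",
    r"\Vendor\HourlyUpdateCheck": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions><Exec><Command>"C:\Program Files\Vendor\update.exe"</Command></Exec></Actions>
</Task>""",
    r"\Clipper": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>"C:\ProgramData\PLACEHOLDER_DIR\clip.exe"</Command></Exec></Actions>
</Task>""",
    r"\Miner": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions><Exec><Command>%ProgramData%\PLACEHOLDER_DIR\miner.exe</Command></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for task_name, interval, command in suspicious_tasks(SAMPLE_TASKS):
        print(f"{task_name}: every {interval}s -> {command}")
```

On a live host the dictionary would be filled from `schtasks /Query /XML` output for each task name; the threshold and path list are the tunable parts, and a task that matches both conditions is worth a look even when it is not this particular family.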

The clipboard hijacker (clipper) is designed to steal cryptocurrency by abusing wallet addresses: people usually copy and paste them rather than typing the long, complicated strings one character at a time. QuLab detects a copied wallet address in the clipboard and substitutes an address under the attackers' control, so the funds go to their wallet instead of the intended one. According to reports, transactions in Ripple, Litecoin, Dash, Bitcoin, and Ethereum were made in this campaign.
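The behaviour described above has a distinctive signature: the clipboard changes from one wallet address to a different address of the same coin within a fraction of a second, which a person copying addresses by hand never does. The following is an added example, not code from the article, that runs that heuristic over a recorded clipboard history. The address patterns cover the five coins the article names but check shape only (prefix, alphabet, length), not checksums, and every address and snapshot below is constructed for the example.

```python
"""Offline heuristic for clipper-style wallet-address substitution in a
clipboard history. Added example; all addresses and snapshots are constructed."""
import re

# Heuristic shape patterns for the coins named in the article (no checksum
# validation). Order matters: the more specific prefixes come first.
ADDRESS_PATTERNS = [
    ("ETH", re.compile(r"0x[0-9a-fA-F]{40}")),
    ("BTC", re.compile(r"bc1[ac-hj-np-z02-9]{11,71}")),          # bech32
    ("LTC", re.compile(r"ltc1[ac-hj-np-z02-9]{11,71}")),         # bech32
    ("LTC", re.compile(r"[LM][a-km-zA-HJ-NP-Z1-9]{26,33}")),     # legacy base58
    ("DASH", re.compile(r"X[a-km-zA-HJ-NP-Z1-9]{33}")),
    ("XRP", re.compile(r"r[a-km-zA-HJ-NP-Z1-9]{24,34}")),
    ("BTC", re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}")),     # legacy base58
]


def classify_address(text):
    """Return a coin label if the clipboard text looks like a wallet address, else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS:
        if pattern.fullmatch(text):
            return coin
    return None


def detect_swaps(snapshots, window_seconds=2.0):
    """snapshots: list of (timestamp_seconds, clipboard_text) in time order.
    An alert is raised when the clipboard goes from one address to a different
    address of the same coin within window_seconds: the clipper rewrites the
    address right after the user copies it, faster than a human could copy
    a second one."""
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        coin_prev, coin_cur = classify_address(prev), classify_address(cur)
        if (coin_prev is not None and coin_prev == coin_cur
                and prev.strip() != cur.strip()
                and (t_cur - t_prev) <= window_seconds):
            alerts.append({
                "time": t_cur,
                "coin": coin_cur,
                "original": prev.strip(),
                "replacement": cur.strip(),
            })
    return alerts


# Constructed addresses: shape-valid only, they belong to nobody.
BTC_SOURCE = "1VictimDestAddrXyz9876543219876543"
BTC_SWAPPED = "1AttackerSwapAddrXyz987654321987654"
ETH_SOURCE = "0x" + "ab" * 20
ETH_OTHER = "0x" + "cd" * 20
ETH_SWAPPED = "0x" + "ef" * 20

# Constructed clipboard history: (seconds since start, clipboard content).
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes for tomorrow"),
    (10.0, BTC_SOURCE),    # user copies a payee address
    (10.3, BTC_SWAPPED),   # rewritten 300 ms later: clipper behaviour
    (45.0, ETH_SOURCE),    # user copies an ETH address
    (45.0, ETH_SOURCE),    # same content re-read: not a swap
    (95.0, ETH_OTHER),     # different ETH address 50 s later: human pace
    (95.4, ETH_SWAPPED),   # rewritten 400 ms later: clipper behaviour
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"t={alert['time']}: {alert['coin']} {alert['original']} -> {alert['replacement']}")
```

Fed from a live clipboard monitor, the same function turns into a paste-time warning; the two-second window and the shape-only patterns are deliberately loose, so a match is a prompt to verify the address against the source before sending, not proof on its own.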

Numerous types of sensitive data are collected

Once the additional processes are running, Vidar starts its own operation: it collects data from the device and stores it in a dedicated directory under the %ProgramData% folder. The stolen information is later uploaded to a remote server, where the attackers collect it. Once the criminals have the information, the data is deleted from the directory, leaving the folders empty.

Vidar trojan targets:

  • browser cookies;
  • browsing history;
  • payment details;
  • cryptocurrency wallet information;
  • text files;
  • auto-fill data;
  • screenshots of the desktop during the infection;
  • two-factor authenticator databases.

Users of the original CryptoHopper trading platform can land on this duplicated site without realizing it, and with the stolen 2FA credentials attackers can access their CryptoHopper accounts and take their cryptocurrency.

Unfortunately, this is not the only case of a website created mainly to push malware. Fake software promotions and sites impersonating other pages and services are becoming common. One of those, Pirate Chick, was recently used to deliver the password-stealing AZORult trojan.[6]

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
