Cryptocurrency Scammers Use YouTube for Promotion
Are you a cryptocurrency enthusiast who loves watching YouTube videos about Bitcoin and other cryptocurrencies? If so, be very alert about the YouTube channels you visit. YouTube, home to millions of content creators and online video consumers, is teeming with scammers and phishers. Google has for quite some time been actively taking down videos that host malicious links in the description, and even entire YouTube channels. However, YouTube campaigns promoting “Bitcoin generator” programs, which claim to be an easy and painless way of creating bitcoins, continue to appear one after another.
The Bitcoin generator tool is nothing but an espionage program that steals user information from the computer upon execution. Videos promoting a bitcoin generator website named freebitco.in continue to get re-uploaded on another YouTube channel once Google takes them down. Upon close inspection by researchers, the payload uses the infamous Qulab espionage trojan, which installs itself on Windows under the directory %AppData%amd64_microsoft-windows-netio-infrastructure, in a file named msaudite.module.exe. Once installed on the system, the payload is able to gather information from .wallet files (cryptocurrency wallets), gather text information and save it to .txt files, and collect persistent browser cookies and the login credentials stored in the caches of Steam, FileZilla and Discord. The Qulab trojan can also steal information from the Windows clipboard and then immediately switch it with different data, which is useful when it comes to capturing cryptocurrency transfers.
Despite carrying the Bitcoin name, Bitcoin generator also supports the theft of cryptocurrencies other than BTC. The following cryptocurrencies are also targeted by Bitcoin generator, which monitors transactions made with them:
- Bitcoin Gold
- Yandex Money
- Bitcoin Cash
- Steam Trade Link
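The clipboard switching described above can be detected from the defender's side. The following Python code is an added example, not code from fumik0.com or from this article: it flags a clipboard history in which one checksum-valid Bitcoin address is replaced by a different one within a short interval. The function names, the 2-second threshold and the sample timeline are assumptions constructed for illustration, and only Base58Check (legacy-format) Bitcoin addresses are covered.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload):
    """Base58Check checksum: first 4 bytes of double SHA-256."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def sample_address(seed, version=0):
    """Build a constructed (not real-world) Base58Check address for the demo."""
    payload = bytes([version]) + hashlib.sha256(seed).digest()[:20]
    raw = payload + _checksum(payload)
    num, out = int.from_bytes(raw, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def is_btc_address(text):
    """True only for a Base58 string whose 25-byte decoding has a valid checksum."""
    text = text.strip()
    if not 26 <= len(text) <= 35 or any(c not in B58 for c in text):
        return False
    num = 0
    for c in text:
        num = num * 58 + B58.index(c)
    try:
        raw = num.to_bytes(25, "big")
    except OverflowError:
        return False
    return _checksum(raw[:21]) == raw[21:]

def find_swaps(events, max_gap=2.0):
    """events: time-ordered (seconds, clipboard_text) snapshots.
    Flags a valid address replaced by a different valid address within max_gap."""
    alerts = []
    for (t0, old), (t1, new) in zip(events, events[1:]):
        if (t1 - t0 <= max_gap and old.strip() != new.strip()
                and is_btc_address(old) and is_btc_address(new)):
            alerts.append((t1, old.strip(), new.strip()))
    return alerts

# Constructed timeline: a payee address is copied, then swapped 0.3 s later.
PAYEE, OTHER = sample_address(b"payee"), sample_address(b"other")
TIMELINE = [(0.0, "meeting notes"), (10.0, PAYEE), (10.3, OTHER), (95.0, "hello")]

if __name__ == "__main__":
    for ts, old, new in find_swaps(TIMELINE):
        print(f"{ts:.1f}s: clipboard address {old} replaced by {new}")
```

Validating the checksum before alerting keeps ordinary text that merely resembles an address from raising false positives.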
An extensive blog post on fumik0.com provides all the details on how Qulab performs its “magic” of stealing information, which is beyond the scope of this article. According to fumik0.com, a more advanced version of Qulab has more capabilities beyond cryptocurrency wallet theft and other common keylogging techniques, some of which are:
- Browser stealing
- Wallet Clipper
- FTP creds
- Discord / Telegram logs
- Steam (Session / Trade links / 2FA Authenticator by abusing a third party software)
- Telegram Bot through a proxy
Qulab is a sophisticated trojan, developed as a combination of modules programmed in Delphi, C, .NET and C++, which fumik0.com calls an exotic malware. It follows the template set by AutoIT scripts (sold on the dark web), which automate trojan development through code reuse or code recycling. Fumik0.com opened a GitHub page with a working proof-of-concept that explains the fundamentals of AutoIT. “These libraries have been written to allow easy integration into your own scripts and are a very valuable resource for any programmer,” explained fumik0.com.
The authors of Qulab provided a module within the malware code that performs a “garbage collection” algorithm to bypass detection. With its entourage of features, Qulab uses a lot of memory, and that portion of memory cannot be used by the operating system and other programs. With memory capacity reaching full utilization, Windows is forced to use the hard drive as virtual memory, which end-users feel as the computer’s performance takes a hit.