It was reported that a malware campaign running on YouTube was promoting itself as a free “bitcoin generator” that gave users free BTC when it actually installed itself on the users’ computers to steal their private data.
The malware was found by a security researcher Frost, which had been monitoring the progress of the campaign over the last two weeks and discovered other cryptocurrency-based malware activating on YouTube.
Frost noticed that each time a ‘free bitcoin’ video was taken down by YouTube, the video would be reuploaded again by its creators under a newly created account.
All videos on their description have their link to download a file as quoted
"Download soft http://pc(.)cd/OzvrtalK" Link is identical on all videos.
— Frost (@x42x5a) May 27, 2019
The purpose of the scammers is to convince people to download the ‘bitcoin generator’ from the link in the video description, which is listed alongside a popular bitcoin faucet. But after the file is downloaded and installed, the users actually get the Qulab Trojan installed on their computer.
The malware then tries to take any personal data found in the computer it infected, such as browser history, saved browser passwords, etc. The malware also looks into .txt and .wallet files, probably looking to get the private keys and seed phrases of crypto wallets.
It has also been reported that the Qulab Trojan also monitors Windows’ clipboards to steal their contents. This allows the hackers to replace the bitcoin address which the user copied in order to send a payment with their own address.
As a wallet address is a long line of random numbers, most people just copy and paste them without checking and they may end up unknowingly sending coins to the malware creators. According to an analysis performed by Fumko, the malware is able to identify addresses from nay crypto wallets, such as BTC, BCH, ETH, NEO, XMR, ADA, LTC, DOGE, and many others.
YouTube was also used in the past to promote an illicit version of the popular Electrum wallet, which was actually a BTC phishing scheme.
Featured Image: MakeUseOf