Malware distributors have created a new website that impersonates the Cryptohopper trading platform in order to distribute malware. Cryptohopper is a legitimate trading platform that allows users to trade cryptocurrency on several markets. In this new campaign, the attackers built a site that mimics the legitimate one and automatically downloads an executable file that deploys without the user’s input. The executable uses the Cryptohopper logo as its icon to make it seem more legitimate, but it is actually an information-stealing trojan.

When the file is downloaded, it installs two more trojans: the first acts as a cryptocurrency miner and the other acts as a clipboard hijacker. For persistence, scheduled tasks are created to launch the clipboard hijacker every minute. The information-stealing trojan looks for the user’s browser cookies, history, payment information, login credentials, cryptocurrency wallets, text files, two-factor authentication databases, and several other files. The collected information is then uploaded to a server controlled by the attackers.