Threat Watch

Qulab Malware Being Promoted on YouTube

Being disguised as a Bitcoin generator tool through a promotional video on YouTube, Qulab malware is being dropped on users’ devices. The Qulab Malware itself has multiple functions. On the info stealer side, it is able to steal the browser history, saved browser credentials, browser cookies, saved credentials in FileZilla, Discord credentials, and Steam credentials. In some instances, it even attempts to steal .txt, maFile, and .wallet files. The malware can also monitor the Windows clipboard and then changes it when it detects different data. In this situation it looks for crypto addresses that are added and then it changes them to addresses of the attackers, then it is transferred to them through Telegram. A series of videos are uploaded by attackers as a promotion for the faulty Bitcoin generator. Included in the description of the video is a link to download the Bitcoin tool. After the link is clicked, it takes users to a page which has the setup.exe file and once it is running, the malware is dumped on their device. After it is executed it adds itself to %AppData%\amd64_microsoft-windows-netio-infrastructure\msaudite.module.exe. It can then run itself from there.


A common and smart solution is to always run some type of antivirus software. Links from unknown entities should never be followed unless they can be verified. Since antivirus software is not effective all of the time, there are indicators of compromise that can be looked for that would tip a user off that they’ve been infected with malware. Some of these include their email being accessed from unnormal IP addresses or that a user’s device is connecting to a command and control server.