Fake Cryptocurrency Trading Site Pushes Crypto Stealing Malware

Malware distributors have set up a site that impersonates the legitimate Cryptohopper cryptocurrency trading platform in order to distribute malware payloads such as information-stealing Trojans, miners, and clipboard hijackers.

Cryptohopper is a trading platform where users can build models that will be used for automated trading of cryptocurrency on various markets.

In a new campaign discovered by malware researcher Fumik0_, attackers have created a replica of the Cryptohopper trading platform site that, when visited, will automatically download a Setup.exe executable.

This Setup.exe executable uses the CryptoHopper logo as its icon to make it seem like a legitimate offering from the trading platform, but is actually the Vidar information-stealing Trojan.

When executed, this Vidar variant will download required libraries and then install two Qulab Trojans: one that acts as a miner and the other that acts as a clipper, or clipboard hijacker.

Due to the nature of the impersonated site, the potential for stolen credentials and two-factor authentication information is particularly concerning.

As Cryptohopper is a cryptocurrency trading platform, if one of its users mistakenly goes to this fake site and installs the Trojan, their Cryptohopper credentials could be stolen and used to steal cryptocurrency stored on the platform.
