Crypto-stealing malware Vidar spreads via cloned cryptocurrency trading website

January 22, 2020
cryptostealing hijacking vidar malware bitcoin cryptocurrency

A malware researcher and a twitter user Fumik0_ has discovered a new website that is spreading crypto malware. This fake cryptocurrency trading website is masquerading as a legitimate service that delivers crypto-stealing malware trojan known as Vidar. This malware trojan is distributed through a site that impersonates CryptoHopper trading platform which allows users to build models that can be used for automated trading of cryptocurrency in various markets.

Vidar is a malware trojan commonly used by cyber criminals to steal various personal information from users who have computers infected with the virus. This malware is distributed mainly through Fallout exploit kit though there might also be other ways to distribute it.


This new campaign of the hackers creates an exact copy of CryptoHopper trading platform which is designed sophistically so that when users mistakenly visit the page, a Setup.exe is automatically downloaded onto their systems.


This Setup.exe uses the CryptoHopper logo as its icon to appear as a legit website from the trading platform. As soon as the Setup.exe is executed, this Vidar variant will download required libraries and then install two Qulab trojans, cryptocurrency miner and clipboard hijacker, which are set to clipboard hijacking and crypto-stealing purposes.The malware will schedule some tasks that will launch the two Trojans every one minute to be sure about its persistence.

When all the additional processes get launched on the system, Vidar malware collects data from the user’s system and compiles it under a randomly named directory in the Program Data folder. The information that is collected includes browsing history, browser cookies, saved login details, crypto wallets, payment information from browsers, text files, autofill information for browser forms, 2FA authenticator databases, screenshots of desktops and much more.

After the hacker steals these informations, the hacker will now upload this stolen information to a remote server so that it can be collected by the attackers.The Qulab Trojan, which handles clipboard hijacking, automatically replaces the attacker’s crypto wallet address on the clipboard when it detects the victim has typed in a cryptocurrency wallet address.

This attack is very sophisticated that a lot of CryptoHopper customers and visitors are tricked into providing their sensitive cryptocurrency wallet informations. Until the company has figured out the problem and provide malware protection to its customers, it’s not recommended to visit the website anytime soon.

About the author

Leave a Reply