Hackers use YouTube videos to trick people into installing malware

Cybercriminals have started leveraging YouTube to spread powerful malware, security experts have found.

Researchers at Cyble Research Labs recently came across more than 80 videos, all with relatively few views and all uploaded by the same user. The videos appear to show how bitcoin mining software works, with the aim of persuading viewers to download it.

The download link is in the description of the video and points to a password-protected archive, which is meant to convince victims of its legitimacy. To further add to the effect, the downloaded archive also comes with a link to VirusTotal stating that the file is “clean”, and a warning that some anti-virus programs may trigger a false positive alert.
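A password-protected archive keeps scanners from inspecting the payload, but the entry names and the encryption flag in the ZIP central directory remain readable. The following added example (it is not part of the original article or of Cyble's research) is a small intake check that surfaces exactly that: it lists encrypted entries, notes whether any of them has an executable extension, and returns a triage verdict. The sample archives are constructed in memory by hand, and the "encrypted" flag bit is set without real encryption so the demo stays self-contained; the `triage_archive` and `build_zip` names are this example's own.

```python
"""Triage helper: flag password-protected (encrypted) entries in a ZIP archive.

Added example, not from the original article or from Cyble's research.
Sample archives are constructed in memory; the encryption flag bit is set
without actually encrypting the data so the demo runs offline.
"""
import io
import struct
import zipfile
import zlib

ENCRYPTED_FLAG = 0x1  # bit 0 of the general-purpose flag field
EXEC_SUFFIXES = (".exe", ".scr", ".bat", ".js", ".vbs", ".msi", ".dll")


def build_zip(entries, encrypted=False):
    """Build a minimal ZIP (stored entries) by hand so the encryption flag
    bit can be set without a real password (constructed test data only).
    `entries` is a list of (name, bytes)."""
    buf = io.BytesIO()
    central = []
    flags = ENCRYPTED_FLAG if encrypted else 0
    for name, data in entries:
        offset = buf.tell()
        crc = zlib.crc32(data) & 0xFFFFFFFF
        n = name.encode()
        # local file header: sig, version, flags, method, time, date,
        # crc, compressed size, uncompressed size, name len, extra len
        buf.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                              crc, len(data), len(data), len(n), 0))
        buf.write(n)
        buf.write(data)
        central.append((n, flags, crc, len(data), offset))
    cd_start = buf.tell()
    for n, flags, crc, size, offset in central:
        # central directory header (46 bytes) followed by the name
        buf.write(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                              0, 0, 0, crc, size, size, len(n), 0, 0, 0, 0, 0,
                              offset))
        buf.write(n)
    cd_size = buf.tell() - cd_start
    # end of central directory record
    buf.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(central),
                          len(central), cd_size, cd_start, 0))
    return buf.getvalue()


def triage_archive(blob):
    """Inspect a ZIP blob without extracting anything and return a report.

    Names and flags live in the central directory, which is never encrypted,
    so an encrypted executable can be spotted even though its bytes cannot
    be scanned."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
    encrypted = [i.filename for i in infos if i.flag_bits & ENCRYPTED_FLAG]
    executables = [i.filename for i in infos
                   if i.filename.lower().endswith(EXEC_SUFFIXES)]
    report = {"entries": len(infos), "encrypted": encrypted,
              "executables": executables}
    if encrypted and executables:
        report["verdict"] = "quarantine"   # unscannable executable content
    elif encrypted:
        report["verdict"] = "review"       # unscannable, but no executable name
    else:
        report["verdict"] = "scan"         # hand to the normal AV pipeline
    return report


if __name__ == "__main__":
    # Constructed lure: an encrypted archive carrying an installer-like name.
    lure = build_zip([("miner_setup.exe", b"MZ-constructed-sample")], encrypted=True)
    print(triage_archive(lure))
    # Constructed benign archive for comparison.
    print(triage_archive(build_zip([("readme.txt", b"hello")])))
```

The check is deliberately cheap: it never extracts or decrypts, so it is safe to run on anything a user downloads, and the verdict only decides whether the file goes to a scanner, to a human, or into quarantine.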

No false positives

The malware itself, called PennyWise, steals all kinds of data, from system information to login credentials, cookies, encryption keys and master passwords. It also steals Discord tokens and Telegram sessions, and takes screenshots along the way.

Furthermore, it scans the device for potential cryptocurrency wallets, cold storage wallet data, and crypto-related browser add-ons.

When it collects all of the above, it compresses it into a single file and sends it to a server under the attackers’ control. It then self-destructs.

PennyWise also checks its surroundings to make sure it is not running in an analysis environment. If it detects a sandbox, or finds a scanning tool running on the device, it immediately stops all activity.

The researchers found that the malware would completely halt all operations if it discovered that the victim’s device was in Russia, Ukraine, Belarus or Kazakhstan, offering clues to the operators’ affiliation.

Via TechRepublic

Shirley K. Rosa