Cybercriminals are starting to rely on YouTube as a way to spread powerful malware, security researchers have discovered.
Researchers from Cyble Research Labs recently found more than 80 videos, all with relatively few views and all uploaded by the same account. The videos appear to demonstrate how a piece of bitcoin mining software works, in an effort to convince viewers to download it.
The download link is in the video description and points to a password-protected archive, which lends the file an air of legitimacy. For greater effect, the description also includes a link to VirusTotal, where the file appears as “clean”, together with a warning that some antivirus programs may raise a false positive alert. Note that antivirus engines, VirusTotal included, cannot inspect the contents of a password-protected archive, so a “clean” verdict on the archive itself says nothing about the executable inside it.
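The following is an added triage example, not code from Cyble or from the article, showing the check a defender would run on a download like this before trusting any scanner verdict: read the archive's central directory without extracting anything, flag entries whose general-purpose bit 0 (encryption) is set, and flag executable content. The archive and its file names (WalletMiner/Setup.exe, WalletMiner/README.txt) are constructed in memory for the demonstration; the "encrypted" variant is produced by patching the header flag bits, so no real encryption or malware is involved.

```python
import hashlib
import io
import struct
import zipfile

# Extensions that should never appear in a "cryptocurrency miner" handout without scrutiny.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi", ".dll")


def build_sample_archive(encrypted: bool) -> bytes:
    """Constructed sample archive (hypothetical file names, not a real payload).

    When encrypted=True, bit 0 of the general-purpose flag is set in every local
    and central-directory header, which is what a password-protected ZIP looks
    like to a scanner that only reads headers. The entry data itself is not
    encrypted, so this sample must never be extracted with the flag set.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("WalletMiner/Setup.exe", b"MZ" + b"\x00" * 64)  # stand-in, not a real PE
        zf.writestr("WalletMiner/README.txt", b"Archive password: 1234\n")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Local file header: flags at offset 6; central directory header: flags at offset 8.
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + flag_offset)[0]
                struct.pack_into("<H", data, pos + flag_offset, flags | 0x0001)
                pos = data.find(signature, pos + 4)
    return bytes(data)


def triage_archive(data: bytes) -> dict:
    """Inspect a ZIP's central directory only; nothing is decompressed or executed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        encrypted = [e.filename for e in entries if e.flag_bits & 0x0001]
        executables = [e.filename for e in entries
                       if e.filename.lower().endswith(EXECUTABLE_SUFFIXES)]

    findings = []
    if encrypted:
        findings.append("password-protected: AV engines and VirusTotal cannot scan the "
                        "contents, so a 'clean' verdict on the archive is meaningless")
    if executables:
        findings.append("contains executable content: " + ", ".join(executables))

    if encrypted and executables:
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "no flags"

    return {
        # Hash of the archive itself, usable for a lookup even when contents are unreadable.
        "sha256": hashlib.sha256(data).hexdigest(),
        "entries": [e.filename for e in entries],
        "encrypted_entries": encrypted,
        "executables": executables,
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("plain", build_sample_archive(False)),
                          ("password-protected", build_sample_archive(True))):
        result = triage_archive(sample)
        print(f"[{label}] verdict={result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The point of the check is the first finding: once an archive is password-protected, the only meaningful VirusTotal lookup is on the extracted file's hash, taken inside an isolated analysis VM, never on the archive the uploader links to.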
No false positives
The malware itself, called PennyWise, steals all kinds of data, from system information to login credentials, cookies, encryption keys and master passwords. It also steals Discord tokens and Telegram sessions, and takes screenshots along the way.
It also scans the device for cryptocurrency wallets, cold-storage wallet data and crypto-related browser add-ons.
It then compresses everything it has collected into a single file, sends it to a server under the attackers' control, and deletes itself.
PennyWise also inspects its surroundings to make sure it is not running in an analysis environment. If it detects that it is inside a sandbox, or that an analysis tool is running on the device, it stops immediately.
The researchers also found that the malware halts completely if it detects that the victim's endpoint is located in Russia, Ukraine, Belarus or Kazakhstan, which offers some clues about the operators' affiliation.