Cyber criminals are using YouTube as a means of spreading powerful malware, security experts have discovered.
Researchers at Cyble Research Labs recently came across more than 80 videos, all with relatively few views and all uploaded by the same account. The videos appear to show how a piece of bitcoin mining software works, in an attempt to convince viewers to download it.
The download link sits in the video description and points to a password-protected archive, which lends the download an air of legitimacy (and, as a side effect, keeps the payload from being inspected by scanners until it is unpacked). To strengthen the effect, the archive also contains a link to a VirusTotal result that lists the file as "clean", together with a warning that some antivirus programs may raise a false positive. A VirusTotal link supplied by the distributor proves nothing on its own: it can point at a scan of a different, benign file, or at a scan taken before the sample was detected.
No false positives
The malware itself, called PennyWise, is an information stealer. It harvests system information, login credentials, cookies, encryption keys and master passwords, as well as Discord tokens and Telegram sessions, and takes screenshots along the way.
It also scans the device for cryptocurrency wallets, cold-storage wallet data and crypto-related browser extensions.
Once everything has been collected, it compresses the haul into a single file, sends it to a server under the attackers' control, and then deletes itself.
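The collect, compress, exfiltrate and self-delete sequence described above is a recognisable chain on the endpoint. The following is an added example of detection logic written for this article; it is not Cyble's code and not PennyWise itself. The telemetry format, the process list and the file paths are constructed assumptions chosen to resemble typical stealer targets, and the verdict fires only when one process touches several unrelated loot categories and then bundles and sends them, so a browser reading its own profile is not flagged.

```python
"""Heuristic detector for an info-stealer behaviour chain.

Added example: scores per-process event streams for the sequence
collect (credentials, Discord, Telegram, wallets) -> archive -> network
-> self-delete. Event layout, pids and paths are constructed for
illustration, not taken from the PennyWise report.
"""
import re

# Constructed sample telemetry (assumption): (pid, event_type, target).
SAMPLE_EVENTS = [
    (4120, "file_read", r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (4120, "file_read", r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    (4120, "file_read", r"C:\Users\bob\AppData\Roaming\discord\Local Storage\leveldb\000003.ldb"),
    (4120, "file_read", r"C:\Users\bob\AppData\Roaming\Telegram Desktop\tdata\D877F783D5D3EF8C"),
    (4120, "file_read", r"C:\Users\bob\AppData\Roaming\Exodus\exodus.wallet\seed.seco"),
    (4120, "file_write", r"C:\Users\bob\AppData\Local\Temp\out.zip"),
    (4120, "net_connect", "203.0.113.7:443"),
    (4120, "file_delete", r"C:\Users\bob\Downloads\miner.exe"),  # removes its own image
    # Benign: the browser itself reading its own cookie store, then going online.
    (5000, "file_read", r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    (5000, "net_connect", "142.250.1.1:443"),
]

# Constructed process-image map (assumption) so self-deletion can be recognised.
PROCESS_IMAGE = {
    4120: r"C:\Users\bob\Downloads\miner.exe",
    5000: r"C:\Program Files\Google\Chrome\Application\chrome.exe",
}

# One pattern per loot category the article lists. The locations are typical
# on-disk places for this data, not PennyWise's actual target list.
LOOT_PATTERNS = {
    "browser_credentials": re.compile(r"\\(Login Data|Cookies|Web Data|Local State)$", re.I),
    "discord_token": re.compile(r"\\discord\\Local Storage\\leveldb\\", re.I),
    "telegram_session": re.compile(r"\\Telegram Desktop\\tdata\\", re.I),
    "crypto_wallet": re.compile(r"\\(Exodus|Electrum|Atomic|Ethereum)\\|wallet\.dat$", re.I),
}
ARCHIVE_EXT = re.compile(r"\.(zip|7z|rar)$", re.I)


def profile_process(pid, events, image):
    """Summarise what one process did in terms of the stages in the article."""
    loot = set()
    wrote_archive = connected = self_delete = False
    for e_pid, kind, target in events:
        if e_pid != pid:
            continue
        if kind == "file_read":
            for name, rx in LOOT_PATTERNS.items():
                if rx.search(target):
                    loot.add(name)
        elif kind == "file_write" and ARCHIVE_EXT.search(target):
            wrote_archive = True
        elif kind == "net_connect":
            connected = True
        elif kind == "file_delete" and target.lower() == image.lower():
            self_delete = True
    return {"loot": loot, "archive": wrote_archive,
            "net": connected, "self_delete": self_delete}


def is_stealer_chain(profile, min_categories=2):
    """Verdict: several unrelated loot categories, then bundle and send.

    Self-deletion is reported in the profile as a confidence booster but is
    not required, since telemetry may end before the cleanup step is seen.
    """
    return (len(profile["loot"]) >= min_categories
            and profile["archive"]
            and profile["net"])


def scan(events=SAMPLE_EVENTS, images=PROCESS_IMAGE):
    """Return {pid: (profile, verdict)} for every pid in the telemetry."""
    results = {}
    for pid in sorted({e[0] for e in events}):
        profile = profile_process(pid, events, images.get(pid, ""))
        results[pid] = (profile, is_stealer_chain(profile))
    return results


if __name__ == "__main__":
    for pid, (profile, verdict) in scan().items():
        print(pid, "STEALER" if verdict else "ok", sorted(profile["loot"]),
              "self_delete" if profile["self_delete"] else "")
```

In a real deployment the events would come from EDR or Sysmon file and network telemetry keyed by process, and the category list would be tuned to the browsers, messengers and wallet software actually present in the environment.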
PennyWise also examines its environment to make sure it is not running under analysis. If it detects a sandbox, or an analysis tool running on the device, it stops all activity immediately.
The researchers also found that the malware halts completely if it detects that the victim's endpoint is in Russia, Ukraine, Belarus or Kazakhstan, a clue to the operators' origins.
Via TechRepublic