YouTube becomes new weapon for hackers to distribute malware

Hackers are now using YouTube as a weapon to spread malware.

Security experts have discovered that cybercriminals are starting to use YouTube to distribute powerful malware. Cyble Research Labs researchers recently came across more than 80 videos, all with relatively few viewers and all posted by the same user. The videos appear to show how a piece of bitcoin mining software works, in order to entice viewers to download it.

The download link is in the video’s description, and the file is provided as a password-protected archive to convince victims of its legitimacy. To reinforce this impression, the downloaded archive comes with a VirusTotal link that shows the file as “clean” and a warning that some antivirus programs can trigger a false positive alert.

The malware itself, called PennyWise, steals all kinds of data, from system information to login credentials, cookies, encryption keys, and master passwords. It can also steal Discord tokens and Telegram sessions and continuously take screenshots. It also scans the device for potential cryptocurrency wallets, cold storage wallet data, and crypto-related browser add-ons.

After collecting all of this, it compresses the data into a single file and sends it to a server controlled by the attackers. It then self-destructs.

PennyWise can also analyze its environment to make sure it is not running somewhere it could be detected or studied. If it discovers that it is in a sandbox or that an analysis tool is running on the device, it immediately stops all its actions.

The researchers also discovered that the malware completely shuts down all operations if it finds that the victim’s endpoint is located in Russia, Ukraine, Belarus or Kazakhstan, which gives some clues about the operators’ connections.
