Threat actors have recently taken to building malware and phishing websites for mass infection, and the lure that drives victims to them is a familiar one: the campaigns are being run on YouTube, one of the most popular video streaming sites.
The target audience for these videos is people looking for step-by-step tutorials on downloading cracked versions of popular paid software. The tutorials trick viewers into installing information-stealing malware from a link in the video description, presented as the tool that will crack the software they want.
But what is an info stealer? It is malicious software that harvests private data from a compromised device, including passwords, cookies, browser autofill information, and cryptocurrency wallet data.
Info-stealing campaigns have been seen before, for example ones delivering the Pennywise and RedLine stealers. What these campaigns have in common is that the threat actor hosts the malicious files on a free file hosting platform, so the victim downloads the malware from what looks like a legitimate website.
In the case of the YouTube video lure, the threat actor has also created phishing pages that mimic legitimate, widely known websites offering downloads of software, games, and other tools.
Of the four campaigns identified by Cyble Research & Intelligence Labs (CRIL) in its report, two stand out for the payloads they deliver: the Vidar stealer and the RecordBreaker stealer. The researchers describe it as a “massive YouTube campaign.”
Vidar stealer was first observed in December 2018 and is a variant of the Arkei infostealer. Threat actors can reportedly buy Vidar on underground forums for $250; it steals credit card data, usernames, passwords, and files, and can take screenshots of the victim’s desktop.
The malware also steals cryptocurrency wallets such as Bitcoin and Ethereum, and it targets two-factor authentication (2FA) data, such as that stored by desktop authenticator apps, undermining that additional layer of account security.
RecordBreaker stealer, also known as Raccoon, has been offered as malware-as-a-service (MaaS) on various cybercrime forums since early 2019. The original Raccoon Stealer group, however, disbanded in March 2022 after one of its senior developers died in the Russia-Ukraine war.
Soon after, in June 2022, a new version of Raccoon surfaced in the wild and was identified by researchers at Sekoia. Although initially named “RecordBreaker”, the malware was soon found to be a revived version of Raccoon. Its developer is very active on underground forums, regularly updating the malware and posting about new feature builds.
The full list of software, games, ROBLOX scripts, cheats, and plugins that the threat actors use as lures to deliver the stealers can be found in Cyble’s blog post.
With social media scams on the rise, we recommend the following practices to keep yourself and your devices safe:
- Change your passwords periodically, and immediately if you suspect a device has been infected, since stealers harvest saved credentials.
- Use strong, unique passwords for all accounts and enable 2FA wherever possible.
- Monitor network traffic for beaconing to command-and-control servers so that data exfiltration by the malware or the threat actor (TA) can be detected and blocked.
- Keep your devices protected with a reputable antivirus and internet security package.
- Never open untrusted links or email attachments until you have verified that they are authentic.
- Do NOT download pirated software from unverified sites, and always double-check that the website you are using is legitimate.
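The network-monitoring recommendation above is the one that needs a concrete check. The script below is an added example, not code from the article or from Cyble; it is a simple beacon detector that groups outbound connections by (source, destination) pair and flags pairs whose inter-connection intervals are nearly constant (coefficient of variation of the gaps at or below a jitter threshold). The log format, the IP addresses (documentation ranges only), the sample lines and the thresholds are all constructed here for illustration.

```python
"""Flag periodic outbound connections (beaconing) in proxy/firewall logs.

Added example, not from the article or the Cyble report. The log format
is an assumption for this example: one record per line,
"<ISO timestamp> <src_ip> <dst_ip> <bytes_out>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: 10.0.0.5 contacts 203.0.113.10 roughly every
# 60 s (a beacon with small jitter); 10.0.0.7 browses at irregular times.
SAMPLE_LOG = """\
2022-10-20T10:00:00 10.0.0.5 203.0.113.10 1450
2022-10-20T10:00:14 10.0.0.7 198.51.100.20 300
2022-10-20T10:00:59 10.0.0.5 203.0.113.10 1500
2022-10-20T10:01:02 10.0.0.7 198.51.100.20 4100
2022-10-20T10:02:01 10.0.0.5 203.0.113.10 1480
2022-10-20T10:02:55 10.0.0.7 198.51.100.21 90
2022-10-20T10:03:00 10.0.0.5 203.0.113.10 1510
2022-10-20T10:03:03 10.0.0.7 198.51.100.20 2200
2022-10-20T10:03:20 10.0.0.7 198.51.100.20 650
2022-10-20T10:04:02 10.0.0.5 203.0.113.10 1470
2022-10-20T10:04:58 10.0.0.5 203.0.113.10 1490
2022-10-20T10:05:40 10.0.0.7 198.51.100.20 700
2022-10-20T10:06:00 10.0.0.5 203.0.113.10 1460
"""


def parse_line(line):
    """Split one log record into (timestamp, src, dst, bytes_out)."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_beacons(log_text, min_hits=5, max_jitter=0.15):
    """Return {(src, dst): stats} for flows with near-constant intervals.

    A flow is flagged when it has at least min_hits connections and the
    coefficient of variation (population stdev / mean) of the gaps between
    consecutive connections is at most max_jitter. Both thresholds are
    assumptions for this example and should be tuned per environment.
    """
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = parse_line(line)
        flows[(src, dst)].append((ts, nbytes))

    beacons = {}
    for key, events in flows.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons[key] = {
                "hits": len(events),
                "mean_interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
                "bytes_out": sum(n for _, n in events),  # total uploaded
            }
    return beacons


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon {src} -> {dst}: {stats}")
```

On the constructed sample this flags only the 10.0.0.5 to 203.0.113.10 flow (seven hits, mean interval 60 s, jitter about 0.04), while the irregular browsing from 10.0.0.7 is ignored. Two caveats a practitioner should keep in mind: many stealers exfiltrate in a single burst right after infection rather than beaconing, so the per-flow `bytes_out` total (or a first-seen-destination rule) is a useful companion signal, and legitimate software update checks also beacon at fixed intervals, so flagged destinations still need to be vetted against known-good lists before blocking.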