Cybercriminals have begun to lean on YouTube as a means of distributing potent malware (opens in new tab), security experts have discovered.
Researchers from Cyble Research Labs recently stumbled upon more than 80 videos, all with relatively few viewers, and all belonging to the same user. The videos seem to demonstrate how a piece of bitcoin mining software operates, in an attempt to persuade viewers to download it.
The download link is found in the video’s description, and comes in a password-protected archive, to convince victims of its legitimacy. To further add to the effect, the downloaded archive also comes with a link to VirusTotal, showing the file as “clean”, and a warning that some antivirus programs (opens in new tab) might trigger a false positive alert.
No false positives
The malware itself, called PennyWise, steals all kinds of data, from system information, to login credentials, cookies, encryption keys and master passwords. It also steals Discord tokens and Telegram sessions, and takes screenshots along the way.
Furthermore, it scans the device for potential cryptocurrency wallets, cold storage wallet data and crypto-related browser add-ons.
When it collects all of the above, it compresses it into a single file and sends it over to a server under the attackers’ control. It then self-destructs.
PennyWise is also capable of analyzing its surroundings and making sure it’s not operating in a defended environment. If it discovers it’s in a sandbox, or that an analysis tool is running on the device, it will stop all actions immediately.
The researchers discovered the malware will completely stop all operations if it discovers that the victim’s endpoint is located in either Russia, Ukraine, Belarus, or Kazakhstan, offering some clue as to the affiliation of the operators.