Cyble Research Labs (CRL) reports that stealers such as PennyWise and RedLine are on the rise and are spreading through YouTube campaigns. In its analysis, CRL identified more than 5,000 PennyWise Stealer executable samples in the last three months alone.
The 'PennyWise stealer' is an evasive information stealer that leverages YouTube to infect users. It is built with an unknown crypter, which makes debugging tedious. It uses multithreading to steal user data, spawning more than 10 threads so that collection and exfiltration finish faster.
The 'RedLine stealer' is an information-stealing malware family that is widely advertised for sale on underground forums.
How Are Users Tricked?
Threat actors upload video tutorials on how to download and install particular software, promising users a paid subscription for free, which tricks them into installing the malicious software. The link to this "software" (which is actually malware) is placed in the YouTube video description.
The link redirects to free cloud storage and file hosting services such as Mega, Mediafire, OneDrive, Discord, and GitHub, where the threat actors host malicious Windows executables inside password-protected archives. The password matters: an archive whose entries are encrypted cannot be inspected by the hosting provider's scanner or by an endpoint scanner until the user extracts it with the password given in the video. Experts say these YouTube campaigns primarily spread the stealer and miner categories of malware.
In this case, the threat actors target users who are looking for paid subscriptions for free, such as games, programs, or anti-virus software. Typically, people search for keywords like "software cracks," "keygens," and so on, and are then led to these YouTube videos carrying the malicious links.
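The delivery chain just described (a video description that links to a free file host, which serves a password-protected archive wrapping a Windows executable) can be triaged mechanically. The following is an added example written for this page, not code from Cyble or from the campaign; the host-to-domain mapping, the executable extension list, the sample description and both sample archives are constructed assumptions for illustration. The ZIP walker reads the local file headers directly because that is where the encryption bit lives, so it works even on an archive that cannot be opened.

```python
import io
import re
import struct
import zipfile
from urllib.parse import urlparse

# Domains assumed for the hosts named in the write-up. A hit is a triage
# signal, not proof of malice: all of these services carry legitimate traffic.
FILE_HOSTS = {
    "mega.nz", "mediafire.com", "1drv.ms", "onedrive.live.com",
    "cdn.discordapp.com", "discord.com", "github.com",
}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def suspicious_links(description: str) -> list[str]:
    """Return the URLs in a video description that point at a known file host."""
    hits = []
    for url in URL_RE.findall(description):
        host = (urlparse(url).hostname or "").lower()
        if host in FILE_HOSTS or any(host.endswith("." + h) for h in FILE_HOSTS):
            hits.append(url)
    return hits


LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # ZIP local file header, 30 bytes


def zip_entries(data: bytes) -> list[tuple[str, bool]]:
    """Walk the local file headers of a ZIP and return (name, encrypted) pairs.

    Bit 0 of the general-purpose flag marks an encrypted entry. Bit 3 means the
    sizes live in a trailing data descriptor, so the walk stops there instead
    of guessing where the next header starts.
    """
    entries, off = [], 0
    while off + LOCAL_HDR.size <= len(data):
        sig, _ver, flags, _method, _t, _d, _crc, csize, _usize, nlen, xlen = \
            LOCAL_HDR.unpack_from(data, off)
        if sig != b"PK\x03\x04":
            break  # reached the central directory or non-ZIP bytes
        name = data[off + 30: off + 30 + nlen].decode("utf-8", "replace")
        entries.append((name, bool(flags & 0x0001)))
        if flags & 0x0008:
            break
        off += LOCAL_HDR.size + nlen + xlen + csize
    return entries


def archive_verdict(data: bytes) -> str:
    """Classify an archive: an encrypted entry with an executable extension
    is exactly the pattern the campaign uses."""
    entries = zip_entries(data)
    if not entries:
        return "not-zip"
    exe = (".exe", ".scr", ".bat", ".cmd", ".msi", ".dll")  # assumed list
    if any(enc and name.lower().endswith(exe) for name, enc in entries):
        return "encrypted-executable"
    if any(enc for _, enc in entries):
        return "encrypted"
    return "plain"


def fake_encrypted_zip(name: str = "setup.exe") -> bytes:
    """Constructed sample: one stored entry with the encryption flag set.
    Only the local header is built, which is all zip_entries() needs; the
    12-byte prefix stands in for the traditional PKWARE encryption header."""
    payload = b"\x00" * 12 + b"MZ" + b"\x90" * 30
    raw = name.encode()
    hdr = LOCAL_HDR.pack(b"PK\x03\x04", 20, 0x0001, 0, 0, 0, 0,
                         len(payload), len(payload) - 12, len(raw), 0)
    return hdr + raw + payload


def plain_zip() -> bytes:
    """Constructed sample: a real, unencrypted archive built with zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()


# Constructed video description in the style the write-up describes.
SAMPLE_DESCRIPTION = """Get Premium for FREE (2022 working)
Download: https://mega.nz/file/abcd1234#key  Password: 1234
Music: https://www.youtube.com/watch?v=XXXXXXXXXXX"""

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_DESCRIPTION))
    print(archive_verdict(fake_encrypted_zip()), archive_verdict(plain_zip()))
```

On the sample description the link check flags only the Mega URL, and the two archives come back as "encrypted-executable" and "plain" respectively. In a real pipeline the verdict would feed a sandbox that is handed the password scraped from the description, since the encrypted bytes themselves tell a scanner nothing.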
"We observed sudden changes in the video upload frequency and the type of videos uploaded on these YouTube channels. This led us to suspect that the YouTube channels used for these campaigns are either compromised accounts or created specifically for the purpose of spreading stealer malware", Cyble Research Labs.
Further, the researchers noticed that a YouTube channel that usually uploads videos about singing and leisure activities had unexpectedly started posting videos about software cracks/hacks. These channels also have thousands of subscribers, which gives the malicious uploads an existing audience.
Therefore, the threat actors are using compromised Google accounts to deliver malware payloads via YouTube videos. The same compromised Google accounts can also be leveraged for other malicious purposes, such as hosting malicious files on Google Drive or sending phishing spam from the victim's Gmail account.
Recommendations
- Avoid downloading pirated software from unverified sites.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Keep updating your passwords at regular intervals.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez sites.
- Monitor beaconing at the network level to block data exfiltration by malware or threat actors (TAs).
- Enable Data Loss Prevention (DLP) solutions on employees' systems.