Enormous Operations Utilize YouTube to Inject Password-Hijacking Trojan

Widespread malware operations are using YouTube videos to deliver password-hijacking Trojans to unsuspecting viewers. Password-hijacking Trojans are malware that runs quietly on a computer while stealing credentials, screenshots of active windows, cookies, credit cards stored in browsers, FTP credentials, and arbitrary files chosen by the threat actors.

When installed, the Trojan communicates with a Command & Control server, where it waits for commands from the threat actor, which can include running additional malware.

Malicious YouTube Videos Gone Wild

Attackers have long used YouTube videos as a way to distribute malware through links embedded in video descriptions. However, this week Cluster25 security researchers told our experts that there has been a significant uptick in malware operations on YouTube pushing different credential-hijacking Trojans.

Security researchers also told our experts that there appear to be two clusters of malicious activity being conducted simultaneously, one pushing the RedLine malware and the other pushing Raccoon Stealer.

The researchers also said that thousands of videos and channels had been created as part of this enormous malware operation, with 100 new videos and 81 channels generated in just twenty minutes.

They later explained that the threat actors use the Google accounts they hijack to launch new YouTube channels that spread the malware, creating a never-ending and ever-growing cycle.

“The threat actors have thousands of new channels available because they infect new clients every day. As part of these attacks, they steal victims’ Google credentials, which are then used to create new YouTube videos to distribute the malware,” Frost told our experts.

The attacks start with the threat actors creating numerous YouTube channels filled with videos about software cracks, licenses, how-to guides, cryptocurrency mining, game cheats, VPN software, and pretty much any other popular category.


All of these videos explain how to perform a task using a specific program or service. The video’s description then includes a link that claims to lead to the associated tool but is actually used to distribute the malware.


If a video’s description contains a bit.ly link, it leads to a file-sharing site hosting the RedLine password-stealing malware. If it instead includes an unshortened domain, it redirects to a page on a taplink.cc domain that pushes Raccoon Stealer.


Once a user is infected, the malware proceeds to scan all installed browsers and the computer for cryptocurrency wallets, credit cards, credentials, and other information, and uploads it back to the threat actor.

Google told our experts that they are aware of the operation and are taking action to disrupt the activity.

“We are aware of this campaign and are currently taking action to block activity by this threat actor and flagging all links to Safe Browsing. As always, we are continuously improving our detection methods and investing in new tools and features that automatically identify and stop threats like this one. It is also important that users remain aware of these types of threats and take appropriate action to further protect themselves.” – Google.

Google also revealed this week a phishing campaign that distributed password-stealing Trojans used to hijack the accounts of YouTube creators. These accounts were then sold on dark web markets or used to run cryptocurrency scams.

Downloading Software Can Be Harmful

These operations show how important it is not to download programs from the Internet carelessly, as sites like YouTube cannot effectively vet every link added by video publishers.

Therefore, a user should research a site before downloading and installing anything from it, to find out whether it has a good reputation and can be trusted. Even then, it is always advisable to first upload the program to a site like VirusTotal to confirm that it is safe to execute.
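The VirusTotal check described above can be scripted rather than done by hand. The following is an added example, not code from the original article or from VirusTotal: it hashes a downloaded file locally, looks the hash up against the VirusTotal v3 `files` endpoint (so the file itself is never uploaded), and reduces the report’s `last_analysis_stats` to a simple verdict. The `VT_API_KEY` environment variable name, the verdict thresholds and the two sample reports are assumptions constructed for this example.

```python
"""Hash a downloaded file and triage it against VirusTotal before running it.

Added example (not the article's own code). Lookup by hash only: an "unknown"
result means VirusTotal has never seen that exact file, which is common for
freshly repacked stealers, so "unknown" must not be read as "safe".
"""
import hashlib
import json
import os
import sys
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Real VirusTotal v3 endpoint; GET /files/{sha256} returns the existing report.
VT_FILE_ENDPOINT = "https://www.virustotal.com/api/v3/files/"

# Constructed sample reports mirroring the v3 response shape (not real data).
SAMPLE_MALICIOUS_REPORT = {
    "data": {"attributes": {
        "last_analysis_stats": {"malicious": 40, "suspicious": 2,
                                "undetected": 20, "harmless": 0},
        "popular_threat_classification": {
            "suggested_threat_label": "trojan.stealer/example"},  # constructed
    }}
}
SAMPLE_CLEAN_REPORT = {
    "data": {"attributes": {
        "last_analysis_stats": {"malicious": 0, "suspicious": 0,
                                "undetected": 60, "harmless": 5},
    }}
}


def sha256_of_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, streamed in chunks so large downloads fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize_vt_report(report, malicious_threshold=1):
    """Reduce a v3 file report (or None for 'never seen') to a verdict dict.

    Thresholds are an assumption for this example: a single engine flagging
    the file as malicious is enough to refuse to run a download from an
    untrusted video description.
    """
    attrs = (report or {}).get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    engines = sum(stats.get(k, 0)
                  for k in ("malicious", "suspicious", "undetected", "harmless"))
    label = attrs.get("popular_threat_classification", {}).get(
        "suggested_threat_label")
    if malicious >= malicious_threshold:
        verdict = "malicious"
    elif suspicious > 0:
        verdict = "suspicious"
    elif engines == 0:
        verdict = "unknown"  # no report, or no engine has scanned it
    else:
        verdict = "clean"
    return {"verdict": verdict, "malicious": malicious,
            "suspicious": suspicious, "engines": engines, "label": label}


def fetch_vt_report(digest, api_key):
    """GET the existing report for a hash; None if VirusTotal has never seen it."""
    req = Request(VT_FILE_ENDPOINT + digest, headers={"x-apikey": api_key})
    try:
        with urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code == 404:
            return None
        raise


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <downloaded-file>", file=sys.stderr)
        return 2
    api_key = os.environ.get("VT_API_KEY")  # assumed variable name
    if not api_key:
        print("set VT_API_KEY to your VirusTotal API key", file=sys.stderr)
        return 2
    digest = sha256_of_file(argv[1])
    result = summarize_vt_report(fetch_vt_report(digest, api_key))
    print(f"{digest}  {result['verdict']}  "
          f"({result['malicious']} malicious / {result['engines']} engines)"
          + (f"  {result['label']}" if result["label"] else ""))
    # Non-zero exit for anything but "clean", so a wrapper script refuses to run it.
    return 0 if result["verdict"] == "clean" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python vt_triage.py setup.exe` with `VT_API_KEY` exported; the exit code is zero only for a file that VirusTotal engines have scanned and not flagged. Treat an `unknown` result as a reason to upload the file for a fresh scan, not as a clean bill of health.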

If you have mistakenly fallen for this attack and installed a program from one of these links, it is strongly recommended that you scan your computer with an antivirus program. After you have removed any malware detected in the scan, you should immediately change any passwords saved in your browsers.
