YouTube bots have been on the scene for a while. Many YouTubers frequently use these computer codes to boost the view count on videos and accounts in order to improve their ranking in the YouTube algorithm. A new bot steals sensitive data from YouTube users’ accounts, found researchers.
Like all YouTube bots, this too has the ability to engage in actions like viewing, liking, and commenting on YouTube videos. It is also capable of stealing sensitive information from browsers and serving as a bot that receives instructions from a Command and Control (C&C) server for other nefarious purposes.
YouTube bot malware
Cyble researchers unearthed the workings of this information-stealing YouTube bot malware using the sample hash (SHA256) e9dac8b677a670e70919730ee65ab66cc27730378b9233d944ad7879c530d312. They found that it is a 32-bit executable file and has been made using .NET compiler.
It needs four argument strings such as a video ID for a unique ID of a YouTube video, video duration, like being set to true to like a video, and comment that leaves a comment for a video.
The malware detects threats in the environment using DetectVM() to evade detection. It searches for VMware and VirtualBox. Only after ensuring that no threat to the malware is detected does it starts working, based on its program using the argument strings.
An image showing the antiVM check done by the malware (Source: Cyble)
Next, the malware searches for running processes with the mutex name ‘sm’, calls the DeleteProcessesByMutexName() method and stops them using the taskkill command. If the malware finds that the executable is running from the %appdata% directory, it creates a new mutex in sm:<current process id> format.
If not, the malware changes its name to AvastSecurity.exe by copying itself to the %appdata% folder only after it makes sure that the executable file is not running from the same location. After copying itself as programmed, it runs itself using ‘cmd.exe.’
A copy of itself is dropped after a mutex is created using the RegisterSceduledTask() function. It creates a task scheduler entry for the dropped copy which is used for maintaining persistence in running the malware even when the system restarts. The below image shows the task scheduler entry:
Thereafter, using the ‘AvastSecurity.exe’ file the malware starts collecting systems data such as cookies, autofill data, login credentials, etc. Researchers found these details stolen from a Chromium browser using CookieRecovery(), AutofillRecovery(), and PassRecovery() methods.
YouTubePlaywright method and YouTube videos
The YouTube bot malware calls the YouTubePlayWright.Start() method to pass previous arguments, mimics a real user who is viewing YouTube content and bypasses the security mechanism of the system. It can act on YouTube like a real user and perform tasks such as view, like, comment, dislike, etc.
To add more views to a YouTube video the bot malware goes to the URL using the page.GotoAsync() method, finds the play button using the page.Locator() method and clicks open the video using the ClickAsync() method.
After the programmed tasks are performed, the YouTube bot malware connects to the command and control (C&C) server using the ConnectToServer(). While doing so, it passes the IP, Port, and Webclient as an argument. It receives commands after calling the OnServerMessageReceived() function from the C&C server.
The selfDestruct command leads the malware to delete the scheduled tasks and terminate its process. The getLog command helps send the log file with details about the bot version, server connection status, etc., to the C&C server. The downloadAndRun command leads to the download and execution of other files as programmed by the cybercriminal.
An image showing the commands run by the malware to perform specific tasks (Source: Cyble)
MITRE ATT&CK® techniques
Tactic | Technique ID | Technique Name |
1. Execution | T1204 T1047 T1059 |
User Execution Windows Management Instrumentation Command and Scripting Interpreter |
2. Persistence | T1053 | Scheduled Task/Job |
3. Privilege Escalation | T1055 | Process Injection |
4. Defense Evasion | T1036 T1562 T1497 |
Masquerading Disable or Modify Tools Virtualization/Sandbox Evasion |
5. Credential Access | T1003 | OS Credential Dumping |
6. Discovery | T1057 T1082 T1518 |
Process Discovery System Information Discovery Security Software Discovery |
7. Collection | T1005 | Data from Local System |
8. Command and Control | T1071 T1105 |
Application Layer Protocol Ingress Tool Transfer |
(Source: Cyble)