Cybercriminals have been found targeting YouTube users with information-stealing malware to steal their system data. Researchers at Cyble Research & Intelligence Labs (CRIL) found a phishing campaign that starts with links in YouTube video tutorials offering free versions of otherwise paid software. The info stealer was found disguised as more than a hundred legitimate apps and games, and installing them led to a breach of the victim's data, which was sent to the hackers' command and control (C&C) server.
Users who searched for cracked software, keygens to unlock software illegally, plugins, Roblox scripts and cheats on a search engine such as Google were directed to YouTube. There they found video tutorials with fake links to game hacks or cheats; clicking these links launched the info stealer, which then ran in the background. The researchers noted that the stealer log, i.e. the stolen data, could be abused in multiple ways to harm the user, such as being sold on cybercrime marketplaces, used to extend access through connected accounts, or used to target connected corporate networks.
The hackers largely used the Vidar and RecordBreaker stealers, which are known to copy banking data, saved passwords, IP addresses, browser history, login data, crypto wallets and more. CRIL researchers found that one of the videos had over 18,000 views, which gave an indication of how many users might have followed the links and been duped. The cybercriminals also posted comments under the videos to convince users of their legitimacy.
Details of the YouTube info stealer campaign
The hackers used well-known names of websites, scripts, cheats and plugins to lure users. One cheat lure offered a download of Kiddions Modest Menu, and the plugins included Sapphire and Twixtor. The binaries were mostly droppers or downloaders for the payloads.
The websites used in the malicious YouTube video campaign were:
- hxxps://teensoft[.]org/
- hxxps://wh1tesoftware[.]me/
- hxxps://soft-exp[.]org/
- hxxps://appshigha[.]com/
Names of the legitimate products used as lures included:
- MS Office
- Spotify Premium 2022
- Adobe software
- CCleaner PRO
- AutoCAD
Other software titles that the still-unidentified cybercriminals impersonated included:
- DaVinci Resolve
- FL Studio
- Lumion 12 Pro
- Voicemod Pro
- iCloud bypass iOS 15
Some of the gaming software names that the hackers used were:
- Marvel's Spider-Man
- Wanderer download
- Far Cry 6
- Elden Ring
- Rust hack
- GTA online mod menu
- Valorant hack
- Warzone hack
Roblox scripts that were used included:
- Prison life
- Arch piece
- Tatakai V.2
- Telekinesis
- Viet nam piece
- Apocalypse rising 2
- Raise a floppa