YouTube Users Are Warned About Videos That Sneakily Promotes a Password-Stealing Trojan
In April, security researchers from Fortinet talked about an ongoing campaign that was spreading an information-stealing malware called Predator the Thief. The campaign in question had been active since at least July 2018, and it was aimed at Russian-speaking users. The malware operators had bought Predator the Thief from its author on a hacking forum and were distributing it with the help of carefully crafted executable files attached to emails and posing as Word documents.
Whether this particular gang of cybercriminals is still spreading Predator the Thief is difficult to say. What we do know, however, is that there's currently another campaign. It targets a much wider range of users, and it uses a relatively unconventional infection vector.
Table of Contents
Predator the Thief attacks bitcoin enthusiasts who want to make a quick buck
The scheme is as simple as it is clever. All the crooks need to do is lure naïve users to a YouTube video and then hope that the viewers will be too tempted by the money-for-nothing scheme to notice that something's not quite right.
Despite the fact that the whole campaign has now been actively talked about for a couple of days, the video in question is still up and accessible to anyone. Having seen it, we can definitely see why some users would fall for it. It's not a mere advertisement. It's a full four-minute-long instructional video which allegedly shows how the scheme works.
Apparently, you simply download and install a tool and then enter the address of the wallet you want to drain along with some other pieces of information. The program does its magic, and a few hours later, you have an encrypted version of the all-important private key. Decrypting it takes a bit longer, but in the end, the video suggests that you will be able to make off with someone else's bitcoins with next to no effort.
And you know what the best bit is? There's a link to the private key recovery tool in the video's description.
In fact, there are three links leading to the same file hosted on three different platforms: Yandex Disk, Google Drive, and Mega. In a ham-fisted attempt to put suspicious users at ease, the video's author says that because the links lead to legitimate cloud hosting services, the file can't possibly be infected with malware. Given that you read this, you probably won't be too surprised to learn that it is.
How Predator the Thief works
The scheme was first discovered by an independent security researcher who goes by the Twitter handle @0xFrost, and the malware operation was later analyzed by Bleeping Computer.
Users who fall for the scam download a ZIP archive named Crypto World.zip which contains an innocuous-looking executable called setup.exe. This is the trojan itself, and when the experts looked at it, it had a very low detection rate on Virus Total, which goes to show that the malware authors have added some new features to their creation to make it stealthier. setup.exe extracts and drops another executable, which communicates with the Command & Control (C&C) server and takes care of the main information-stealing operation.
Out of the box, the malware is designed to steal login and other data from browsers, online gaming applications, FTP, VPN, and instant messaging clients, and two-factor authentication services. It can also use the device's web camera to take photos and record videos, scrape the clipboard, and even steal specific files. Additional modules downloaded from the C&C can further widen its capabilities.
Unfortunately, nobody knows how many people Predator the Thief has already hit and what sort of information has been pilfered. Given that the video that starts the entire infection chain is still live, however, we would advise cryptocurrency fans to be especially careful. This, mind you, is something they should already know.
Be careful of cryptocurrency-related scams
This is not the first bitcoin-related get-rich-quick scheme, and in all probability, it won't be the last. It's a shame that Google is taking so long to delete the video from YouTube, but the truth is, after it goes offline, criminals will find other ways of selling you something that sounds too good to be true and probably is. The simple fact of the matter is that if you're into cryptocurrency, you need to be constantly on the lookout for people trying to swindle you out of your money and/or data.
