Monday, January 13, 2025
HomeCyber Security NewsHackers Exploiting YouTube to Spread Malware That Steals Browser Data

Hackers Exploiting YouTube to Spread Malware That Steals Browser Data

Published on

Malware actors leverage popular platforms like YouTube and social media to distribute fake installers. Reputable file hosting services are abused to host malware and make detection challenging. 

Password protection and encoding techniques further complicate analysis and evade early sandbox detection. Once a system is compromised, malware can steal sensitive data from web browsers by exploiting credential storage mechanisms. 

URL hosted in YouTube’s comment section
URL hosted in YouTube’s comment section

Info stealers are distributed through deceptive tactics such as fake software installers, whose download links can be found on fake websites or social media platforms. 

One common technique is for malicious actors to pose as helpful guides on video-sharing platforms and trick users into clicking on links in the description or comments that lead to download pages for the fake installers. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

File hosting services such as Mediafire and Mega.nz are also used to obscure the download source and make detection more difficult. Info stealers can be disguised as cracked software, appearing in search engine results when users look for pirated software.

Download link of a fake installer hosted in media sharing site
Download link of a fake installer hosted in media sharing site

An analysis revealed an adversary leveraging various platforms to distribute malicious software that include OpenSea (an NFT marketplace), SoundCloud (a music-sharing platform), and potentially others. 

The attackers employed techniques such as shortened links (likely to evade scraping and analysis) and password-protected downloads (to hinder initial sandbox analysis). 

Following the deobfuscation of a batch file, an AutoIt script was constructed and run after it was triggered by the execution of a large installer that was 900 megabytes in size. 

Other entries in the same account showing potential hosted fake installers
Other entries in the same account showing potential hosted fake installers

The script dropped files, injected code into legitimate binaries, and stole browser credentials by leveraging DGA to communicate with its command-and-control servers, demonstrating its ability to evade detection and maintain persistence.

A trojanized installer disguised as legitimate remote desktop software (rustdesk.exe) is downloaded from a known file hosting site. The user unpacks the file with a password and executes the installer. 

The installer injects malicious code into legitimate processes (more.com, StrCmp.exe, SearchIndexer.exe, and explorer.exe) to evade detection and drops additional malware. 

It also creates autorun registry entries and scheduled tasks to ensure persistence and communicates with the C&C server to download more malware. 

Injected explorer connecting to C&C address
Injected explorer connecting to C&C address

According to Trend Micro, the campaign leverages a diverse arsenal of info stealers (LUMMASTEALER, PRIVATELOADER, MARSSTEALER, AMADEY, PENGUISH, VIDAR) to evade detection. 

Attackers employ various tactics, including utilizing large files to bypass sandbox analysis, encrypting payloads with password-protected ZIP archives to hinder content scanning, and distributing malware through legitimate file-sharing platforms and shortened URLs to impede proactive detection. 

To combat evolving social engineering threats and advanced evasion tactics like DLL sideloading, process injection, and file obfuscation, organizations must implement a multi-layered defense. 

It includes user education to recognize and avoid phishing attempts, continuous threat hunting to proactively identify and respond to emerging threats, and leveraging an MSSP for expert threat intelligence and managed security services. 

By combining these measures with proactive monitoring and advanced detection capabilities, organizations can enhance their security posture and minimize the impact of sophisticated cyberattacks.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Latest articles

PoC Exploit Released for Critical macOS Sandbox Vulnerability (CVE-2024-54498)

A proof-of-concept (PoC) exploit has been publicly disclosed for a critical vulnerability impacting macOS...

IBM Robotic Process Automation Vulnerability Let Attackers Obtain Sensitive Data

A newly disclosed security vulnerability in IBM Robotic Process Automation (RPA) has raised concerns about potential...

Credit Card Skimmer Hits WordPress Checkout Pages, Stealing Payment Data

Researchers analyzed a new stealthy credit card skimmer that targets WordPress checkout pages by...

Furry Hacker Breaches Scholastic – Exposes Data of 8 Million People

The education and publishing giant Scholastic has fallen victim to a significant data breach...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

PoC Exploit Released for Critical macOS Sandbox Vulnerability (CVE-2024-54498)

A proof-of-concept (PoC) exploit has been publicly disclosed for a critical vulnerability impacting macOS...

IBM Robotic Process Automation Vulnerability Let Attackers Obtain Sensitive Data

A newly disclosed security vulnerability in IBM Robotic Process Automation (RPA) has raised concerns about potential...

Credit Card Skimmer Hits WordPress Checkout Pages, Stealing Payment Data

Researchers analyzed a new stealthy credit card skimmer that targets WordPress checkout pages by...