Cyber Security News

Hackers Exploiting YouTube to Spread Malware That Steals Browser Data

Malware actors leverage popular platforms like YouTube and social media to distribute fake installers. Reputable file hosting services are abused to host malware and make detection challenging. 

Password protection and encoding techniques further complicate analysis and evade early sandbox detection. Once a system is compromised, malware can steal sensitive data from web browsers by exploiting credential storage mechanisms. 

URL hosted in YouTube’s comment sectionURL hosted in YouTube’s comment section
URL hosted in YouTube’s comment section

Info stealers are distributed through deceptive tactics such as fake software installers, whose download links can be found on fake websites or social media platforms. 

One common technique is for malicious actors to pose as helpful guides on video-sharing platforms and trick users into clicking on links in the description or comments that lead to download pages for the fake installers. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

File hosting services such as Mediafire and Mega.nz are also used to obscure the download source and make detection more difficult. Info stealers can be disguised as cracked software, appearing in search engine results when users look for pirated software.

Download link of a fake installer hosted in media sharing site

An analysis revealed an adversary leveraging various platforms to distribute malicious software that include OpenSea (an NFT marketplace), SoundCloud (a music-sharing platform), and potentially others. 

The attackers employed techniques such as shortened links (likely to evade scraping and analysis) and password-protected downloads (to hinder initial sandbox analysis). 

Following the deobfuscation of a batch file, an AutoIt script was constructed and run after it was triggered by the execution of a large installer that was 900 megabytes in size. 

Other entries in the same account showing potential hosted fake installers

The script dropped files, injected code into legitimate binaries, and stole browser credentials by leveraging DGA to communicate with its command-and-control servers, demonstrating its ability to evade detection and maintain persistence.

A trojanized installer disguised as legitimate remote desktop software (rustdesk.exe) is downloaded from a known file hosting site. The user unpacks the file with a password and executes the installer. 

The installer injects malicious code into legitimate processes (more.com, StrCmp.exe, SearchIndexer.exe, and explorer.exe) to evade detection and drops additional malware. 

It also creates autorun registry entries and scheduled tasks to ensure persistence and communicates with the C&C server to download more malware. 

Injected explorer connecting to C&C address

According to Trend Micro, the campaign leverages a diverse arsenal of info stealers (LUMMASTEALER, PRIVATELOADER, MARSSTEALER, AMADEY, PENGUISH, VIDAR) to evade detection. 

Attackers employ various tactics, including utilizing large files to bypass sandbox analysis, encrypting payloads with password-protected ZIP archives to hinder content scanning, and distributing malware through legitimate file-sharing platforms and shortened URLs to impede proactive detection. 

To combat evolving social engineering threats and advanced evasion tactics like DLL sideloading, process injection, and file obfuscation, organizations must implement a multi-layered defense. 

It includes user education to recognize and avoid phishing attempts, continuous threat hunting to proactively identify and respond to emerging threats, and leveraging an MSSP for expert threat intelligence and managed security services. 

By combining these measures with proactive monitoring and advanced detection capabilities, organizations can enhance their security posture and minimize the impact of sophisticated cyberattacks.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra ID…

1 day ago

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages Google…

1 day ago

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated by…

1 day ago

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool installers,…

1 day ago

Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features

Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been recognized as a crucial tool for…

1 day ago

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges

A recent discovery by security researchers at BeyondTrust has revealed a critical, yet by-design, security…

1 day ago