Newly discovered a powerful spyware distributed via YouTube Videos comments sections and the spyware is capable of steal files and other confidential information from infected devices.
A Malicious Link that distributed via YouTube comments focusing on a computer game called cheats and trainers related videos that make easier to play the computer games.
Cybercriminal generates a malicious link that pointed to Yandex and leaving comments to videos with a link using fake accounts. Also, these malicious links are distributed through Twitter as well.
This Spyware discovered as Trojan.PWS.Stealer.23012 that was written in Python and transformed into an executable file using py2exe.
Cyber criminal are distributing this Spyware using Telegram channel where they are trying to touch with Channel administrator and invited them to write a post on a new program which is developed by them and suggested testing it.
Spyware Infection Operation via YouTube Videos
Once it completes the infection process, it scans all the infected disk searching for saved passwords and cookies files of Chromium-based browsers.
Also, a new version of this trojan steals information from Telegram, FileZilla FTP client, later it archived all the collected data that will be stored in Yandex.Disk.
This Spyware Performing some modification and perform other malicious activities such as steals passwords and cookies files from Google Chrome, Opera, Yandex. Browser, Vivaldi, Kometa, Orbitum, Comodo, Amigo and Torch.
It Also attempts to access the Telegram account by copies the SSFN files from the config subfolder and it creates a copy of the images and documents which is stored in Desktop.
Finally, all the information packed and stored on to the cloud storage called pCloud and the attacker will gain the access those stolen files later.
Another Module that was Written in script language Autoit Drops 4 Malicious files
- app.exe
- scanner.exe
- cloud.exe
- w9xpopen.exe
According to DeWeb, It steals confidential information from infected devices. All the other Trojan components are written in Go. One of them scans discs searching for folders where browsers are installed, and another one packs stolen data into archives and loads them onto the pCloud storage.
The researcher also identified the Author is this Spyware and he was actively spreading it with the name of “Yenot Pogromist” and he sells it on the popular website.
The creator of spyware also has a YouTube channel dedicated to developing malicious software and has his own GitHub page where he posts the source code of his malicious programs. DrWeb Said.
