Hackers Exploit YouTube Videos to Deliver Password-Stealing Malware
Threat actors look for ways to exploit vulnerabilities using methods ranging from technical zero-days to simple phishing.
Social engineering blends with commodity malware on high-traffic sites, like social media, which enables fast, cheap, and effective attacks.
Despite seeming trivial, these infections, such as AI-generated videos on YouTube offering malware disguised as cracked software, pose significant risks to users and organizations.
Malware via YouTube Videos
The attacker seizes control of inactive YouTube channels using leaked old credentials. Then, they upload a single short video that differs from the channel's previous content, enticing victims with promises of cracked software, reads the Cybereason report.
An account focused on rap music until 2021 shared a cracked Adobe Animate version in August 2023. Experts noted the consistent structure of the thumbnails and titles.
The videos use AI-generated content, mixing voice-to-text and text on appealing backgrounds. Audience size varies from zero to over a hundred thousand subscribers.
Threat actors boost video reach with tricks like SEO poisoning, adding tons of tags linked to cracked-software searches. The tags even match the languages of targeted regions, hinting at localized attack campaigns.
Threat actors manipulate video comments to build trust, using compromised accounts or disabling comments to lure victims.
The videos lead to a description with a link to the alleged cracked software, which is password-protected, with the URL masked through link shorteners like Rebrandly or Bitly.
The malicious payload, hosted on file-sharing or compromised sites, infects victims who are tricked into thinking it is legitimate.
Infostealers & Malware Observed
Below, we have listed all the types of info stealers and malware that were observed:-
- Redline
- Raccoonstealer
- TropiCracked
The most recent video promises a Microsoft Office crack, uploaded 13 days ago. The description has a Rebrandly link with a password, and the link redirects to a Telegraph URL, hiding the real download link.
Telegraph allows anonymous publishing, and the timestamp indicates activity since November 24, 2022; the link leads to MediaFire hosting Setup (PA$S 5577).rar.
The password is needed to decompress the rar file, and the Setup.exe claims to be a Makedisk product, but analysis confirms it is malicious.
The file's metadata reveals it is a SmartAssembly-obfuscated .NET binary with a build date of August 30, 2023. Tools like de4dot and dnSpy are needed for static analysis.
VirusTotal flags it as Redline, and Setup.exe executes it by spawning vbc.exe. Vbc.exe connects to a Finland-based IP (95.217.14.200) which was flagged as a Redline C2 server.
Cybereason detects a Malicious Operation (MalOp) with potential credential theft and data exfiltration. A successful Redline infection grants the threat actor access, allowing further exploitation and lateral movement within the network.
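One way to turn the behaviour described above (Setup.exe launching vbc.exe, which then beacons to the C2 address) into a detection, as an added example that is not part of the article or of Cybereason's tooling: the script below runs over constructed Sysmon-style events and flags vbc.exe instances spawned by an unexpected parent that then connect to a non-private address, escalating when the destination matches the IP named in the article. The allow-list of legitimate parents and the event format are assumptions.

```python
import json
import ipaddress

# Constructed Sysmon-style events (not taken from the Cybereason report):
# EventID 1 = process creation, EventID 3 = network connection.
# Raw string so the JSON backslash escapes survive.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Users\\u\\Downloads\\Setup.exe", "ParentProcessId": 1234, "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "ProcessId": 4188, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "ParentProcessId": 4120, "ParentImage": "C:\\Users\\u\\Downloads\\Setup.exe"}
{"EventID": 3, "ProcessId": 4188, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "DestinationIp": "95.217.14.200", "DestinationPort": 8080}
{"EventID": 1, "ProcessId": 5001, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "ParentProcessId": 4999, "ParentImage": "C:\\Program Files\\dotnet\\MSBuild.exe"}
{"EventID": 3, "ProcessId": 5001, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 443}
"""

# C2 address reported in the article as a Redline server; extend with your own threat intel.
KNOWN_C2_IPS = {"95.217.14.200"}
# Parents that legitimately launch the VB.NET compiler (assumed allow-list; tune per environment).
LEGIT_VBC_PARENTS = {"msbuild.exe", "devenv.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_vbc_proxy_alerts(event_text):
    """Flag vbc.exe processes with an unexpected parent that reach a non-private address."""
    procs = {}   # ProcessId -> process-creation event
    alerts = []
    for line in event_text.strip().splitlines():
        ev = json.loads(line)
        if ev["EventID"] == 1:
            procs[ev["ProcessId"]] = ev
        elif ev["EventID"] == 3:
            proc = procs.get(ev["ProcessId"])
            if proc is None or basename(proc["Image"]) != "vbc.exe":
                continue
            if basename(proc["ParentImage"]) in LEGIT_VBC_PARENTS:
                continue  # normal build activity
            dst = ipaddress.ip_address(ev["DestinationIp"])
            if dst.is_private:
                continue  # the compiler talking to an internal host is not the pattern here
            alerts.append({
                "pid": ev["ProcessId"],
                "parent": proc["ParentImage"],
                "destination": str(dst),
                "ioc_match": str(dst) in KNOWN_C2_IPS,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_vbc_proxy_alerts(SAMPLE_EVENTS):
        print(alert)
```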
TropiCracked effectively exploits a cost-efficient infrastructure, using YouTube, Telegraph, and MediaFire for significant access.
The attack, leveraging compromised YouTube accounts, Redline access, and Google Dorking, targets over 800 accounts with minimal cost and technical skill.
Regardless of social media platforms' efforts, individuals and organizations must secure their endpoints against such attacks.
Source credit : cybersecuritynews.com