Malicious campaigns increasingly leveraging YouTube as an attack vector
Cyble Research Labs (CRL) has published multiple blogs on various stealer malware and explained how stealers such as PennyWise spread through YouTube Videos. Since then, CRL has been actively monitoring these YouTube campaigns to identify the activities of Threat Actors (TAs) used to spread malware.
Our investigation indicates that the stealers such as PennyWise and RedLine are on the rise and spreading through YouTube campaigns. We have identified over 5,000 PennyWise Stealer executable samples in the last 3 months alone.
In these campaigns, the TAs post video tutorials about downloading and installing software, mostly to guide users to get paid subscriptions for free, which tricks the users into installing the malicious software.
Usually, the link to this software (which is actually malware) will be available in the YouTube video description.
The download links, in most cases, redirect to free cloud storage and file hosting services such as Mega, Mediafire, OneDrive, Discord, and Github, where the TAs have hosted malicious Windows executable files using password-protected archive files.
Based on our sample analysis, we observed that these campaigns mostly spread stealer and miner categories of malware. In this blog, we will primarily focus on the PennyWise stealer, which has been actively spreading through YouTube channels in the wild recently.
YouTube Campaign Analysis:
During our research, we identified that the TAs in the campaigns that we observed mostly target people interested in getting paid subscriptions for free such as games, programs, or anti-virus software.
To get this software for free, people usually search keywords like “software cracks,” “keygens,” etc. The users will be redirected to these YouTube videos containing the link of the malicious executable pretending to be the software they desire access to. The image below represents the results of these keyword searches from this week.
While investigating the YouTube Channel that spreads the malware, CRL observed sudden changes in the video upload frequency and the kind of videos uploaded on these YouTube channels.
This led us to suspect that the YouTube channels used for these campaigns are either compromised accounts or created specifically for the purpose of spreading stealer malware.
The image below shows an example of a compromised account where the video upload frequency in the last few hours has increased, and the video’s subject has been completely changed.
The image below depicts that the YouTube channel usually posts videos related to singing and fun activities, but these channels typically have thousands of subscribers and have suddenly started posting videos related to software cracks/hacks.
We also observed that a few compromised YouTube channels spreading PennyWise and RedLine stealer payloads had removed the videos posted by TAs, likely after realizing their accounts were compromised.
In the description of the recent videos posted on the YouTube channel shown in Figure 4, there is a software download link along with a password for the downloaded archived file.
CRL has downloaded the file through the URL: hxxps://www.mediafire[.]com/folder/chga256moyooc/ and analyzed it.
Our observations are:
- The file is hosted on MediaFire.
- The executable file has the name “installer.exe,” andthe below images show downloaded files.
- Upon executing the payload, the infection starts by injecting the malicious code into a legitimate .NET binary named “AppLaunch.exe.”
- Based on our research, the payload being delivered through this campaign is PennyWise Stealer. We observed an uptick in submissions for the same payload from various regions to VirusTotal over the last 3 days.
The above status indicates that the same video campaign is actively spreading Pennywise Stealer, and multiple victims worldwide have been compromised.
Conclusion
Threat Actors are continuously adopting sophisticated techniques to deliver malware. In this particular case, the TAs are using compromised Google accounts to deliver malware payloads through YouTube videos.
These compromised Google accounts can also be leveraged for other malicious purposes, such as hosting malicious data on Google Drive or can send phishing spam emails from the victim’s Gmail accounts.
Cyble Research Labs continuously monitors all new and existing campaigns to keep our readers aware and informed.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Avoid downloading pirated software from unverified sites.
- Use strong passwords and enforce multi-factor authentication wherever possible. 
- Keep updating your passwords after certain intervals.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile. 
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.  
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez. 
- Monitor the beacon on the network level to block data exfiltration by malware or TAs. 
- Enable Data Loss Prevention (DLP) Solutions on employees’ systems. 
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution   | T1204  | User Execution  |
| Defense Evasion | T1140 T1497 T1055.012 | Deobfuscate/Decode Files or Information Virtualization/Sandbox Evasion Process Injection: Process Hollowing |
| Credential Access  | T1555  T1539  T1552  T1528  | Credentials from Password Stores  Steal Web Session Cookies  Unsecured Credentials  Steal Application Access Token  |
| Collection  | T1113  | Screen Capture  |
| Discovery  | T1518  T1124  T1007  | Software Discovery  System Time Discovery  System Service Discovery  |
| Command and Control  | T1071  | Application Layer Protocol  |
| Exfiltration  | T1041  | Exfiltration Over C2 Channel  |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| a2ed077e339bdcbe11d246d850f4e6dd | MD5 | Installer.exe (PennyWise Stealer Executable) |
| 87ba3a160d4246183e308e89f140e2cbfe7b1ec0 | SHA1 | Installer.exe (PennyWise Stealer Executable) |
| 21eae3e46c156b97a1ce1a37c8043524b54e5c4e92a88af4b9384694b4376f63 | SHA256 | Installer.exe (PennyWise Stealer Executable) |
| 174faa57103851083ec20d2601765872 | MD5 | Proton VPN.exe (PennyWise Stealer Executable) |
| 4ba676089de71f8d5f514c740c67ae42c8efba7d | SHA1 | Proton VPN.exe (PennyWise Stealer Executable) |
| 365ca37eea6be88172761c3597283a6518632328892a92d8ad128e64747d9f76 | SHA256 | Proton VPN.exe (PennyWise Stealer Executable) |
| 493e993d7f583db30a460ff79e4df58b | MD5 | Kaspersky Internet Security crack.exe (PennyWise Stealer Executable) |
| 194ddbfbf5817cf1a998756e94c7c8a764ccf242 | SHA1 | Kaspersky Internet Security crack.exe (PennyWise Stealer Executable) |
| cb8afc5d4fa94e09bdf9a9fdcfc671f8e8290dd7cd4d0c0c3abce8539af4a702 | SHA256 | Kaspersky Internet Security crack.exe (PennyWise Stealer Executable) |
| 49b3e116466dcb31d15a085c2293d478 | MD5 | installer.exe (PennyWise Stealer Executable) |
| 04d6f3c119df0b37aa03d1b7ae2fb7e6847cf57c | SHA1 | installer.exe (PennyWise Stealer Executable) |
| 9ed7186aa38ea46cca24572c612363a73ee88b05f469c7978d2666a85d9fda2e | SHA256 | installer.exe (PennyWise Stealer Executable) |
| a74bd4fb84febbb2021f611ffdd6c74f | MD5 | setup.exe (RedLine Stealer Executable) |
| b7019ccc1cf25ac94729fbb29680019f4185f9e4 | SHA1 | setup.exe (RedLine Stealer Executable) |
| 93989c2ff3afcea9b5f042c28a32160f8c3d14580ee7183a216efa781a1df2db | SHA256 | setup.exe (RedLine Stealer Executable) |
| 31.222.238[.]56 | IP | C2 server of Redline stealer |
| hxxp://144.91.110[.]55:27571/ | IP | C2 server of Redline stealer |
