Uncovering the C&C Communication Capabilities of Malicious YouTube Bot
YouTube is one of the great platforms for many content creators. It also has a high potential for making good revenue. However, YouTube content creators need help to gain a maximum number of views, likes, comments, and subscribers for their videos and channels. As a result, some may turn to using YouTube bots to artificially boost their rankings on the YouTube platform, which can help them reach a wider audience through organic views. However, this approach is generally considered unfair and may be against the YouTube platform’s terms of service.
As YouTube becomes more popular, the use of YouTube bots is also enhancing. These bots are software programs that can automate tasks on the YouTube platform, such as viewing, liking, or disliking videos, subscribing, or unsubscribing to channels, leaving comments, and adding videos to playlists, etc.
Cyble Research and Intelligence Labs (CRIL) has been keeping track of new and active malware families in the wild. Recently, CRIL spotted a new YouTube bot malware that can perform activities such as viewing, liking, and commenting on YouTube videos. Moreover, it can steal sensitive information from browsers and act as a bot that receives commands from the Command and Control (C&C) server for other malicious activities.
Technical Details
We have taken the sample hash (SHA256), e9dac8b677a670e70919730ee65ab66cc27730378b9233d944ad7879c530d312, for our analysis. It is a 32-bit executable file compiled with .NET compiler, as shown in the figure below.
Four argument strings are required to run the malware executable, including the video ID, video duration, like, and comment.
- Video ID – Unique ID of a YouTube video.
- Video Duration – Duration of the video to view.
- Like – Set True to like the video
- Comment – Leave comments for the YouTube video
When the malware is executed, it first checks whether it is running in a controlled environment, such as VMware or VirtualBox, using the DetectVM() function. This check is designed to prevent the malware from being detected and analyzed in a virtual environment. If the malware determines that it is running in a controlled environment, it will not execute further. Otherwise, it will proceed to perform the tasks specified in the argument strings.
After the check, the malware searches for running processes with a mutex name of “sm” and terminates them using the “taskkill” command by calling the DeleteProcessesByMutexName() method. The malware then checks whether the executable file runs from the %appdata% location or not. If not, it copies itself to the %appdata% folder under the name “AvastSecurity.exe” and runs it using “cmd.exe”.
- C:\Users\[Redacted]\AppData\Roaming\Adobe\AvastSecurity.exe
If the executable is running from the %appdata% directory, it creates a new mutex with the format “sm:<current process id>”. The code snippet shown below demonstrates how the mutex is created, and a copy of the executable file is dropped.
After creating the mutex, the malware uses the RegisterScheduledTask() function to create a task scheduler entry for the copy of itself that was dropped into the %appdata% folder. This establishes persistence, allowing the malware to continue running even after the system is restarted. The below image shows the Task Scheduler entry created by the malware.
After establishing persistence through the task scheduler entry, the “AvastSecurity.exe” file collects cookies, autofill, and login data from the victim’s system by calling the Grab() function. This function uses the CookieRecovery(), AutofillRecovery(), and PassRecovery() methods to gather this information from installed Chromium browsers on the victim’s system.
The image below shows a code snippet of the CookieRecovery() function, which retrieves cookie information such as domain, expires, name, path, secure, tailmatch, and value from the victim’s browsers.
Finally, the YouTube bot malware calls the YoutubePlaywright.Start() method by passing the previously mentioned arguments along with the Chrome browser path and cookie information to view the specified video. The cookie is included as an argument to mimic a real user viewing the video and could bypass any security measures or restrictions that may be in place. The below image shows the code snippet of YoutubePlaywright function along with malware parameters.
YouTube Playwright
The class name “YouTubePlayWright” which internally uses “Microsoft.Playwright” package for automating tasks such as viewing, liking, and commenting on YouTube videos. The malware launches the browser context with the parameters shown in the image below.
The malware achieves automatic YouTube video views by using the below steps.
- The malware navigates to the YouTube video URL using the page.GotoAsync() method.
- It locates the YouTube large play button using the page.Locator() method.
- The malware clicks the play button to start the video using the ClickAsync() method.
C&C communication
The malware connects to a Command and Control (C&C) server by using the ConnectToServer() function and passing the IP, Port, and Webclient as an argument. This function then calls the OnServerMessageReceived() function to receive commands from the C&C server.
The C&C server uses the following commands to control the malware.
- “selfDestruct” – This command causes the malware to delete its scheduled task entry and terminate its own process.
- “getLog” – This command directs the malware to send the log file to the C&C server. The log file contains information such as the bot version, details about views (whether they were completed or failed), the server connection status, and so on.
- “downloadAndRun” – This command causes the malware to download and execute other files.
- “stopView” – This command directs the malware to stop viewing a YouTube video.
- “view” – This command directs the malware to start viewing a YouTube video.
The below figure shows the C&C commands used by the malware.
The malware is also designed to check if the victim’s system has the necessary dependencies, such as the Chrome web browser and the Playwright package installed. If these dependencies are absent, the malware will download and install them when it receives “View” command.
Conclusion
Generally, the use of YouTube bots can be a tempting way for content creators to boost their rankings and reach a wider audience on the platform. However, the use of bots is generally considered unfair and may be against YouTube’s terms of service. Additionally, there is a risk of using YouTube bots, as they can be detected and may result in suspending or terminating a user’s account.
In this case, The Threat Actors (TAs) use customized YouTube bots to increase likes, comments, and views on their YouTube videos. The YouTube bot is also capable of stealing victims’ sensitive information such as cookies, AutoFill, Login data, and passwords. In addition, it receives commands from the C&C server and can download and execute additional malicious files on the victim’s machine.
Our Recommendations
We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:
- Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., typically contains such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees in terms of protecting themselves from threats like phishing/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204 T1047 T1059 | User Execution Windows Management Instrumentation Command and Scripting Interpreter |
| Persistence | T1053 | Scheduled Task/Job |
| Privilege Escalation | T1055 | Process Injection |
| Defense Evasion | T1036 T1562 T1497 | Masquerading Disable or Modify Tools Virtualization/Sandbox Evasion |
| Credential Access | T1003 | OS Credential Dumping |
| Discovery | T1057 T1082 T1518 | Process Discovery System Information Discovery Security Software Discovery |
| Collection | T1005 | Data from Local System |
| Command and Control | T1071 T1105 | Application Layer Protocol Ingress Tool Transfer |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 28abffc332adbe6d0611ad64e8578e77d6da1e71d20afe9ba44a92ace61ccbf3 70ca93c25b0de9b7b42739c1397e98fef0f3123fd3ed26acef84fe1b4a8cc2e9 792095ac7aa865779dcd51094fbbf8f57f83f3a47750a28527062dd74a315bb5 b4098728c160f6637ea33a66cdb4a518857e5ec8a60134b97f48cbc56475acc0 e9dac8b677a670e70919730ee65ab66cc27730378b9233d944ad7879c530d312 3fb6074f025e43b154f61650f4f4e82b21a9328954772811b1fb579673e89c6b c8f700ce6babe369b6fb6cf747a21aa7a7ed6e3c20a84998094b91e23413c0bc db9971c25d88a57ad218cb675107b6a03f023616364f1646eca2b14401baecba 2062f480625832da7c3fa81456a73514194c932009b2038eef430cb48eeba014 68fb648e718b40ab00c422dbf70e1a3175d3834a22d9f6c8b4b376635c9bb595 991d703c1bb1be43c27b6b6ffc2ee95f02f3c7b64a8ec07ccb9dee718f0ba836 394a707846cc908581190f8fd7c061203b340c942eb90bfc6073836a9d3a189a | Sha256 | YouTube bot Executable |
