YouTube videos are being created by a threat actor to distribute malware, such as password-stealing trojans. The malware is downloaded by unsuspecting viewers and, once installed, steals passwords, cookies, credit card data stored in browsers, and FTP credentials, and takes screenshots of active windows.
Trojan horses are programs that run secretly on a compromised computer, stealing sensitive information and siphoning it off to the attacker’s server. The attacker can also issue commands from that server, which may result in additional malware being deployed.
According to Cluster25 security researcher Frost, who spoke with BleepingComputer, there has been a rise in the number of YouTube-based malware campaigns, with videos being used to push various types of phishing Trojans.
According to Frost, there are likely two simultaneous campaigns: one distributing RedLine and another distributing Raccoon Stealer.
The researcher said that the campaign created over 80 new channels with 100 videos in just 20 minutes, as part of a massive malware distribution campaign.
Attackers use compromised Google accounts to launch new YouTube channels and spread malware. Because they compromise new victims every day, thousands of new channels are available to the attackers, according to Frost.
The attackers then use the stolen Google credentials to create YouTube channels and upload new videos to the compromised accounts to distribute harmful content. These channels are filled with tutorials and videos about various software cracks, how-to guides, and other seemingly useful information. The channels are usually run by the attackers themselves.
The videos are typically accompanied by a link that leads to a website where the malware is distributed.
If a video carries a bit.ly link, it leads to another site that hosts the RedLine password-stealing malware. If it carries an unshortened domain instead, that domain redirects to taplink[.]cc to drop Raccoon Stealer.
Once installed, the malware collects all the details it can from the infected system and uploads the data to an attacker-controlled account.
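A defender triaging video descriptions or link-click logs for this campaign mainly needs to separate three cases: shortened links (whose real destination is unknown until expanded in a sandbox), links to the redirector domain named in the report, and everything else. The script below is an added example written for this article, not code from BleepingComputer or Cluster25; the only indicators it uses are the two domains the report names (bit.ly and taplink[.]cc), and the sample description it scans is constructed text, not a real video.

```python
import re
from urllib.parse import urlparse

# Domains taken from the report: bit.ly is the shortener placed in front of the
# RedLine drop site, taplink[.]cc is the redirector used to drop Raccoon Stealer.
SHORTENERS = {"bit.ly"}
LURE_REDIRECTORS = {"taplink.cc"}

# Matches plain and defanged URLs (dots written as "[.]"), with or without scheme.
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+(?:\.|\[\.\]))+[a-z]{2,}\b(?:/[^\s\"'<>]*)?",
    re.IGNORECASE,
)


def refang(url: str) -> str:
    """Turn a defanged indicator ("hxxp", "[.]") back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked by accident in a report or ticket."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def host_of(url: str) -> str:
    """Extract the hostname, tolerating links that omit the scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def classify_link(url: str) -> str:
    """Verdict for one link: shortener, lure-redirector, or unknown."""
    host = host_of(refang(url))
    if host in SHORTENERS:
        return "shortener"          # destination unknown until expanded safely
    if host in LURE_REDIRECTORS:
        return "lure-redirector"    # matches the redirector domain in the report
    return "unknown"


def triage_description(text: str) -> list[tuple[str, str]]:
    """Return (defanged_url, verdict) for every link found in a description."""
    return [
        (defang(refang(m.group(0))), classify_link(m.group(0)))
        for m in URL_RE.finditer(text)
    ]


# Constructed sample description mimicking the lure style described in the article.
SAMPLE_DESCRIPTION = """Free crack download here: https://bit.ly/3xyz123
Mirror: taplink[.]cc/get-crack
Official channel: https://www.youtube.com/watch?v=abc"""

if __name__ == "__main__":
    for url, verdict in triage_description(SAMPLE_DESCRIPTION):
        print(f"{verdict:15} {url}")
```

A "shortener" verdict is not a conviction on its own; it means the link must be expanded in an isolated environment before it can be trusted, which is exactly the step the bit.ly hop in this campaign is designed to make people skip. The output is defanged so the triage notes can be pasted into a ticket without creating another live link.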
Google told BleepingComputer that they know about the campaign and are working to disrupt it:
“We are aware of this campaign and are currently taking action to block activity by this threat actor and flagging all links to Safe Browsing. As always, we are continuously improving our detection methods and investing in new tools and features that automatically identify and stop threats like this one. It is also important that users remain aware of these types of threats and take appropriate action to further protect themselves,” said Google’s rep.