Gone down the tubes
Friday, May 29, 2020
What do people do at work besides working? Some attend to personal affairs, which may include playing video games online. How can this be dangerous?
The Russian anti-virus vendor Dr.Web has discovered a trojan that is distributed through YouTube comment sections and steals confidential information from infected devices.
Typically, the criminals post the download links in the comments under video tutorials that show viewers how to use game-cheating software.
The malicious program is disguised as a cheat. A user who follows the link downloads a self-extracting RAR archive that contains the trojan.
So if employees play video games during working hours, they may also go to YouTube to learn how to use a cheating program to beat the game faster, and attackers take advantage of that. Among other things, they promote their malware on YouTube.
The second most-viewed video on the attackers' channel is a tutorial for a program that supposedly extracts cryptocurrency from any BTC or ETH wallet. Scammers assure viewers that they only need to enter the desired amount and the sender address; once the "transaction fee" is paid, the money is supposedly delivered to the specified wallet.
In addition to overtly fraudulent applications, the channel also promotes seemingly legitimate utilities, mostly trading bots. The same links to several file-sharing platforms are posted under all of the channel's videos. They lead to a ZIP archive containing three folders and a setup.exe file, which is the infostealer trojan Predator.
And this is not the only danger. Criminals can also use YouTube and similar platforms as a covert channel between their malware and its operators.
Following its most recent update, the Astaroth trojan uses YouTube channel descriptions to hide the URLs of its command and control (C2) servers.
According to Cisco Talos, after Astaroth infects a victim, the trojan connects to a YouTube channel and retrieves the channel description field. The field contains encrypted, base64-encoded text holding the URLs of the C2 servers. After decoding and decrypting the text, Astaroth connects to these URLs to receive new instructions and to upload stolen information.
Astaroth uses both YouTube and Facebook profiles to host and maintain its C2 configuration data: the data sits in Facebook posts or in the profile information of YouTube user accounts. Because these requests go over HTTPS to trusted, high-reputation domains, domain-based blocking does not help; the anomaly a defender can look for is which process is making the request and what it does with the response.
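The following Python script is an added example written for this article; it is not Astaroth's code and does not come from Talos or Dr.Web. It shows the defender's side of the dead-drop technique described above: given a channel-description-like text, it pulls out runs of base64, decodes them, and flags blobs that decode either to URLs (a plaintext drop) or to high-entropy bytes that look like ciphertext. The description text, the URLs and the opaque blob are constructed for the demo; the article does not describe Astaroth's cipher, so the "encrypted" blob is a deterministic byte sequence standing in for ciphertext, and the 4.5 bits/byte entropy threshold is an assumption rather than a known value.

```python
import base64
import binascii
import math
import re
from dataclasses import dataclass, field

# --- Constructed sample input (not real Astaroth data) ---------------------
# Two "dead drops" hidden in an otherwise ordinary channel description:
#  * OPAQUE_BLOB stands in for the encrypted config the article describes.
#    The real cipher is not known from the article, so a deterministic
#    sequence of 48 distinct bytes is used instead (entropy = log2(48)).
#  * PLAIN_URLS shows the simpler variant, a base64-encoded URL list.
OPAQUE_BLOB = bytes((i * 37 + 11) % 256 for i in range(48))
PLAIN_URLS = b"https://c2-one.example/|https://c2-two.example/"  # hypothetical C2s

SAMPLE_DESCRIPTION = (
    "Welcome to my channel! Daily gaming highlights and tutorials.\n"
    "Business: contact@example.com\n"
    "Config: " + base64.b64encode(OPAQUE_BLOB).decode() + "\n"
    "Backup: " + base64.b64encode(PLAIN_URLS).decode() + "\n"
    "Subscribe for more!"
)

# A run of base64-alphabet characters at least 20 long that is not glued to
# other base64 characters. Short ordinary words also fit the alphabet, hence
# the length floor; long ordinary words are weeded out by the decode step.
B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])"
)
URL_IN_BYTES = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    token: str          # the base64 run exactly as it appeared in the text
    decoded_len: int
    entropy: float
    urls: list = field(default_factory=list)
    verdict: str = ""


def extract_candidates(text: str) -> list:
    return B64_TOKEN.findall(text)


def analyse_description(text: str, entropy_threshold: float = 4.5) -> list:
    """Return one Finding per base64 run that decodes cleanly.

    entropy_threshold is an assumed cut-off: plain ASCII config rarely
    exceeds ~4.5 bits/byte, while ciphertext of a few dozen bytes sits
    close to log2(len), i.e. well above it.
    """
    findings = []
    for token in extract_candidates(text):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # a long plain word or a mis-padded run, not base64
        urls = [u.decode("ascii", "replace") for u in URL_IN_BYTES.findall(raw)]
        ent = shannon_entropy(raw)
        if urls:
            verdict = "plaintext-urls"
        elif ent >= entropy_threshold:
            verdict = "opaque-high-entropy"
        else:
            verdict = "probably-benign"
        findings.append(Finding(token, len(raw), ent, urls, verdict))
    return findings


if __name__ == "__main__":
    for f in analyse_description(SAMPLE_DESCRIPTION):
        print(f"{f.verdict:20} len={f.decoded_len:3} H={f.entropy:.2f} urls={f.urls}")
```

On the constructed sample the script reports two findings: the opaque blob as "opaque-high-entropy" and the URL list as "plaintext-urls" with both URLs recovered. The decode step with `validate=True` is what keeps long ordinary words (which also match the base64 alphabet) out of the results, since their length is usually not a multiple of four. A high-entropy verdict cannot tell you what the blob says, only that a profile field carries data that a human did not write; correlating that with the process that fetched the page is the useful next step.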