Bitcoin scam on YouTube: users tricked into installing Predator Trojan

The promoted tool can allegedly generate Bitcoin keys to steal funds but installs info-stealing Trojan instead

New scam from Crypto World YouTube channel: users are promised a hacktool that can steal cryptowallet data, but instead are provided with Predator data-stealing Trojan

A YouTube channel that goes by the name Crypto World is trying to trick users by offering software allegedly capable of stealing funds from victims' Bitcoin wallets. In reality, what bad actors attempt to download is not a key generator at all, but a Predator the Thief Trojan, capable of harvesting various data,stealing documents, and accessing a webcam.

New spam campaign was spotted and analyzed by security researcher hxFrost,^[1] who posted about the findings on Twitter. The researcher is continually looking for scam campaigns that use cryptocurrency as a bait. This time, his research led to another version of Predator being distributed by via links embedded on YouTube videos.

Predator the Thief Trojan was first analyzed by French security expert Fumik0_ back in 2018, later versions were then examined along with Kaspersky researchers in March 2019.^[2] Developed by Russian hackers, the malware is sold on the dark market and is mainly directed to infecting small business and regular users, as large corporations would quickly detain the threat and isolate it before it can cause major damage.

The Bitcoin wallet key generator scam scheme

A YouTube channel going by the name Crypto World has 341 subscribers, and the first videos emerged ten months ago. While the subscriber count s relatively low, the top viewed videos collected around 700-800 views. The video shows a full process of generating the private keys of a particular Bitcoin wallet account and a full process of a break-in.

In the video description, users can view download links from Google Drive, Yandex, and Mediafire, which include the alleged installer to key generating software. Once clicked, users are led to a download page for “Crypto World.zip,” which contains “setup.exe.” Launching it would extract another executable “license.exe” to .\\language\\templates\\temp folder, consequently installing Predator, the Thief onto the host computer. Finally, the installed malware would contact the Command and Control server to download the remaining components of the Trojan.

The promoted Predator Trojan has low detection rate

In the video description, Predator the Thief distributor claims that there are no viruses in the provided download links:^[3]

To install the software you need to download and run the installer. For peace of mind and confidence that the software does not contain viruses, the file is uploaded to YANDEX DISK, GOOGLE DRIVE & MEDIAFIRE without any passwords to the archive.

While it is true that Google and other file host sources scan each of the uploaded files for malware, this version of Predator is only detected by one AV engine on Virus Total.^[4] The owners of the Trojan are adapting and constantly changing the payload to evade detection, as well as using such obfuscation techniques like XOR, Base64, Substitutions, Stack strings, etc. Overall, the malware uses relatively old techniques to remain undetected, but they are effective.

According to Kaspersky's research, Predator does not possess keylogging capability, although it can collect a variety of information, including data from Battle.net (gaming platform), Skype, Pidgin, NordVPN, Authy (2FA), and others. Additionally, the Trojan can access and record videos on a web camera, steal documents, copy clipboard, and harvest data from Internet Explorer and MS Edge.

Precautionary measures

Info-stealing Trojans are dangerous infections that might result in money and personal data loss. In the worst cases, users might have to deal with the aftermath of identity theft. Therefore, it is advisable staying away from shady links that promote hack tools, as these often include malware that can seriously damage the computer or put users' privacy and safety at risk. In fact, it is not the first time when links in YouTube video descriptions were used to proliferate malware, as happened with Fortnite^[5] and Apex hacktools promoted the same way.

To avoid the infection of dangerous malware, users should stay away from videos that promise free gains (especially via illegal means) and only download software installers from trusted sources. If you think that you have been infected with Predator, the Thief, you should immediately make sure it is eliminated with anti-malware software. It is also just as important changing all passwords on Skype, Discord, Battle.net, etc., and monitoring online banking account for unsolicited transactions.