Password-stealing malware was noticed spreading in YouTube comments
The popular video-sharing and streaming platform YouTube has become attractive to malware developers. A new malicious program called Trojan.PWS.Stealer.23012 has been noticed spreading in the network's comment section a few months after a cryptocurrency miner was detected in YouTube ads.
The main purpose of the trojan is to steal sensitive information stored in the web browser, such as email, social media, and other account credentials. Additionally, the malware can take screenshots while the victim is using the computer.
The data-stealing trojan can also copy files saved on the affected computer's desktop. It targets the following file types:
.txt, .pdf, .jpg, .png, .xls, .doc, .docx, .sqlite, .db, .sqlite3, .bak, .sql, .xml.
The malware packs the stolen credentials and files into an archive named Spam.zip, saves it in a newly created directory called C:/PG148892HQ8, and then sends it to a remote command-and-control (C&C) server.
There is no doubt that the collection of such information can lead to privacy issues or even identity theft. Hence, it is better not to rush into clicking links in comments and video descriptions, especially when they relate to dubious or illegal activities.
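The two host artefacts the article names, the C:/PG148892HQ8 staging directory and the Spam.zip archive, together with the targeted extension list, are enough for a simple triage check. The following is an added example written for this page, not code from the article or from the researchers who analysed the sample: it takes an inventory of file paths (a constructed list here; on a real host it would come from a directory walk or an EDR file inventory) and reports both the indicator hits and which desktop files fall inside the trojan's collection scope. The sample paths and the user name `alice` are constructed.

```python
"""Host triage helper for the indicators described in the article.

Added example, not from the original article. It checks a list of file
paths for the two artefacts the article names (the staging directory
C:/PG148892HQ8 and the Spam.zip archive) and reports which desktop files
would fall within the trojan's targeted extension list.
"""
from pathlib import PureWindowsPath

# File types the article says the stealer copies from the desktop.
TARGETED_EXTENSIONS = {
    ".txt", ".pdf", ".jpg", ".png", ".xls", ".doc", ".docx",
    ".sqlite", ".db", ".sqlite3", ".bak", ".sql", ".xml",
}

# Artefacts named in the article (compared case-insensitively).
STAGING_DIR = "PG148892HQ8"     # created as C:/PG148892HQ8
ARCHIVE_NAME = "spam.zip"


def is_targeted(path: str) -> bool:
    """True if the file has one of the extensions the stealer collects."""
    return PureWindowsPath(path).suffix.lower() in TARGETED_EXTENSIONS


def find_indicators(paths):
    """Return the paths that match the staging directory or the archive name.

    The staging directory is matched as the component directly under the
    drive root, because that is where the article says it is created; the
    archive is matched by filename anywhere, since the article only states
    where it is first written.
    """
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        parts = [part.lower() for part in wp.parts]
        # parts[0] is the drive anchor ("C:\\"); the staging dir sits right below it
        if len(parts) >= 2 and parts[1] == STAGING_DIR.lower():
            hits.append(p)
        elif wp.name.lower() == ARCHIVE_NAME:
            hits.append(p)
    return hits


def desktop_exposure(paths, desktop_root):
    """Return the desktop files that match the targeted extension list."""
    root = PureWindowsPath(desktop_root)
    exposed = []
    for p in paths:
        wp = PureWindowsPath(p)
        try:
            wp.relative_to(root)          # keep only files under the desktop
        except ValueError:
            continue
        if is_targeted(p):
            exposed.append(p)
    return exposed


# Constructed sample inventory (not taken from a real host).
SAMPLE_PATHS = [
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Users\alice\Desktop\report.docx",
    r"C:\Users\alice\Desktop\game.exe",
    r"C:\Users\alice\Downloads\cheat_tool.rar",
    r"C:\PG148892HQ8\Spam.zip",
    r"C:\Program Files\Vendor\app.dll",
]

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_PATHS):
        print("indicator:", hit)
    for f in desktop_exposure(SAMPLE_PATHS, r"C:\Users\alice\Desktop"):
        print("exposed:", f)
```

The exposure list is the more useful half for a defender: a hit on the staging directory or archive means the stealer has already run, whereas the extension match tells you in advance which desktop files would be swept up and whether they belong there at all.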
Trojan.PWS.Stealer.23012 was aimed mostly at gamers
Russian researchers spotted malicious links in the YouTube comments section and in video descriptions. The malware was found under videos explaining how to cheat in or hack specific games with the help of third-party apps.
Criminals led gamers to believe that the link pointed to a download site where they could get the tools needed for cheating in games. However, the obfuscated links redirected to Yandex Disk, a Russian cloud service, where potential victims were met with another layer of deception.
The attackers' page included videos and user comments claiming that the program or file was entirely legitimate and worked properly. Of course, all of it was fake, created by the criminals to lend credibility and trick people into downloading a self-extracting RAR file.
After execution, the Trojan.PWS.Stealer.23012 malware steals credentials from Google Chrome, Opera, Vivaldi and many other web browsers, as well as files from the desktop, and sends them to a remote server.
According to recent reports, Google already removed the malicious content from YouTube.
Malware creators took advantage of YouTube for the second time this year
The appearance of the Trojan.PWS.Stealer.23012 virus is not the first time this year that malware has been detected on the world's largest video-sharing service. In January, YouTube visitors could encounter a cryptocurrency miner.
Google needed more than a week to remove all malicious ads that were targeting users in Italy, France, Spain, Japan, and Taiwan.