Security researchers at Dr.Web have discovered a new malware campaign distributing Trojan.PWS.Stealer.23012, a password stealer aimed at YouTube users.
Trojan.PWS.Stealer.23012 is written in Python and targets devices running Microsoft Windows; once installed it steals files and other confidential data from the infected machine.
Attackers were seen posting malicious links in the descriptions and comment sections of YouTube videos about cheating in games with the help of special applications (so-called "cheats").
The links lead to Yandex.Disk, a cloud storage service from Yandex that lets users keep files on its servers and share them online.
The image below shows an example of a malicious link posted in the comment section of a video:
“Cybercriminals publish links to the malicious program in the comments section of YouTube videos, a popular web resource. A lot of these videos focus on cheating methods in games (so-called “cheats”) using special applications. Cybercriminals try to pass the Trojan off as such programs and useful utilities. Links lead to the Yandex.Disk servers. To persuade users to click the link, videos contain comments clearly written by using fake accounts.”
If the victim follows the link, a self-extracting RAR archive containing Trojan.PWS.Stealer.23012 is downloaded and, once run, installs the Trojan on the device.
The malware steals cookies from the Vivaldi, Chrome, YandexBrowser, Opera, Kometa, Orbitum, Dragon, Amigo and Torch browsers. It also steals the logins and passwords saved in the same browsers and takes screenshots.
In addition, it copies files with the extensions “.txt”, “.pdf”, “.jpg”, “.png”, “.xls”, “.doc”, “.docx”, “.sqlite”, “.db”, “.sqlite3”, “.bak”, “.sql” and “.xml” from the Windows Desktop.
The gathered data are staged in the folder C:/PG148892HQ8, packed into an archive named spam.zip and sent to the attackers’ C&C server together with the victim’s location.
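The collect-then-archive chain described above leaves a distinctive footprint on disk: a hard-coded staging folder, copies of Desktop documents with the listed extensions inside it, and a spam.zip archive in the same place. The following hunting helper is an added example and not Dr.Web's or the malware author's code; it scans file-creation events for those indicators and assigns a per-host verdict. The pipe-delimited log format and the sample events are constructed for illustration (they imitate a Sysmon file-create export), and the hostnames, process paths and timestamps are invented.

```python
"""Hunt for Trojan.PWS.Stealer.23012 staging behaviour in file-creation events.

Added example, not code from the Dr.Web write-up. Indicators (staging folder,
archive name, targeted extensions) come from the write-up; the log format and
the sample events below are constructed for illustration.
"""
import ntpath
from collections import defaultdict

# Indicators of compromise taken from the write-up. The folder is written as
# C:/PG148892HQ8 there; Windows accepts either separator and ntpath.normcase
# folds both to backslashes, so log paths in either form will match.
STAGING_DIR = r"C:\PG148892HQ8"
ARCHIVE_NAME = "spam.zip"
TARGET_EXTENSIONS = {
    ".txt", ".pdf", ".jpg", ".png", ".xls", ".doc", ".docx",
    ".sqlite", ".db", ".sqlite3", ".bak", ".sql", ".xml",
}

# Constructed sample log: one FileCreate event per line as "timestamp|host|process|path".
# Not real telemetry. WS01 shows the full chain, WS02 is benign noise (a user file that
# happens to be called spam.zip), WS03 shows an interrupted run with no archive.
SAMPLE_LOG = """\
2018-04-24T10:01:05|WS01|C:\\Users\\bob\\Downloads\\cheat.exe|C:\\PG148892HQ8
2018-04-24T10:01:06|WS01|C:\\Users\\bob\\Downloads\\cheat.exe|C:\\PG148892HQ8\\passwords.txt
2018-04-24T10:01:06|WS01|C:\\Users\\bob\\Downloads\\cheat.exe|C:\\PG148892HQ8\\report.docx
2018-04-24T10:01:07|WS01|C:\\Users\\bob\\Downloads\\cheat.exe|C:\\PG148892HQ8\\Cookies
2018-04-24T10:01:09|WS01|C:\\Users\\bob\\Downloads\\cheat.exe|C:\\PG148892HQ8\\spam.zip
2018-04-24T10:02:00|WS02|C:\\Windows\\explorer.exe|C:\\Users\\alice\\Desktop\\notes.txt
2018-04-24T10:03:00|WS02|C:\\Program Files\\WinRAR\\WinRAR.exe|C:\\Users\\alice\\Desktop\\spam.zip
2018-04-24T11:15:00|WS03|C:\\Users\\carol\\Desktop\\hack.exe|C:/PG148892HQ8
2018-04-24T11:15:01|WS03|C:\\Users\\carol\\Desktop\\hack.exe|C:/PG148892HQ8/budget.xls
"""


def parse_event(line):
    """Split one 'ts|host|process|path' record; return None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    ts, host, process, path = parts
    return {"ts": ts, "host": host, "process": process, "path": path}


def classify(path):
    """Map one created path to an indicator name, or None if it is not interesting.

    Only files inside the staging folder count; a file merely named spam.zip
    elsewhere on disk is too weak to be an indicator on its own.
    """
    norm = ntpath.normcase(path).rstrip("\\")
    staging = ntpath.normcase(STAGING_DIR)
    if norm == staging:
        return "staging_dir_created"
    if not norm.startswith(staging + "\\"):
        return None
    name = ntpath.basename(norm)
    if name == ARCHIVE_NAME:
        return "archive_staged"
    if ntpath.splitext(name)[1] in TARGET_EXTENSIONS:
        return "document_collected"
    return "other_file_staged"  # e.g. browser cookie databases, which carry no extension


def hunt(log_text):
    """Aggregate indicators per host and assign a verdict.

    'high'   : staging folder plus spam.zip, i.e. the full collect-then-archive chain
    'medium' : staging folder activity without the archive (interrupted run, or a
               variant that names its archive differently)
    Hosts with no indicator are omitted.
    """
    per_host = defaultdict(lambda: {"kinds": set(), "files": [], "processes": set()})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        kind = classify(ev["path"])
        if kind is None:
            continue
        entry = per_host[ev["host"]]
        entry["kinds"].add(kind)
        entry["processes"].add(ev["process"])
        if kind in ("document_collected", "other_file_staged"):
            entry["files"].append(ntpath.basename(ntpath.normcase(ev["path"])))
    report = {}
    for host, entry in per_host.items():
        verdict = "high" if "archive_staged" in entry["kinds"] else "medium"
        report[host] = {"verdict": verdict, "files": entry["files"],
                        "processes": sorted(entry["processes"])}
    return report


if __name__ == "__main__":
    for host, data in hunt(SAMPLE_LOG).items():
        print(host, data["verdict"], data["files"], data["processes"])
```

The process column is kept in the report on purpose: the write-up does not name the dropper, so the executable that created the staging folder is the pivot for the rest of the investigation. Note that the file names are lower-cased by normcase before being recorded.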
“Doctor Web virus analysts found several modifications to the Trojan. Some of them were detected as Trojan.PWS.Stealer.23198. Dr.Web anti-virus products successfully detect all known modifications to this malicious program, so they do not pose any threat to our users.”