According to research conducted by CloudSEK as far back as November 2022, there has been a 2 to 3 times month-over-month increase in the number of youtube videos containing links to info stealer malware in the video description section. The types of information stealer malware used include Vidar, Raccoon, and RedLine.
How do threat actors spread malware?
Threat actors, also known as traffickers, have devised another means of spreading various info stealer malware through AI-generated Youtube video tutorials.
According to Pavan Karthick M, a CloudSEK researcher,
“The videos lure users by pretending to be tutorials on downloading cracked software versions such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and other licensed products available only to paid users”.
Youtube is the most widespread malware distribution channel since it usually involves step-by-step videos containing audio only or a screen recording of downloading and installing the software.
Threat actors now use AI-generated videos from platforms such as D-ID to create youtube videos featuring humans to make their videos appear genuine and trustworthy. The description section of such videos contains links to info stealer malware.
To make these links appear natural, threat actors becloud them using popular URL shorteners such as Cuttly and Bitly. Aside from that, Discord, GiftHub, or Google Drive can alternatively host the link.
However, to quickly achieve their aim, threat actors focus mainly on youtube accounts with large subscriber bases and hijack their accounts. Through this means, they can quickly cover a wide range of audiences, and many unsuspecting users fall headlong. This does not imply that they don’t hijack less popular youtube accounts.
Another scope threat actors use on the Youtube platform is uploading between 5 to 10 crack videos per hour. To make the videos rank among the top five on the ranking list, they use Search Engine Optimization(SEO) poisoning techniques.
Threat actors add fake comments in the comment section below the video to make the video tutorials appealing to users. They do this to convince users to download the cracked software, and once a user falls for the trick, they have achieved their goal.
What information does the infostealer malware collect?
Threat actors hijack youtube accounts to steal sensitive information from computers, such as passwords, credit card information, and other confidential information. Through youtube tutorials, for example, once a user clicks on the link and installs the software application, their deed is done.
They steal all relevant information from the computer and upload it to the attacker’s Command and Control server. Summarily, the info stealer collects the victims;
- Computer system or phone information such as system specifications, IP address, and malware path( only Vidar and RedLine).
- User data like auto-fills, cookies, credit card details, and passwords.
- Files such as documents, excel sheets, and PowerPoint presentations using a File Grabber.
How to protect against infostealers
Threat actors are developing new methods every day to steal information from internet users and organizations. New information stealer variants offered for sale in their latest development include ImBetter, Lumma, Stealc, and Whitesnake.
These stealer variants can detect sensitive and relevant information under the guise of popular applications or trending services. Knowing all these, how should we protect ourselves against falling victim to info stealers?
Internet users are encouraged to enable multi-factor authentication, avoid downloading applications from untrusted sources, avoid using pirated software, and desist from clicking unknown links and emails. Users must be more cyber security aware and alert.
Organizations must be cyber security conscious and adopt adaptive threat monitoring. You can achieve this by closely monitoring and trailing the changing tactics of threat actors. Organizations can also help their users by creating awareness campaigns to help them identify potential threats.