Hackers target YouTube videos primarily for ‘financial gain’ and to exploit the vast audience base of the platform.
By hijacking popular channels, hackers can distribute ‘malicious links’ and ‘scam’ content while masquerading as the “original creators” to trick their subscribers.
Recently, cybersecurity analysts at Kaspersky Lab discovered that hackers have been actively using YouTube videos to deliver sophisticated malware.
Sophisticated Malware Via YouTube Videos
Threat actors directed a sophisticated cryptocurrency mining campaign in 2022 that primarily targeted “Russian-speaking users” via an elaborate “malware distribution network.”
The attackers employed multiple attack vectors (“SEO manipulation of Yandex search results,” “compromised Telegram channels,” and “hijacked YouTube accounts”) to distribute malicious files disguised as popular software packages like ‘uTorrent,’ ‘Microsoft Office,’ and ‘Minecraft.’
The infection chain began with “password-protected MSI files” containing ‘VBScript’ that triggered a “multi-stage attack sequence.”
This included privilege escalation to the “SYSTEM level,” using ‘AutoIt scripts’ hidden inside legitimate, digitally signed “DLLs.”
It’s a technique that preserves signature validity while hiding the “malicious code.”
The malware established persistence via multiple mechanisms like “WMI event filters,” “registry modifications” (specifically targeting ‘Image File Execution Options,’ ‘Debugger,’ and ‘MonitorProcess keys’), and abuse of the open-source “Wazuh SIEM agent” for remote access.
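As an added example (not code from the Kaspersky report or from this article), the script below audits a Windows host for the persistence mechanisms listed above: IFEO Debugger values, SilentProcessExit MonitorProcess values, WMI permanent event subscriptions, and an unexpected Wazuh agent service. It assumes an elevated Windows PowerShell 5.1+ session and produces a list of findings for an analyst to review rather than an automatic verdict.

```powershell
# Added audit script; assumes it runs as Administrator on Windows PowerShell 5.1+.
$cv = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-PersistenceFindings {
    $findings = @()

    # 1. IFEO "Debugger": starting <exe> launches the named debugger instead.
    $ifeo = Join-Path $cv 'Image File Execution Options'
    foreach ($k in Get-ChildItem $ifeo -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += [pscustomobject]@{ Kind = 'IFEO Debugger'; Target = $k.PSChildName; Detail = $dbg }
        }
    }

    # 2. SilentProcessExit "MonitorProcess": runs a program whenever <exe> exits
    #    (enabled by GlobalFlag 0x200 under the matching IFEO subkey).
    $spe = Join-Path $cv 'SilentProcessExit'
    foreach ($k in Get-ChildItem $spe -ErrorAction SilentlyContinue) {
        $mon = (Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue).MonitorProcess
        if ($mon) {
            $findings += [pscustomobject]@{ Kind = 'SilentProcessExit MonitorProcess'; Target = $k.PSChildName; Detail = $mon }
        }
    }

    # 3. WMI permanent event subscriptions: a filter bound to a consumer
    #    re-runs the payload every time the filter's event fires.
    $ns = 'root/subscription'
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Kind = 'WMI binding'; Target = $b.Filter.Name; Detail = $b.Consumer.Name }
    }
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Kind = 'WMI CommandLineEventConsumer'; Target = $c.Name; Detail = $c.CommandLineTemplate }
    }

    # 4. A Wazuh agent service on a host where the organisation never deployed one.
    foreach ($s in Get-Service | Where-Object { $_.Name -like '*Wazuh*' -or $_.DisplayName -like '*Wazuh*' }) {
        $findings += [pscustomobject]@{ Kind = 'Service'; Target = $s.Name; Detail = "$($s.DisplayName) ($($s.Status))" }
    }

    return $findings
}

Get-PersistenceFindings | Format-Table -AutoSize -Wrap
```

Legitimate IFEO and WMI entries exist (some security products use them), so compare each finding against the host's known baseline before acting on it.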
The attackers implemented sophisticated defense evasion techniques (“process hollowing through explorer.exe,” “anti-debugging checks,” and “filesystem manipulation using special GUID-based directory names”) to hide malicious components.
The final payload deployed “SilentCryptoMiner,” which was configured to mine privacy-focused cryptocurrencies like ‘Monero’ and ‘Zephyr’ while using process-based ‘stealth mechanisms’ to evade detection, Kaspersky said.
The malware also collected system telemetry (including “CPU specifications,” “GPU details,” “OS version,” and “antivirus information”) and transmitted it through a Telegram bot API; some variants also included clipboard hijacking capabilities that specifically targeted “cryptocurrency wallet addresses.”
Besides targeting Russian users (87.63%), this malicious campaign also targeted users from “Belarus,” “India,” “Uzbekistan,” “Kazakhstan,” “Germany,” “Algeria,” “Czech Republic,” “Mozambique,” and “Turkey.”
The threat actors built their distribution strategy around “compromised websites,” “manipulated YouTube videos,” and “Telegram channels,” targeting users searching for ‘cracked software,’ ‘game cheats,’ and free versions of ‘premium software.’
These users were particularly vulnerable because they often willingly disabled antivirus protection and other security measures in order to install “unofficial software.”
The sophistication of the attack was clear in its “modular structure,” where different payload components could be dynamically loaded based on the objectives of the threat actor.
This illustrates how mass-scale campaigns can incorporate complex and enterprise-grade attack techniques while maintaining “stealth” via advanced “obfuscation methods” and “anti-analysis features.”