YouTube Channels Are Being Used to Spread Malware

Cryptominer, malicious videos, malware, NirCmd, Ophtek, redline stealer, YouTube, , , , , ,
04
Oct 2022

Following the discovering of a malware campaign spreading through YouTube channels, it appears that no corner of the internet is immune from hackers.

It’s increasingly common for businesses to run a YouTube channel as part of their marketing efforts, with over 60% of businesses regularly uploading videos. And with YouTube regularly attracting 5 billion daily video views, you can see why it’s an attractive target for threat actors. Thankfully, you can’t be hacked simply by watching a video on YouTube. However, you do need to consider the legitimacy of each video’s content and, more importantly, how safe the embedded links within these videos are.

How Does YouTube Spread Malware?

This latest threat to online safety appears, at present, to be concentrating on YouTube gaming channels, with a specific focus on those which cover games including Final Fantasy, FIFA and Spider-Man. The malware involved is what’s known as a malware bundle i.e. it contains several different strains of malware, with RedLine being the most dominant piece of malware.

The malware spreads through YouTube by uploading malicious videos to infected channels. These malicious videos may appear to be on-brand with the channel e.g. links to cheats for FIFA, but the payload will actually be the same malware which has infected the channel. Therefore, this malware bundle can spread through numerous niche-specific channels by using the same content.

What Does the Malware Bundle Do?

The malware contained within this attack comprises several different attack methods:

  • RedLine: the most substantial piece of malware found in the attack, RedLine harvests confidential data from those it infects e.g. downloading login credentials, accessing cryptocurrency wallets and extracting data entered into web browsers.
  • NirCmd: this application is, in fact, a genuine piece of software, but it’s one which provides the threat actors with a layer of stealth. Once activated, NirCmd conceals the activities of the malware it’s bundled with and makes the attack difficult to identify.
  • Cryptominer: interestingly, a cryptominer which hijacks the resources of the victim’s graphics card is also included. This is considered interesting as the attack targets gamers, a demographic who are likely to possess powerful graphics cards.

Staying Safe on YouTube

YouTube is a crucial asset in the business world, but this recent attack demonstrates it also carries security risks. Your organization may not run a gaming channel, but it’s likely this template will soon be replicated in other niches. Accordingly, it’s essential that you follow these two important practices:

  • Doublecheck links: when viewing videos on YouTube, it’s vital that you treat their links in the same way you would in an email. Always hover your mouse over any links (and that includes those in the video description) to reveal the true destination, copy and paste links into Google to highlight any existing concerns and, finally, ask an IT professional to verify them before clicking.
  • Regularly check your video library: if your organization hosts a YouTube channel, it’s recommended you keep an eye on the videos uploaded to it. The sudden appearance of videos you have no record of uploading may be the only indicator you have that your channel has been hacked.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Malware Links Are Being Spread Through YouTube

antivirus software, malicious links, malicious websites, malware, Ophtek, Updates, YouTube, , , , , ,
02
Nov 2021

YouTube is one of the most popular destinations online thanks to the entertainment it offers. But where there are lots of people, there are always hackers.

Close to 43% of internet users visit YouTube at least once a month, so this is a significant amount of traffic. Accordingly, this presents hackers with a huge audience to target. Hacking YouTube directly is difficult, so hackers are unlikely to succeed in embedding malware into videos. However, you can embed URLs into video descriptions. These are usually used to redirect the viewer to a destination that is related to the contents of the video. For example, a video advertising a brand’s product may include a link to that product in the video description. But the truth is, this link could take you anywhere.

Spreading Malware on YouTube

Using malicious links on YouTube is nothing new, but security researchers have noted that this technique has been growing in popularity recently. In particular, two specific Trojans have been detected: Raccoon Stealer and RedLine. One of the main reasons that hackers have been targeting YouTube is down to the Google accounts they have already stolen. Setting up a YouTube channel requires you to have a Google account, so it makes sense for hackers to take advantage of YouTube.

The fake YouTube channels are then used to host videos related to topics such as VPNs, malware removal and cryptocurrency. Each video will center around a particular call-to-action, most likely involving the download of a tool e.g. a malware removal application. Viewers will be encouraged to download this from the link in the video description. These links appear to either use a bit.ly or taplink.cc address to redirect users to malicious websites. The users are then instructed to download the relevant tool. Unfortunately, all it will download is malware.

This malware is used to scan PCs for login credentials, cryptocurrency wallets and credit card details before transmitting it to a remote server. The hacker behind the attack can then harvest this data and continue to steal further data from the victim.

Remaining Vigilant Online

The number of threats we face daily seems to be rising daily and it may feel that being vigilant online is an exhausting job. However, it’s crucial for your safety that you remember the basics of online security:

  • Be Wary of All Online Links: Even the biggest and most secure websites are at risk of being compromised. YouTube is one of the most popular sites online and yet it still houses hackers in plain view. Therefore, the likelihood of coming across malicious links online is highly likely. Therefore, verify all links before clicking them. A good way to do this is by highlighting the link, copying it and then posting it into Google to see if it brings up any red flags.
  • Always Use Antivirus Software: It’s likely, at some point, that you will fall for an infected link at some point. But this doesn’t mean you should remain at the mercy of the malware. You can limit the damage caused by malware by always using antivirus software. This will automatically scan your PC throughout the day and identify any malware. In many cases it will even check all downloaded files and scan them before opening.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More
Youtube ads serving up malicious code
Youtube ads serving up malicious code

Hackers Use YouTube Videos to Serve Up Malware Ads

Security, , , ,
12
Mar 2014

image_thumb

Make sure you have your firewall up!

With over 1 billion users, YouTube is one of the most visited sites on the web, but its incredible popularity is also drawing in criminals and viruses.  Cyber criminals are always looking for new ways to exploit popular platforms, and YouTube is not an exception.

Recently, it was discovered that YouTube videos were serving up ads that contained the necessary precursors for an attacker to inject malware into a targeted machineAccording to a Bromium Labs, the cyber criminals were leveraging holes in systems running Java, and if that was the case a Banking Trojan belonging to the Caphaw family was dropped locally onto the user’s computer.  Another reason to keep your Java up to date.

Once a connection with the victim’s machine is established, the malware then tries to connect with domains which are likely based in Europe.

image_thumb1

It’s as easy as 1-2-3.

The YouTube malware ad was delivered in the following manner:

  1. User watches YouTube video
  2. User sees an appealing thumbnail embedded in and clicks on it to watch another video
  3. Once the thumbnail is clicked, the machine opens up the malware ad in the background (served by Google Ads)
  4. Malware then redirects the user to ‘foulpapers.com’
  5. The malicious website then serves up iFrames with the aecua.nl domain
  6. Aecua.nl then detects the system’s Java version and drops the malware onto the victim’s machine

Casual YouTubers may never even notice that their machine was the target of such an attack.  Cyber criminals will often put some work into promoting their YouTube videos to make them seem legitimate and worth watching.  A video containing such exploits may contain thousands or even hundreds of views, so it is only after the damage is done that one will notice his machine is infected.

As always, we advise everyone to take the necessary precautions to prevent such an attack by installing and updating their antivirus software.  It is also recommended that people disable Java unless it is absolutely necessary for running verified/safe services and applications.

For further help keeping your office or home computers secure against such attacks, contact our IT support services.

Read More