A new information stealer dubbed PennyWise has been flagged as an active threat. It focuses on stealing sensitive browser data and cryptocurrency wallets.

How does the malware spread?

  • The malware is disguised as a free Bitcoin mining program and is promoted through YouTube.
  • Researchers found more than 80 such videos, each with few views, all hosted on a single YouTube channel controlled by the threat actor.
  • Viewers are persuaded to download a password-protected ZIP archive that supposedly contains the advertised mining software. In reality, the archive delivers the PennyWise stealer; the password also keeps the contents away from scanners that cannot open the archive.
 

PennyWise malware characteristics

The malware is multithreaded, which lets it harvest data from many sources in parallel.
  • It resolves the profile paths of the installed browsers and targets more than 30 Chromium-based browsers, more than 5 Mozilla-based browsers, Opera, and Microsoft Edge.
  • It then collects the username, machine name, system language, and timezone from the victim's operating system, converting the timezone to Russian Standard Time.
  • It also records the graphics driver and processor name and writes all of this to a hidden folder under AppData\Local.
  • Next, it runs anti-analysis and anti-detection checks to work out what kind of environment it is executing in.
  • Further checks look for antivirus products and sandboxes that may be running.
 

What does it steal?

  • For each browser it finds, the malware extracts the data saved in it, including login credentials, cookies, encryption keys, and master passwords.
  • Discord tokens and Telegram sessions are stolen as well, and a screenshot of the victim's screen is taken.
  • Wallet files are collected from a list of predefined folders, and cryptocurrency wallet extensions in Chromium-based browsers are also targeted.
  • Once collection is complete, the data is compressed, sent to an attacker-controlled server, and then deleted from the computer.
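The behaviour described above (reads of browser, Discord, Telegram and wallet stores by a process that does not own them, loot staged in a hidden folder under AppData\Local, then compress, send and delete) can be turned into a hunting rule over endpoint telemetry. The block below is an added example and is not code from the original article or from the researchers who analysed PennyWise. It assumes an EDR that logs per-process file reads, writes, deletes and outbound connections; the Event layout, the glob patterns, the owner-process allowlist, the process name btc_miner.exe and every telemetry line are constructed for illustration.

```python
"""Hunt for PennyWise-style credential theft in endpoint file-access telemetry.

Added example for illustration; not the article's or the researchers' code.
Assumes an EDR feed of per-process file reads/writes/deletes and outbound
connections. The event layout and all sample data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Stores the article says the stealer reads, grouped by category. Each entry
# is (processes that legitimately own the store, lower-case glob patterns).
TARGETS = {
    "browser_credentials": (
        {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"},
        [r"*\appdata\local\google\chrome\user data\*\login data",
         r"*\appdata\local\google\chrome\user data\local state",
         r"*\appdata\local\microsoft\edge\user data\*\login data",
         r"*\appdata\roaming\opera software\opera stable\login data",
         r"*\appdata\roaming\mozilla\firefox\profiles\*\logins.json",
         r"*\appdata\roaming\mozilla\firefox\profiles\*\key4.db"],
    ),
    "browser_cookies": (
        {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"},
        [r"*\appdata\local\google\chrome\user data\*\network\cookies",
         r"*\appdata\roaming\mozilla\firefox\profiles\*\cookies.sqlite"],
    ),
    "discord_token": ({"discord.exe"},
                      [r"*\appdata\roaming\discord\local storage\leveldb\*"]),
    "telegram_session": ({"telegram.exe"},
                         [r"*\appdata\roaming\telegram desktop\tdata\*"]),
    "wallet": (
        {"exodus.exe", "electrum.exe", "chrome.exe", "msedge.exe", "brave.exe"},
        [r"*\appdata\roaming\exodus\exodus.wallet\*",
         r"*\appdata\roaming\electrum\wallets\*",
         r"*\appdata\local\google\chrome\user data\*\local extension settings\*"],
    ),
}
STAGING = r"*\appdata\local\*"   # where the article says the loot is staged


@dataclass(frozen=True)
class Event:
    ts: int       # seconds since epoch
    pid: int
    image: str    # process image name, e.g. "chrome.exe"
    action: str   # "read" | "write" | "delete" | "connect"
    target: str   # file path, or "ip:port" for connect


def classify(path):
    """Return the category a path belongs to, or None if it is not sensitive."""
    low = path.lower()
    for category, (_owners, patterns) in TARGETS.items():
        if any(fnmatchcase(low, p) for p in patterns):
            return category
    return None


def staged_exfil_wipe(events):
    """True if a process wrote a file under AppData\\Local, then connected
    out, then deleted that same file: the collect, send, wipe sequence."""
    staged = {}
    for ev in events:
        t = ev.target.lower()
        if ev.action == "write" and fnmatchcase(t, STAGING):
            staged[t] = "written"
        elif ev.action == "connect":
            staged = {k: "sent" for k in staged}
        elif ev.action == "delete" and staged.get(t) == "sent":
            return True
    return False


def hunt(events, min_categories=2):
    """Map pid -> finding for processes that read sensitive stores they do
    not own in at least `min_categories` categories."""
    touched, timeline, image_of = defaultdict(set), defaultdict(list), {}
    for ev in sorted(events, key=lambda e: e.ts):
        image_of[ev.pid] = ev.image.lower()
        timeline[ev.pid].append(ev)
        if ev.action == "read":
            cat = classify(ev.target)
            if cat and image_of[ev.pid] not in TARGETS[cat][0]:
                touched[ev.pid].add(cat)
    return {
        pid: {"image": image_of[pid], "categories": sorted(cats),
              "staged_exfil_wipe": staged_exfil_wipe(timeline[pid])}
        for pid, cats in touched.items() if len(cats) >= min_categories
    }


# Constructed telemetry: legitimate owners touching their own stores, then a
# hypothetical "btc_miner.exe" (the fake miner) sweeping every category.
A = r"C:\Users\alice\AppData"
SAMPLE_EVENTS = [
    Event(1000, 4100, "chrome.exe", "read", A + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(1001, 4210, "Discord.exe", "read", A + r"\Roaming\discord\Local Storage\leveldb\000005.ldb"),
    Event(1100, 5312, "btc_miner.exe", "read", A + r"\Local\Google\Chrome\User Data\Local State"),
    Event(1100, 5312, "btc_miner.exe", "read", A + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(1101, 5312, "btc_miner.exe", "read", A + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    Event(1101, 5312, "btc_miner.exe", "read", A + r"\Roaming\Mozilla\Firefox\Profiles\ab12.default\logins.json"),
    Event(1102, 5312, "btc_miner.exe", "read", A + r"\Roaming\discord\Local Storage\leveldb\000005.ldb"),
    Event(1102, 5312, "btc_miner.exe", "read", A + r"\Roaming\Telegram Desktop\tdata\key_datas"),
    Event(1103, 5312, "btc_miner.exe", "read", A + r"\Roaming\Exodus\exodus.wallet\seed.seco"),
    Event(1105, 5312, "btc_miner.exe", "write", A + r"\Local\x9k2\loot.zip"),
    Event(1106, 5312, "btc_miner.exe", "connect", "203.0.113.10:443"),   # TEST-NET address
    Event(1107, 5312, "btc_miner.exe", "delete", A + r"\Local\x9k2\loot.zip"),
]

if __name__ == "__main__":
    for pid, finding in hunt(SAMPLE_EVENTS).items():
        print(pid, finding)
```

The owner allowlist is what keeps this from firing on every browser start: Chrome reading its own Login Data is normal, a process extracted from a "miner" archive reading it is not. Requiring two or more categories cuts noise from backup agents that touch a single store, and the staged-exfil-wipe flag is a second, independent signal so that a stealer which reads only one category still stands out when it compresses, uploads and deletes.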
 

How to protect yourself from this threat?

  • Never download software from unverified or untrustworthy sources, including links in video descriptions.
  • Never disable antivirus to install a new application; an installer that demands this is a red flag.
  • Keep the antivirus or security product running on the computer patched and up to date.
  • Avoid storing credentials in the browser. A stealer running under the user's account can read the browser's password store with the same rights the browser has, so prefer a separate password manager that must be unlocked.
Cyware Publisher