Earlier this month, FortiGuard Labs encountered an active campaign targeting YouTube users who browse the platform for pirated software. Verified YouTube channels with a significant subscriber base were found to upload videos promoting the download of such software.
Unwitting victims end up installing multiple malware strains that carry out various nefarious activities, including credential harvesting, cryptojacking, and the theft of cryptocurrency funds from wallets.
Diving into details
Malicious videos were uploaded in clusters by cybercriminals; a single YouTube account posted more than 50 videos within an eight-hour timeframe, each promoting various pirated software that ultimately directs users to the same URL.
The URL and the archive password, typically four numeric digits, are conveniently placed in the video's description and comments section.
The links lead to a password-protected archive, such as "2O23-F1LES-S0ft.rar", hosted on a file-sharing service.
Potential victims are instructed to extract the RAR archive with the provided password and run the .exe file inside.
The malware trio
The malicious components involved in the attack can be summarized as follows:
Launcher_S0FT-2O23.exe: This is the Vidar info-stealer, which pads the file with more than 1GB of unused bytes. The padding aims to evade antivirus engines and sandboxes that skip or time out on very large files because of their limited CPU and RAM resources.
Laplas Clipper: This clipboard hijacker continuously monitors the Windows clipboard for content matching patterns retrieved from its C2 server and replaces the original payee's wallet address with the threat actor's address, diverting the funds to the attacker's control.
Task32Main: This is a Monero miner installer that maintains persistence and evades antivirus.
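The padding trick described for the Vidar sample above works because many scanners enforce a file-size cap and skip anything past it. A defender does not need to read the whole file to spot it: the PE headers say where the last section's raw data ends, so everything after that offset is overlay, and a huge, near-zero-entropy overlay is the signature of padding. The following Python script is an added illustration written for this summary, not FortiGuard's tooling; it parses the PE section table with the standard library only, samples the overlay instead of hashing it, and the thresholds (90% overlay ratio, 1 MiB minimum, entropy at or below 1.0 bits per byte) are assumptions chosen for the example. The `build_minimal_pe` helper constructs a synthetic, non-executable PE-shaped byte string so the script can run offline without any real sample.

```python
import math
import struct
from collections import Counter

# Hypothetical thresholds chosen for this example (not taken from the report).
OVERLAY_RATIO_THRESHOLD = 0.90   # overlay accounts for >= 90% of the file
MIN_OVERLAY_BYTES = 1024 * 1024  # ignore small overlays (installers and signatures have them)
LOW_ENTROPY_THRESHOLD = 1.0      # bits per byte; pure zero padding scores 0.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated value, at most 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def end_of_last_section(pe: bytes) -> int:
    """Return the file offset where the last PE section's raw data ends.

    Walks DOS header -> PE signature -> COFF header -> section table.
    Raises ValueError if the bytes are not a PE image.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt_header = struct.unpack_from("<H", pe, coff + 16)[0]
    section_table = coff + 20 + size_opt_header
    end = 0
    for i in range(num_sections):
        hdr = section_table + i * 40                 # each IMAGE_SECTION_HEADER is 40 bytes
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, ptr_raw + size_raw)
    return end


def analyze_overlay(pe: bytes, sample_size: int = 64 * 1024) -> dict:
    """Measure the overlay (bytes past the last section) and the entropy of a sample of it.

    Only a bounded sample is inspected: the whole point of the padding trick is to
    exhaust scanners that insist on reading a multi-gigabyte file end to end.
    """
    last = end_of_last_section(pe)
    total = len(pe)
    overlay_size = max(0, total - last)
    ratio = overlay_size / total if total else 0.0
    entropy = shannon_entropy(pe[last:last + sample_size])
    suspicious = (
        overlay_size >= MIN_OVERLAY_BYTES
        and ratio >= OVERLAY_RATIO_THRESHOLD
        and entropy <= LOW_ENTROPY_THRESHOLD
    )
    return {
        "file_size": total,
        "overlay_size": overlay_size,
        "overlay_ratio": round(ratio, 4),
        "overlay_entropy": round(entropy, 3),
        "suspicious": suspicious,
    }


def build_minimal_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Construct a synthetic, non-executable PE-shaped byte string for testing.

    Layout: 64-byte DOS header, PE signature, 20-byte COFF header with no optional
    header, one section header, the section's raw data, then an optional overlay.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections=1, timestamp/symbols zero, SizeOfOptionalHeader=0
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    section_offset = e_lfanew + 4 + 20 + 40            # headers end at 0x80
    sect = (b".text".ljust(8, b"\0")
            + struct.pack("<IIII", len(section_data), 0x1000, len(section_data), section_offset)
            + b"\0" * 16)
    image = dos + b"PE\0\0" + coff + sect
    return image + section_data + overlay


if __name__ == "__main__":
    clean = build_minimal_pe(b"\xC3" * 512)                               # no overlay
    padded = build_minimal_pe(b"\xC3" * 512, b"\0" * (2 * 1024 * 1024))   # 2 MiB zero tail
    for name, sample in (("clean", clean), ("padded", padded)):
        print(name, analyze_overlay(sample))
```

The rule deliberately combines three signals. Legitimate self-extracting installers and Authenticode-signed binaries also carry an overlay, but theirs is compressed or structured data with high entropy and rarely dwarfs the image itself; a tail that is almost the entire file and consists of repeated bytes is what the padding technique produces. The practical lesson for scanner configuration is the same: a size cap that silently skips large files is exactly the gap this sample exploits, whereas header-driven parsing plus sampling costs almost nothing regardless of file size.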
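The Laplas Clipper behaviour above has a recognisable timing signature: a wallet address lands on the clipboard when the user copies it, and within a fraction of a second it is replaced by a different address of the same format, something a human does not do. The Python script below is an added example for this summary, not code from FortiGuard Labs or from the malware; it runs that heuristic over a constructed sequence of clipboard polls. The address patterns are simplified shapes for Bitcoin, Ethereum and Monero addresses, the two-second window is an assumed threshold, and the sample addresses and timestamps are made up. A real monitor on Windows would register for change notifications (for example via `AddClipboardFormatListener` in user32) rather than poll, but the comparison logic is the same.

```python
import re
from dataclasses import dataclass

# Simplified address shapes for this example (a clipper targets formats like these).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr": re.compile(r"^4[0-9A-Za-z]{94}$"),
}
SWAP_WINDOW_SECONDS = 2.0  # assumed: a human does not re-copy a different address this fast


@dataclass(frozen=True)
class ClipboardSample:
    t: float    # seconds since monitoring began
    text: str   # clipboard text observed at that moment


def address_kind(text: str):
    """Return which wallet-address shape the text matches, or None."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


def detect_clipboard_swaps(samples, window=SWAP_WINDOW_SECONDS):
    """Flag clipboard changes where an address is replaced by a different address
    of the same kind within `window` seconds of first appearing.

    Returns a list of (time, old_address, new_address, kind) tuples.
    """
    alerts = []
    current_text, first_seen = None, None
    for s in samples:
        text = s.text.strip()
        if text == current_text:
            continue  # unchanged poll: content is still what it was
        if current_text is not None:
            old_kind, new_kind = address_kind(current_text), address_kind(text)
            if old_kind is not None and old_kind == new_kind and (s.t - first_seen) <= window:
                alerts.append((s.t, current_text, text, new_kind))
        current_text, first_seen = text, s.t
    return alerts


# Constructed sample addresses (valid in shape only, not real wallets).
VICTIM_BTC = "bc1qvictim" + "0" * 32
ATTACKER_BTC = "bc1qattacker" + "0" * 30
USER_ETH = "0x" + "ab" * 20
OTHER_ETH = "0x" + "cd" * 20

# Constructed poll log: user copies the payee's address, it is swapped 300 ms later;
# much later the user legitimately copies two different ETH addresses 55 s apart.
SAMPLE_POLLS = [
    ClipboardSample(0.0, "meeting notes"),
    ClipboardSample(10.0, VICTIM_BTC),
    ClipboardSample(10.3, ATTACKER_BTC),
    ClipboardSample(10.6, ATTACKER_BTC),
    ClipboardSample(40.0, USER_ETH),
    ClipboardSample(95.0, OTHER_ETH),
    ClipboardSample(96.0, "some other text"),
]


if __name__ == "__main__":
    for t, old, new, kind in detect_clipboard_swaps(SAMPLE_POLLS):
        print(f"[{t:6.1f}s] possible clipper: {kind} address {old} replaced by {new}")
```

The check fires only on same-kind replacement inside the window, so copying an address and then a sentence of text, or copying two addresses minutes apart, stays quiet. False positives remain possible for someone who rapidly copies two addresses of the same currency, which is why the practical user-side defence is the one every wallet vendor repeats: compare the first and last characters of the pasted address against the intended one before confirming a transaction.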
The bottom line
This campaign brings to light the dangers of downloading pirated software, which serves as a gateway for threat actors seeking to harvest credentials, sensitive data, and cryptocurrency. Furthermore, once the system is compromised, attackers use it for cryptojacking. Users are urged not to fall for cracked software offers on YouTube or anywhere else.