
Cybercrime, YouTube increasingly used to spread password-stealing malware

Cluster25 cybersecurity researcher Frost told BleepingComputer that YouTube videos are increasingly being used to spread password-stealing malware. Two campaigns are running simultaneously, spanning thousands of videos and channels: one pushes RedLine and the other Raccoon Stealer.

Cybercrime actors are increasingly exploiting YouTube videos to spread password-stealing malware. The trend was identified by Cluster25 cybersecurity researcher Frost, who told BleepingComputer that there has been a significant uptick in YouTube campaigns distributing password-stealing Trojans. According to him, two clusters of malicious activity are being conducted simultaneously: one pushing RedLine and the other Raccoon Stealer. Thousands of videos and channels have been created as part of this campaign, with 100 new videos and 81 channels appearing in just twenty minutes. Frost explained that the threat actors use the Google accounts they steal to launch new YouTube channels that spread more malware, creating a self-sustaining and ever-growing cycle.

How the cyberattacks via YouTube work

The attacks start with the threat actors creating numerous YouTube channels filled with videos about software cracks, licenses, how-to guides, cryptocurrency, mining, game cheats, VPN software, and pretty much any other popular category. Each video explains how to perform a task using a specific program or utility, and its description includes a link that supposedly leads to that tool but actually distributes the malware. If the description contains a bit.ly link, it leads to a file-sharing site hosting the RedLine password-stealing malware. If it instead includes an unshortened domain, it redirects to a page on the taplink[.]cc domain that pushes Raccoon Stealer. Once a device is infected, the malware scans all installed browsers and the computer itself for cryptocurrency wallets, credit cards, passwords, and other data, and uploads what it finds to the attacker.
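As an added illustration, not part of the original article or of the researcher's own tooling, the Python script below triages a batch of video descriptions the way an analyst hunting for this campaign might: it extracts every URL, defangs it so the indicator is safe to paste into a ticket, and sorts it into the two link patterns the article reports (a bit.ly shortener versus a taplink[.]cc landing page). The sample descriptions are constructed, the shortener list beyond bit.ly is an assumption, and the family labels only follow the article's reported mapping as a triage hint; they are not proof of which payload sits behind a given link.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Constructed sample video descriptions (not real campaign data).
SAMPLE_DESCRIPTIONS = [
    "Free Premium VPN 2022 - works 100%\nDownload: https://bit.ly/3xAmPl3\nPassword: 1234",
    "Crypto miner setup guide. Get the tool here: https://taplink.cc/some_channel_name",
    "Official docs only: https://docs.python.org/3/ and https://github.com/example/tool",
]

# bit.ly is the shortener named in the article; the others are an assumption
# about shorteners commonly abused in similar campaigns.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "cutt.ly", "t.co"}
# Landing-page host reported in the article for the Raccoon Stealer cluster.
LANDING_DOMAINS = {"taplink.cc"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Finding:
    url: str               # defanged indicator, safe to share
    category: str          # "shortener", "landing_page" or "other"
    suspected_family: str  # triage hint from the article's mapping, else "unknown"


def normalize_host(url: str) -> str:
    """Lower-case the host and drop a leading 'www.' so set lookups match."""
    host = urlparse(url).netloc.lower()
    return host[4:] if host.startswith("www.") else host


def defang(url: str) -> str:
    """Make the URL non-clickable: hxxp scheme and '[.]' inside the host."""
    netloc = urlparse(url).netloc
    defanged_host = netloc.replace(".", "[.]")
    return url.replace(netloc, defanged_host).replace("http", "hxxp", 1)


def classify_url(url: str) -> Finding:
    """Map a single URL onto the two link patterns the article describes."""
    host = normalize_host(url)
    if host in SHORTENER_DOMAINS:
        # Only bit.ly is tied to RedLine in the article; other shorteners stay unknown.
        family = "RedLine" if host == "bit.ly" else "unknown"
        return Finding(defang(url), "shortener", family)
    if host in LANDING_DOMAINS:
        return Finding(defang(url), "landing_page", "Raccoon Stealer")
    return Finding(defang(url), "other", "unknown")


def triage_description(text: str) -> List[Finding]:
    """Extract every URL from one description and classify it."""
    # Strip trailing punctuation that the regex may have swallowed.
    return [classify_url(u.rstrip(".,);")) for u in URL_RE.findall(text)]


def triage_all(descriptions: List[str]) -> List[List[Finding]]:
    return [triage_description(d) for d in descriptions]


if __name__ == "__main__":
    for desc, findings in zip(SAMPLE_DESCRIPTIONS, triage_all(SAMPLE_DESCRIPTIONS)):
        print(repr(desc.splitlines()[0]))
        for f in findings:
            print(f"  {f.category:12} {f.suspected_family:16} {f.url}")
```

Anything landing in the "shortener" or "landing_page" bucket is a candidate for follow-up (resolving the redirect in a sandbox, checking the hosted file's hash), while the "other" bucket is left for manual review rather than silently discarded.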
