Beware of the links you click on in YouTube video descriptions! Hackers use it to distribute malware called Aurora, which steals personal information from the infected device.
Cybercriminals stop at nothing to spread their malware and steal all kinds of sensitive information. For some time they have been using YouTube as a distribution channel for their malware. Moreover, a particularly ingenious phishing campaign about an update of the conditions of use of the platform is currently taking place (see our article). Researchers from Morphisec also discovered on YouTube the spread of a loader – a pprogram whose function is to load other programs – named “in2al5d p3in4er” – reads “invalid printer” –, whose objective is to deploy the famous Aurora malware. The latter is a Trojan horse that steals information from the infected device, including identifiers stored in browsers and in the system, but also the contents of cryptocurrency wallets.
Aurora: a particularly popular Trojan horse
While the stealer market has long been dominated by two particularly popular malware, namely Redline and Racoon, a third player silently appeared in 2022 and quickly established itself in the criminal hacker community: the Aurora malware. At first, it was a versatile botnet – for example, it was used to disrupt and attack sites – before it “specialized” in information theft. To spread, it goes through fake sites, social networks or video distribution and sharing platforms, such as YouTube.
It can usually be found for sale on specialized Dark Web forums for the sum of 250 dollars per month or 1,500 euros for life – yes, the cybercrime market also works with subscriptions. It is popular with those looking to hack into cryptocurrency accounts and wallets.
Aurora: malware disguised as a legitimate application
To begin with, cybercriminals take over popular YouTube accounts to post videos that contain links to fraudulent websites in their descriptions. The videos are believable, with quality thumbnails. To increase their visibility, hackers do not hesitate to use search engine optimization (SEO) tags so that they are ranked higher in search results. This is the case of the Abu Ali poultry channel, which offers videos to obtain pirated versions of Adobe Audition or Adobe Animate and which accumulate several hundred views in just a few hours.
When the victim clicks on the link in description, he is redirected to a decoy site where he is invited to download the software promised in the video. These decoy sites are identical to the original sites, with similar URLs, logos and brands to be as convincing as possible. They may even use geo-targeting to deliver content based on the victim’s geolocation. Of course, the latter actually downloads a loader that installs Aurora.
The loader to download Aurora is compiled with the Embarcadero RAD Studio application in order to be more difficult to detect thanks to an advanced so-called “anti-virtual machine” technique. Once installed, the stealer searches the folders of browsers until it finds files that interest it, such as a password manager on the off chance. It will then extract them and send them to an external server, giving cybercriminals plenty of time to resell the stolen data or to connect to different accounts to impersonate the victim or steal money. That’s why you have to be careful when clicking on links, including on YouTube, especially if it’s low-view content with enticing promises, like free access to paid software. through an executable. In general, it’s too good to be true…