Malicious Actors Using YouTube to Distribute Malware


Information stealing malware is being delivered on YouTube disguised as pirated software and video game “cracks,” reports cybersecurity firm Proofpoint.

The malware, including the Vidar, StealC, and Lumma Stealer families, was distributed through malicious links placed in video descriptions, which ultimately led to the download of the information stealers.

According to Cybernews, the videos, which claimed to show the viewers how to download software or upgrade video games for free, belonged mostly to accounts that appeared to be compromised or otherwise acquired from legitimate users. Researchers also reported observing accounts that were likely created and controlled by threat actors to exclusively deliver malware, with many being active for only a few hours.

Selena Larson, senior threat intelligence analyst at Proofpoint, said: “The use of a popular video-sharing platform to distribute malware illustrates that threat actors continue to use well-known brands to entice users to engage with malicious content.”

Larson further explained that these videos target individual users, who do not have the same resources and knowledge to defend themselves from attackers as companies and enterprises do. Many videos even feature games that are popular with children, who are especially vulnerable.

“And while attacks on individual users may not result in the same level of financial gain for threat actors as attacks on corporations, the victims likely still have data like credit cards, cryptocurrency wallets, and other personally identifiable information (PII) stored on their computers which can be lucrative to criminals,” concluded Larson.

Proofpoint also points out that long gaps between uploads, combined with new content that differs significantly from an account's previously published videos, could indicate that the account was compromised or acquired by malicious actors. For example, one such account found by the researchers was a verified YouTube channel with 113,000 subscribers. While the majority of its videos had been posted over a year earlier and were all in Thai, it had 12 new English-language videos about popular video games and software cracks posted within 24 hours of discovery, all containing links to malicious content. Furthermore, some of those videos had over 1,000 views, counts that were possibly boosted artificially by bots to make the videos appear more legitimate to unsuspecting victims.
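The compromise indicators described above (a long dormancy gap, a sudden burst of uploads, a switch in language or topic, and download links in every new description) can be turned into a simple triage score for a channel's upload history. The following is an added example written for this page; it is not Proofpoint's tooling or code from the article. The record layout, the thresholds, and the two sample channels are all constructed assumptions for illustration, and the URLs are defanged placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (assumed schema, not the YouTube API):
# each record is (upload time, language code, title, description).
# Modelled on the article's example: old Thai videos, then a burst of
# English "crack" videos with download links in every description.
SUSPECT_UPLOADS = [
    (datetime(2022, 11, 3), "th", "สอนใช้โปรแกรมตัดต่อ", "ขอบคุณที่รับชม"),
    (datetime(2022, 12, 20), "th", "รีวิวเกมใหม่", "ติดตามช่องของเรา"),
    (datetime(2024, 2, 10, 9, 0), "en", "Free game crack 2024", "Download: hxxp://placeholder.invalid/a.zip"),
    (datetime(2024, 2, 10, 10, 30), "en", "Software crack full version", "Link: hxxp://placeholder.invalid/b.zip"),
    (datetime(2024, 2, 10, 12, 0), "en", "Free download unlocked", "Get it: hxxp://placeholder.invalid/c.zip"),
    (datetime(2024, 2, 10, 14, 15), "en", "Crack for popular game", "Here: hxxp://placeholder.invalid/d.zip"),
    (datetime(2024, 2, 10, 17, 45), "en", "Free cheat pack", "Download: hxxp://placeholder.invalid/e.zip"),
    (datetime(2024, 2, 10, 20, 0), "en", "Crack installer 2024", "Mirror: hxxp://placeholder.invalid/f.zip"),
]

# Constructed benign history: steady uploads, one language, no links.
BENIGN_UPLOADS = [
    (datetime(2024, 1, 5), "en", "Weekly vlog 1", "Thanks for watching"),
    (datetime(2024, 2, 5), "en", "Weekly vlog 2", "See you next month"),
    (datetime(2024, 3, 5), "en", "Weekly vlog 3", "Comments welcome"),
]

# Matches plain and defanged (hxxp) URLs in a description.
LINK_RE = re.compile(r"\b(?:https?|hxxps?)://\S+", re.I)
# Lure wording taken from the article's description of the videos.
LURE_RE = re.compile(r"\b(crack|free download|cheat)\b", re.I)


def extract_links(text):
    """Return all URL-like tokens found in a description."""
    return LINK_RE.findall(text)


def assess_channel(uploads, gap_days=365, burst_window=timedelta(hours=24), burst_min=5):
    """Score a channel's upload history against the account-takeover indicators.

    Thresholds (gap_days, burst_window, burst_min) are assumed values for
    illustration. Returns (indicators dict, number of indicators that fired).
    """
    history = sorted(uploads, key=lambda u: u[0])
    latest = history[-1][0]
    # The "burst" is everything uploaded within burst_window of the newest video.
    burst = [u for u in history if latest - u[0] <= burst_window]
    older = [u for u in history if latest - u[0] > burst_window]

    indicators = {
        "upload_burst": len(burst) >= burst_min,
        "long_dormancy": False,
        "language_shift": False,
    }
    if older:
        dormancy = burst[0][0] - older[-1][0]
        indicators["long_dormancy"] = dormancy >= timedelta(days=gap_days)
        # A complete change of language between old and new content.
        indicators["language_shift"] = {u[1] for u in older}.isdisjoint(u[1] for u in burst)

    # Every new video carries an outbound link, and the titles use crack/cheat lures.
    indicators["links_in_every_description"] = all(extract_links(u[3]) for u in burst)
    indicators["crack_lure_titles"] = any(LURE_RE.search(u[2]) for u in burst)

    return indicators, sum(indicators.values())


if __name__ == "__main__":
    for name, data in (("suspect", SUSPECT_UPLOADS), ("benign", BENIGN_UPLOADS)):
        flags, score = assess_channel(data)
        print(name, score, [k for k, v in flags.items() if v])
```

Each indicator is weak on its own (a hobby channel can go quiet for a year), so the score is meant as a prioritisation hint for review rather than a verdict; the suspect history above fires all five indicators, the benign one fires none.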