News

YouTubers Coerced into Spreading Malware via Blackmail

A malware campaign has been uncovered in which cybercriminals blackmail YouTube creators into distributing malware by threatening them with channel takedowns over fraudulent copyright claims. The campaign primarily targets creators who post videos about bypassing internet restrictions, forcing them to share links to malware-laden archives disguised as the very restriction-bypass tools their audience is looking for.

Key Points of the Campaign

  • Blackmail Tactics: Attackers file fake copyright strikes against YouTubers and threaten them with permanent channel bans unless they post videos containing the attackers' links. The tactic exploits the creators' fear of losing their channels and borrows the credibility of established YouTubers to spread the malware.
  • Malware Distribution: The malware, known as SilentCryptoMiner, is distributed through malicious archives hosted on compromised sites such as gitrok[.]com. It masquerades as a tool for bypassing internet restrictions but operates as a cryptocurrency miner, hijacking the victim's computing power to mine currencies such as Ethereum and Monero.
  • Impact: The campaign has affected over 2,000 victims, primarily in Russia, but the real reach is likely broader given the size of the channels involved. One YouTuber with 60,000 subscribers was coerced into promoting the malware, and the infected file was downloaded more than 40,000 times as a result.
  • Technical Details: The malware uses process hollowing, starting a legitimate system process and replacing its in-memory image with the miner so that the malicious code runs under a trusted process name. It also uses anti-analysis techniques, such as virtual-machine checks, to evade detection by security software.

How the Malware Works

  1. Initial Infection: The victim follows a link from a YouTube video to an archive that claims to contain a restriction-bypass tool but actually carries the loader.
  2. Loader Deployment: The loader retrieves a second-stage payload from hardcoded URLs, checks whether it is running inside a virtual machine, and tampers with the host's security protections.
  3. Persistence and Mining: The malware gains persistence by registering itself as a Windows service and then mines cryptocurrency, pausing its activity whenever monitoring or security-related programs are running so that the CPU load does not give it away.
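Because the miner pauses whenever it sees monitoring tools, looking for a CPU spike is an unreliable way to catch it. The earlier steps leave more durable evidence: a change to the endpoint protection configuration followed shortly by a new service whose binary lives in a user-writable directory. The following is an added example, not code from the original article or from the researchers who analysed the campaign. It correlates constructed Windows event records (Defender configuration-change event 5007 and service-install event 7045; the record fields and message text are assumptions modelled on the real event formats, not captured telemetry) and flags hosts where tampering is followed by persistence within a short window.

```python
"""Triage helper for the loader behaviour described above: Defender tampering
(event 5007) followed by a service installed from a user-writable path (event 7045).
All sample events below are constructed for this example, not real telemetry."""
import re
from datetime import datetime, timedelta

# Service binaries that live under these roots are not where a legitimate
# Windows service normally installs; treat them as suspicious.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)

# Fragments of Defender event 5007 "New value:" text that indicate tampering.
# Registry value names are real Defender settings; the message shape is assumed.
TAMPER_PATTERNS = {
    "exclusion_added": re.compile(r"\\Exclusions\\(Paths|Processes|Extensions)\\", re.I),
    "realtime_disabled": re.compile(r"DisableRealtimeMonitoring\s*=\s*0x1", re.I),
    "antispyware_disabled": re.compile(r"DisableAntiSpyware\s*=\s*0x1", re.I),
}

# Constructed sample events. ws01 mimics the loader: exclusion added, then a
# service installed from ProgramData. ws02 is a noisy but different case: an
# admin disables real-time protection and installs Sysmon from C:\Windows.
SAMPLE_EVENTS = [
    {"time": "2025-03-01T10:00:09", "id": 5007, "host": "ws01",
     "message": r"Microsoft Defender Antivirus Configuration has changed. "
                r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\svc = 0x0"},
    {"time": "2025-03-01T10:00:31", "id": 7045, "host": "ws01",
     "service_name": "WindowsUpdateSvc", "image_path": r"C:\ProgramData\svc\updater.exe"},
    {"time": "2025-03-01T12:15:00", "id": 7045, "host": "ws02",
     "service_name": "Sysmon64", "image_path": r"C:\Windows\Sysmon64.exe"},
    {"time": "2025-03-01T12:14:58", "id": 5007, "host": "ws02",
     "message": r"Microsoft Defender Antivirus Configuration has changed. "
                r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1"},
]


def classify_tamper(event):
    """Return the kind of Defender tampering a 5007 event shows, or None."""
    if event.get("id") != 5007:
        return None
    for kind, pattern in TAMPER_PATTERNS.items():
        if pattern.search(event.get("message", "")):
            return kind
    return None


def is_suspicious_service(event):
    """True for a 7045 event whose service binary sits in a user-writable root."""
    if event.get("id") != 7045:
        return False
    image = event.get("image_path", "").strip('"')
    return bool(USER_WRITABLE.match(image))


def triage(events, window=timedelta(minutes=10)):
    """Walk events in time order and emit findings per host.

    A suspicious service install that lands within `window` after a Defender
    tampering event on the same host is escalated to tamper_then_persistence,
    which is the loader-then-service sequence the campaign relies on."""
    findings = []
    tampers = {}  # host -> list of (timestamp, kind)
    for event in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(event["time"])
        host = event["host"]
        kind = classify_tamper(event)
        if kind:
            findings.append({"host": host, "rule": "defender_tamper", "time": event["time"], "detail": kind})
            tampers.setdefault(host, []).append((when, kind))
            continue
        if is_suspicious_service(event):
            detail = f'{event["service_name"]} -> {event["image_path"]}'
            findings.append({"host": host, "rule": "suspicious_service", "time": event["time"], "detail": detail})
            recent = [k for (t, k) in tampers.get(host, []) if timedelta(0) <= when - t <= window]
            if recent:
                findings.append({"host": host, "rule": "tamper_then_persistence", "time": event["time"],
                                 "detail": f'{", ".join(recent)} then service {event["service_name"]}'})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f'{finding["time"]} {finding["host"]:5} {finding["rule"]:24} {finding["detail"]}')
```

Run against real logs, the same two rules would be fed from the System log (7045) and the Microsoft-Windows-Windows Defender/Operational log (5007), and the correlation window is the knob to tune: the loader chain described above completes in seconds, so a ten-minute window is generous without drowning the signal in unrelated admin activity.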

Defense Strategies

  • Verify Copyright Claims: Real copyright claims and strikes appear in YouTube Studio and are resolved through YouTube's own dispute process. A message demanding that you publish someone else's download link to make a strike go away is extortion, not a takedown notice, and should not be complied with.
  • Report Suspicious Activity: Creators should report such demands to YouTube's abuse team instead of following them, and should warn their audience if they have already posted a link under pressure.
  • Scrutinize Links: Viewers should be cautious when following download links from YouTube videos regardless of the channel's size; this campaign spread through an established channel with 60,000 subscribers, so popularity is no guarantee that a linked file is safe.
