Posted on March 29, 2018 at 8:22 AM
Gamers beware. The next hack video you watch could come with a nasty Trojan attached. Cybercriminals are posting malicious links in video comments to trick you into downloading their malware, which steals login credentials, copies documents and more.
Reading the comments on a YouTube video is risky enough as it is: trolls, angry rants and general rudeness are par for the course. Now YouTube is again being used to spread malicious software. A new Trojan is being distributed through links posted in YouTube comment threads, most often under videos about gaming hacks and cheats. The Trojan, written in Python, has been dubbed Trojan.PWS.Stealer.23012 by researchers at the Russian anti-virus vendor Dr. Web.
Dr. Web says the malicious links are presented to viewers as new sources of game cheats and lead to a Yandex Disk server hosting what look like legitimate videos for gamers. Clicking the link downloads a RAR archive that carries the Trojan. Once running, the Trojan collects files with a wide range of extensions, including .txt, .doc, .pdf and .jpg, and also harvests saved login credentials and cookies from Chrome, Vivaldi, Opera and other browsers. Dr. Web first noticed something was off when it tried to verify the comments on the videos hosted on the Yandex server: all of them were fake, posted from bogus profiles by the criminals themselves to make the videos look as though real users had vetted them.
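As a practical check, here is an added example (not from the article and not Dr. Web's code) of the kind of web-proxy log hunt a defender could run for the delivery chain described above: a YouTube page referring the browser to Yandex Disk, followed by a RAR download from it. The log layout, the list of Yandex Disk host names and the sample log lines are all constructed for illustration and are assumptions, not facts from the report.

```python
"""Hunt for the YouTube-comment -> Yandex Disk -> RAR delivery chain in proxy logs.

Added example, not the article's or Dr. Web's own code. The log layout,
the Yandex Disk host list and the sample lines below are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: Yandex Disk share and download links appear under these hosts
# (subdomains such as downloader.disk.yandex.ru are matched by suffix).
YANDEX_DISK_HOSTS = ("yadi.sk", "disk.yandex.ru", "disk.yandex.com")
YOUTUBE_HOSTS = ("youtube.com", "youtu.be")

# Assumed proxy log layout: "<timestamp> <client_ip> <method> <url> <status> <referer>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<referer>\S+)$"
)


def _host_in(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(line):
    """Return {'client', 'url', 'reasons'} for a suspicious line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m["url"])
    referer = urlparse(m["referer"]) if m["referer"] != "-" else None
    reasons = []
    if _host_in(url.hostname, YANDEX_DISK_HOSTS):
        # Stage 1: the browser arrived at Yandex Disk straight from a YouTube page.
        if referer is not None and _host_in(referer.hostname, YOUTUBE_HOSTS):
            reasons.append("youtube_referer_to_yandex_disk")
        # Stage 2: a RAR archive (the carrier named in the report) pulled from Yandex Disk.
        if url.path.lower().endswith(".rar"):
            reasons.append("rar_from_yandex_disk")
    if not reasons:
        return None
    return {"client": m["client"], "url": m["url"], "reasons": reasons}


def hunt(log_text):
    """Run classify() over every line; return {client_ip: [(url, reasons), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        result = classify(line)
        if result:
            hits[result["client"]].append((result["url"], result["reasons"]))
    return dict(hits)


def clients_with_full_chain(hits):
    """Clients that both came to Yandex Disk from YouTube and fetched a RAR from it."""
    wanted = {"youtube_referer_to_yandex_disk", "rar_from_yandex_disk"}
    out = []
    for client, findings in hits.items():
        seen = {r for _, reasons in findings for r in reasons}
        if wanted <= seen:
            out.append(client)
    return sorted(out)


# Constructed sample log: one client follows the full chain, two do not.
SAMPLE_LOG = """\
2018-03-28T10:01:02Z 10.0.0.5 GET https://www.youtube.com/watch?v=AAAAAAAAAAA 200 -
2018-03-28T10:01:40Z 10.0.0.5 GET https://yadi.sk/d/example_share_id 200 https://www.youtube.com/watch?v=AAAAAAAAAAA
2018-03-28T10:01:41Z 10.0.0.5 GET https://downloader.disk.yandex.ru/disk/abc/cheat_pack.rar 200 https://yadi.sk/d/example_share_id
2018-03-28T10:05:00Z 10.0.0.7 GET https://disk.yandex.ru/client/disk 200 -
2018-03-28T10:06:00Z 10.0.0.9 GET https://example.com/update.rar 200 https://www.youtube.com/watch?v=BBBBBBBBBBB
"""

if __name__ == "__main__":
    findings = hunt(SAMPLE_LOG)
    for client, items in findings.items():
        for url, reasons in items:
            print(client, url, ",".join(reasons))
    print("full chain:", clients_with_full_chain(findings))
```

A single stage on its own is weak evidence (plenty of legitimate Yandex Disk traffic exists), which is why the escalation step only names clients that show both the YouTube referer and the RAR download; in a real deployment the Spam.zip artifact on the C drive and the outbound C&C connection described below would be the endpoint-side indicators to correlate with these hits.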
All that information goes to the criminals, who probably sell it
Once the harvesting is done, the Trojan packs the gathered data into a file named Spam.zip on the C drive and sends it to command-and-control servers run by the criminals behind the malware. The malware also sends the user's location to the C&C, presumably so the stolen data can be cataloged by geography. Stolen data is sold on the dark web at prices that vary by the victim's location, with records from places like the US and EU commanding higher prices.
In addition to .23012, Dr. Web also found a modified variant, Trojan.PWS.Stealer.23198. All YouTube users are advised to avoid clicking links in the comments section unless the link has been verified by site moderators. This kind of attack has been seen before. As recently as January, YouTube comments contained links that dropped cryptojackers onto unsuspecting users' PCs, and games such as Grand Theft Auto IV and V, Call of Duty, Assassin's Creed and Minecraft have all seen incidents of attackers spreading malware through their communities. Even the popular gaming platform Steam has had issues with this type of attack. As always, user beware, and don't click any link from a user you have no reason to trust!