Traffers & YouTube Video Tutorials

Recently, cyber threat actors have been observed using AI-generated YouTube videos to spread stealer malware such as Raccoon, RedLine, and Vidar.  The videos lure users by posing as tutorials for downloading cracked versions of software such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and other licensed products normally available only to paying users.  Nothing is free on the Internet; you may be paying with a malware infection.

See:  https://redskyalliance.org/xindustry/raccoon-password-stealer-is-back-again

Just as the ransomware landscape comprises core developers and affiliates in charge of identifying potential targets and carrying out the attacks, the information stealer ecosystem also consists of threat actors known as Traffers who are recruited to spread the malware using different methods.

Traffers, from the Russian word “Траффер” and also referred to as “workers,” are cybercriminals responsible for redirecting Internet users' network traffic to malicious content that they operate, most often malware.  Once created, a Traffer team might evolve and reorganize, merge with other teams, or restart from scratch, which makes it difficult to evaluate the longevity of Traffer teams.  One such team administrator has indicated it cost him $3,000 to create a Traffer team of 600 people before selling it.

The administrators are also responsible for obtaining the malware they need, buying licenses from the malware developers and distributing it to the team.  The administrators also provide their team members with a kit containing different resources:

  • Constantly updated malware files (called “malware builds”) ready for use.
  • A crypto service or tool for encrypting or obfuscating the malware files.
  • A manual and guidelines for Traffers.
  • A search engine optimization service to improve the visibility and number of connections to their infrastructure.
  • A Telegram channel to communicate easily between team members.
  • Telegram bots for automating tasks, such as sharing new malware files and creating statistics.
  • A dedicated log analysis service to ensure the logs sold by the administrators are valid.

Once recruited, Traffers receive the malware files and distribute them via redirections from compromised websites.  They are paid based on the quality and quantity of the information collected by the malware they deploy.

Traffers are often challenged into competitions organized by the administrators.  The winners get extra cash and access to a professional version of the membership.  This access allows them to use a second malware family and get better services and bonuses.

One of the popular malware distribution channels is YouTube, with investigators noting a 200-300% month-over-month increase since November 2022 in videos containing links to stealer malware in their description section.  These links are often obfuscated using URL shorteners like Bitly and Cuttly, or alternatively hosted on MediaFire, Google Drive, Discord, GitHub, and Telegram's Telegra.ph.
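As an added example that is not part of the original article or of any Red Sky Alliance tooling, the following Python routine shows how a defender might triage the links in a video description along the lines described above: extract the URLs, follow shortener redirects (here against a constructed, offline redirect table rather than live lookups), and flag hand-offs to file-hosting or messaging platforms. The domain lists, the lure-term list, the sample description and the redirect entries are all constructed assumptions for this example.

```python
"""Triage of download links in video descriptions.

Added example, not part of the original article or Red Sky Alliance
tooling: a small routine a defender could run over a video description
to surface the link patterns described above - URL shorteners that hide
the real destination, and file-hosting or messaging platforms used to
hand off the "cracked software" archive. The sample description, the
redirect table and the lure-term list are constructed for this example.
"""
import re
from urllib.parse import urlparse

# Domains assumed from the services named in the article.
SHORTENERS = {"bit.ly", "cutt.ly"}
FILE_HOSTS = {"mediafire.com", "drive.google.com", "github.com", "telegra.ph"}
MESSAGING = {"discord.com", "cdn.discordapp.com", "t.me", "telegram.me"}
# Wording typical of the lure; constructed list, not from the article.
LURE_TERMS = ("crack", "free", "full version", "password", "activated")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed redirect table standing in for live shortener lookups so the
# example runs offline; a real resolver would issue HEAD requests and read
# the Location header. Two entries form a loop to exercise loop handling.
FAKE_REDIRECTS = {
    "https://bit.ly/3xAMPLE": "https://www.mediafire.com/file/abc123/Photoshop_2023_crack.rar",
    "https://cutt.ly/EXAMPL3": "https://t.me/example_channel",
    "https://bit.ly/LOOP1": "https://bit.ly/LOOP2",
    "https://bit.ly/LOOP2": "https://bit.ly/LOOP1",
}

# Constructed sample description in the style the article describes.
SAMPLE_DESCRIPTION = """Adobe Photoshop 2023 CRACK - FREE full version, no activation needed!
Download: https://bit.ly/3xAMPLE
Password: 1234
Backup link: https://cutt.ly/EXAMPL3
Official page: https://www.adobe.com/products/photoshop.html
"""


def host_of(url):
    """Lower-case hostname with a leading 'www.' stripped."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_host(host):
    """Bucket a hostname into the categories the triage cares about."""
    if host in SHORTENERS:
        return "shortener"
    if host in FILE_HOSTS:
        return "file-host"
    if host in MESSAGING:
        return "messaging"
    return "other"


def resolve_chain(url, resolver, max_hops=5):
    """Follow redirects through resolver(url) -> next url or None.

    Stops at max_hops or when a URL repeats, so a looping shortener
    cannot stall the triage.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = resolver(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def lure_score(text):
    """Number of lure terms present in the description (case-insensitive)."""
    lowered = text.lower()
    return sum(1 for term in LURE_TERMS if term in lowered)


def triage_description(text, resolver=FAKE_REDIRECTS.get):
    """Return one finding per URL: redirect chain, final host class and verdict."""
    findings = []
    for url in URL_RE.findall(text):
        chain = resolve_chain(url, resolver)
        first_kind = classify_host(host_of(url))
        final_kind = classify_host(host_of(chain[-1]))
        findings.append({
            "url": url,
            "final_url": chain[-1],
            "hops": len(chain) - 1,
            "first_kind": first_kind,
            "final_kind": final_kind,
            # A shortener in a software tutorial description, or a hand-off to a
            # file host / messaging platform, is the pattern worth escalating.
            "suspicious": first_kind == "shortener" or final_kind in {"file-host", "messaging"},
        })
    return findings


if __name__ == "__main__":
    print("lure terms matched:", lure_score(SAMPLE_DESCRIPTION))
    for f in triage_description(SAMPLE_DESCRIPTION):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['url']} -> {f['final_url']} ({f['hops']} hops, {f['final_kind']})")
```

The resolver is injected as a plain callable so the same triage can be pointed at a real redirect-following function later; the loop guard and hop limit matter because a shortener chain under an attacker's control can redirect indefinitely or change its destination after the video has been reviewed.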

In several instances, threat actors leverage data leaks and social engineering to hijack legitimate YouTube accounts and push malware, often targeting popular accounts to reach a large audience quickly.  Uploading to such accounts also lends the videos legitimacy.  YouTubers will report the account takeover to YouTube and regain access to their accounts within a few hours, but in those few hours hundreds of users could already have fallen victim to the scam.

Even more troubling, between five and ten crack download videos are uploaded to the video platform every hour.  The threat actors employ Search Engine Optimization (SEO) poisoning techniques to make the videos appear at the top of search results.  Threat actors have also been observed adding fake comments to the uploaded videos to further mislead and entice users into downloading the cracked software.

This development comes amid a surge in new information stealer variants like SYS01stealer, S1deload, Stealc, Titan, ImBetter, WhiteSnake, and Lumma that are offered for sale and come with capabilities to plunder sensitive data under the guise of popular apps and services.  The findings also point to a ready-to-use toolkit called R3NIN Sniffer that enables threat actors to siphon payment card data from compromised e-commerce websites.  To mitigate the risks posed by stealer malware, users are advised to enable multi-factor authentication, refrain from clicking on unknown links, and avoid downloading or using pirated software.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com.

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989  
