News YouTube Bitcoin Scams Pushing the njRAT Backdoor InfoStealer

YouTube Bitcoin Scams Pushing the njRAT Backdoor InfoStealer


- Advertisment -

YouTube scams are promoting software that pretends to allow users to get free Bitcoins, but instead installs the njRAT remote access trojan and password stealer.

These YouTube videos pretend to be hack scripts, giveaways, or games that allow you to win free cryptocurrency such as bitcoins. These videos tend to have the “FREEBITCO IN” string in the title or description, which makes it easy to find the videos that are part of this campaign.

YouTube Bitcoin Scam

YouTube Bitcoin Scam

According to security researcher Frost who discovered this campaign, we should expect to see more of these scam videos as the prices of Bitcoin continue to rise above $10,000.

Included in the description for these videos is a link that leads to a landing page that offers a “Freebitcoins 2019 Update Script” that you need to download and run in order to generate your free Bitcoin.

Scam Landing Page

Clicking on the download button brings you to a free file sharing service, such as SecuFiles below, where you can download the script.  In this particular example the script is named “SCRIPT UPDATE WIN BTC.VBS”.

Downloading Script

As a general word of warning, never download files that end with VBS, JS, or BAT from any file sharing site. There is very high chance that these will be used to install an infection on to your computer.

Infecting users with njRAT

This “SCRIPT UPDATE WIN BTC.VBS” is obfuscated to make it a bit harder to analyze it and determine what it is doing as shown below.

Obfuscated Script

Once deobfuscated,  we can see that it will save an embedded base64 encoded strings as the file Windows.exe and then execute it. This executable is detected as Bladabindi or njRAT.

Deobfuscated Script

When launched, the Windows.exe will connect to a command and control server and send a variety of information such as the PC name, user name, and more. It will then wait for commands given by the attacker that the program will execute.

njRAT Executable

As this infection has the ability to steal browser passwords and log keystrokes, if you are infected by this scam, it should be assumed that your login names and passwords have been compromised. Once the computer is cleaned, you should change your login credentials at any sites you regularly use, especially financial institutions.



Please enter your comment!
Please enter your name here

Latest news

Ethereum Price Sees $500 for the First Time in Two-and-a-half Years

First launched in 2014, Ethereum or Ether is one of the oldest altcoins and probably the most...

Banking Sector is Ready for a Tech Revolution With Cryptocurrency

When our world is going through a massive change due to COVID-19blow, it is very likely that...

OpenDAO’s Bridge Opens New Possibility for Mass Adoption of DeFi

When Satoshi Nakamoto officially created Bitcoin on January 3, 2009, his vision for the digital asset was...

Crypto’s price surge was mostly due to limited information – here’s why

As the world becomes more and more digitized, the usage of one of the most popular cryptocurrencies,...
- Advertisement -

U.S. Authorities Seized Bitcoin Worth a Total of $1 billion

The cryptocurrencies were in the possession of a person who had hacked Silk road, which was detected...

Top 12 BEST Crypto Trading Bots for 2020

TL;DR: In this article, we present a list of the best Crypto Trading Bots of 2020. If...

Must read

- Advertisement -

Read Next
Recommended to you