YouTube scams are promoting software that pretends to allow users to get free Bitcoins, but instead installs the njRAT remote access trojan and password stealer.
These YouTube videos pretend to be hack scripts, giveaways, or games that allow you to win free cryptocurrency such as bitcoins. These videos tend to have the “FREEBITCO IN” string in the title or description, which makes it easy to find the videos that are part of this campaign.
YouTube Bitcoin Scam
According to security researcher Frost who discovered this campaign, we should expect to see more of these scam videos as the prices of Bitcoin continue to rise above $10,000.
Included in the description for these videos is a http://bit.ly link that leads to a landing page that offers a “Freebitcoins 2019 Update Script” that you need to download and run in order to generate your free Bitcoin.
Clicking on the download button brings you to a free file sharing service, such as SecuFiles below, where you can download the script. In this particular example the script is named “SCRIPT UPDATE WIN BTC.VBS”.
As a general word of warning, never download files that end with VBS, JS, or BAT from any file sharing site. There is very high chance that these will be used to install an infection on to your computer.
Infecting users with njRAT
This “SCRIPT UPDATE WIN BTC.VBS” is obfuscated to make it a bit harder to analyze it and determine what it is doing as shown below.
Once deobfuscated, we can see that it will save an embedded base64 encoded strings as the file Windows.exe and then execute it. This executable is detected as Bladabindi or njRAT.
When launched, the Windows.exe will connect to a command and control server and send a variety of information such as the PC name, user name, and more. It will then wait for commands given by the attacker that the program will execute.
As this infection has the ability to steal browser passwords and log keystrokes, if you are infected by this scam, it should be assumed that your login names and passwords have been compromised. Once the computer is cleaned, you should change your login credentials at any sites you regularly use, especially financial institutions.