News YouTube Bitcoin Scams Pushing the njRAT Backdoor InfoStealer

YouTube Bitcoin Scams Pushing the njRAT Backdoor InfoStealer


- Advertisment -

YouTube scams are promoting software that pretends to allow users to get free Bitcoins, but instead installs the njRAT remote access trojan and password stealer.

These YouTube videos pretend to be hack scripts, giveaways, or games that allow you to win free cryptocurrency such as bitcoins. These videos tend to have the “FREEBITCO IN” string in the title or description, which makes it easy to find the videos that are part of this campaign.

YouTube Bitcoin Scam

YouTube Bitcoin Scam

According to security researcher Frost who discovered this campaign, we should expect to see more of these scam videos as the prices of Bitcoin continue to rise above $10,000.

Included in the description for these videos is a link that leads to a landing page that offers a “Freebitcoins 2019 Update Script” that you need to download and run in order to generate your free Bitcoin.

Scam Landing Page

Clicking on the download button brings you to a free file sharing service, such as SecuFiles below, where you can download the script.  In this particular example the script is named “SCRIPT UPDATE WIN BTC.VBS”.

Downloading Script

As a general word of warning, never download files that end with VBS, JS, or BAT from any file sharing site. There is very high chance that these will be used to install an infection on to your computer.

Infecting users with njRAT

This “SCRIPT UPDATE WIN BTC.VBS” is obfuscated to make it a bit harder to analyze it and determine what it is doing as shown below.

Obfuscated Script

Once deobfuscated,  we can see that it will save an embedded base64 encoded strings as the file Windows.exe and then execute it. This executable is detected as Bladabindi or njRAT.

Deobfuscated Script

When launched, the Windows.exe will connect to a command and control server and send a variety of information such as the PC name, user name, and more. It will then wait for commands given by the attacker that the program will execute.

njRAT Executable

As this infection has the ability to steal browser passwords and log keystrokes, if you are infected by this scam, it should be assumed that your login names and passwords have been compromised. Once the computer is cleaned, you should change your login credentials at any sites you regularly use, especially financial institutions.



Please enter your comment!
Please enter your name here

Latest news

Why could GLBrain become a great solution to receive support during the crisis?

To support smaller and medium-sized businesses during the ongoing crisis, GLBrain offers services cost-free for all Austrians....

Make Fast and Secure Trades Using is a Cryptocurrency trading platform that allows users to buy and sell their Cryptocurrency in a...

Network Security Using Cryptography: Everything you need to know

This article will describe what is Network Security Using Cryptography and everything you need to know before...

Mercuriex Cryptocurrency Exchange Launches New Utility Token, SURF

MercuriEx Cryptocurrency Exchange, originally developed in 2017, came under new ownership in December 2019. Since taking over the exchange,...
- Advertisement -YouTube Bitcoin Scams Pushing the njRAT Backdoor InfoStealer

Fungibility: Bitcoin Mixers Favorite Term That No One Understands

Fungibility, perhaps the most important concept when dealing with a decentralized and anonymous currency, but does bitcoin...

Crypto can’t thrive in the real world – but stablecoins can

We can safely say that the hype about cryptocurrencies is pretty much over. The claims of Bitcoin...

Must read

Make Fast and Secure Trades Using is a Cryptocurrency trading platform that...
- Advertisement -YouTube Bitcoin Scams Pushing the njRAT Backdoor InfoStealerYouTube Bitcoin Scams Pushing the njRAT Backdoor InfoStealer

You might also likeRELATED
Recommended to you