News YouTube Bitcoin Scams Pushing the njRAT Backdoor InfoStealer

YouTube Bitcoin Scams Pushing the njRAT Backdoor InfoStealer


- Advertisment -

YouTube scams are promoting software that pretends to allow users to get free Bitcoins, but instead installs the njRAT remote access trojan and password stealer.

These YouTube videos pretend to be hack scripts, giveaways, or games that allow you to win free cryptocurrency such as bitcoins. These videos tend to have the “FREEBITCO IN” string in the title or description, which makes it easy to find the videos that are part of this campaign.

YouTube Bitcoin Scam

YouTube Bitcoin Scam

According to security researcher Frost who discovered this campaign, we should expect to see more of these scam videos as the prices of Bitcoin continue to rise above $10,000.

Included in the description for these videos is a link that leads to a landing page that offers a “Freebitcoins 2019 Update Script” that you need to download and run in order to generate your free Bitcoin.

Scam Landing Page

Clicking on the download button brings you to a free file sharing service, such as SecuFiles below, where you can download the script.  In this particular example the script is named “SCRIPT UPDATE WIN BTC.VBS”.

Downloading Script

As a general word of warning, never download files that end with VBS, JS, or BAT from any file sharing site. There is very high chance that these will be used to install an infection on to your computer.

Infecting users with njRAT

This “SCRIPT UPDATE WIN BTC.VBS” is obfuscated to make it a bit harder to analyze it and determine what it is doing as shown below.

Obfuscated Script

Once deobfuscated,  we can see that it will save an embedded base64 encoded strings as the file Windows.exe and then execute it. This executable is detected as Bladabindi or njRAT.

Deobfuscated Script

When launched, the Windows.exe will connect to a command and control server and send a variety of information such as the PC name, user name, and more. It will then wait for commands given by the attacker that the program will execute.

njRAT Executable

As this infection has the ability to steal browser passwords and log keystrokes, if you are infected by this scam, it should be assumed that your login names and passwords have been compromised. Once the computer is cleaned, you should change your login credentials at any sites you regularly use, especially financial institutions.



Please enter your comment!
Please enter your name here

Latest news

Yield Farming Program “Volcano” Kicks off Dutch Auction for Cryptokitties KittieFIGHT Game

In the fall of 2017, along with the rallying of Bitcoin and other digital assets, Cryptokitties dominated...

Ministry of Foreign Affairs of Denmark may use Blockchain to tackle corruption

We have already moved to the stage in our lives where technology plays an important role in...

What Lessons Can The World Learn From Venezuela’s Newfound Love For Crypto?

It is often the case that great changes are forced out of necessity, rather than a willingness...

How Bitcoin Capitalization Affected In 2020 on the Quarantine Background

Although the weeks of quarantining are gradually easing off, the impact of dealing with the deadly coronavirus...
- Advertisement -

Seamless Crypto Exchange HolyTransaction Allows Gridcoin Staking

In today’s world, the time value of money is very important and everyone likes to earn a...

How to Use Big Data Analytics Against Rising Cyber Security Attacks?

Big data and big data analytics have many implications across verticals. The use cases range from optimizing...

Must read

- Advertisement -

Read Next
Recommended to you