YouTube BitCoin Videos Pushing Predator Info-Stealing Trojan

A new scam is underway on YouTube that uses videos to promote a tool that can allegedly generate the private key for a bitcoin address. The attackers then claim this key would then allow you to gain access to the bitcoins stored in the bitcoin address, when in reality the victims will be infected with a password and data stealing Trojan.

This campaign was discovered by security researcher Frost who routinely monitors YouTube videos for cryptocurrency scams that lead to malware, which in this particular case is the Predator the Thief information-stealing Trojan

In this scam, the attacker is uploading videos that promotes a fake bitcoin address private key generator that can be used to steal other people’s bitcoins.

Uploaded Videos

In the video’s description will also be links to download the trojanized program from Yandex, Google Drive, and Mega.

Video Promoting Trojan

The file being offered is called Crypto World.zip and when extracted contains a setup.exe file, which includes a password-protected ZIP file containing the Predator the Thief executable.  This setup.exe file currently has 1/71 detections on VirusTotal.

CryptoWorld.zip files

This setup.exe program is a Trojan that will unzip a file to the .languagetemplatestemp folder as license.exe.

Extracting Predator the Thief installer

The license.exe file will then be executed and the Predator the Thief information stealing Trojan will be installed and executed on the computer.

Once running, Predator the Thief will communicate with the malware’s command and control server to download further components, other malware, and to send information back to the attackers.

Predator Network Traffic

This Trojan can steal a variety of information and passwords from a computer, including copying the victim’s clipboard, recording over the webcam, and stealing files from the victim.

According to Kaspersky, Predator the Thief v3 has the following features and this version may be newer.

Location Data stolen
Games Osu
Battle.net
FTP WinSCP
VPN NordVPN
2FA Authy
Messengers Pidgin
Skype
Operating System Webcam
HWID
Clipboard
Specific document files (Grabber)
Project filenames*
Browsers IE/Edge

If you have been infected with this Trojan, you should immediately change all passwords for your financial accounts, web sites, chat services such as Discord, and gaming services such as Steam and Battle.net. 

As always, you should use a password manager in order to create unique and strong passwords for every account you visit and never download programs off of YouTube, especially ones that claim to generate free money or cryptocurrency.



Source

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Must Read