A new scam is underway on YouTube that uses videos to promote a tool that can allegedly generate the private key for a bitcoin address. The attackers then claim this key would then allow you to gain access to the bitcoins stored in the bitcoin address, when in reality the victims will be infected with a password and data stealing Trojan.
This campaign was discovered by security researcher Frost who routinely monitors YouTube videos for cryptocurrency scams that lead to malware, which in this particular case is the Predator the Thief information-stealing Trojan
In this scam, the attacker is uploading videos that promotes a fake bitcoin address private key generator that can be used to steal other people’s bitcoins.
In the video’s description will also be links to download the trojanized program from Yandex, Google Drive, and Mega.
The file being offered is called Crypto World.zip and when extracted contains a setup.exe file, which includes a password-protected ZIP file containing the Predator the Thief executable. This setup.exe file currently has 1/71 detections on VirusTotal.
This setup.exe program is a Trojan that will unzip a file to the .languagetemplatestemp folder as license.exe.
The license.exe file will then be executed and the Predator the Thief information stealing Trojan will be installed and executed on the computer.
Once running, Predator the Thief will communicate with the malware’s command and control server to download further components, other malware, and to send information back to the attackers.
This Trojan can steal a variety of information and passwords from a computer, including copying the victim’s clipboard, recording over the webcam, and stealing files from the victim.
According to Kaspersky, Predator the Thief v3 has the following features and this version may be newer.
Specific document files (Grabber)
If you have been infected with this Trojan, you should immediately change all passwords for your financial accounts, web sites, chat services such as Discord, and gaming services such as Steam and Battle.net.
As always, you should use a password manager in order to create unique and strong passwords for every account you visit and never download programs off of YouTube, especially ones that claim to generate free money or cryptocurrency.