Our recent investigation has shown a concerning trend in which cybercriminals appear to be acquiring popular YouTube channels to spread malware disguised as cheat tools and software cracks.
These criminals specifically target channels with large followings, including channels with over a million subscribers listed on social media account marketplaces.
There has been a significant increase in the use of YouTube for distributing malware. Are hackers now acquiring established channels instead of stealing them?
Previously, hackers forcefully took control of channels with big followings. AhnLab Security, which first reported this trend, noted that channels boasting over 800,000 subscribers had been compromised.
Malware distribution often relies on abusing legitimate web services. Users looking for illegal software such as game hacks, cracks, and keygens unknowingly download programs that they believe are the real thing, but which in reality carry malware.

Hackers often deceive users by creating websites that seem to offer these programs, but in reality, they distribute harmful malware. Consequently, users unwittingly download and run these harmful files, which then infect their systems.
YouTube has become a popular platform for these activities, as threat actors often include malware download links in video descriptions, comments, and even within the videos.
This method has since been used to distribute infostealers such as RedLine, BlackGuard, and RecordBreaker.
AhnLab Security points out that, in the past, the channels used by hackers had a limited number of subscribers because the threat actors created the channels themselves.
One common attack method is to upload videos about cracked versions of popular software, such as Adobe. These videos often include download links in the description or comments.

The malware is commonly hosted on MediaFire and packed in a password-protected archive so that security scanners cannot inspect its contents. Once decompressed, the files reveal malware that masquerades as a genuine installer.
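A password-protected archive defeats content scanning, so the first thing a defender can check is whether an archive is encrypted at all and whether it ships an executable, before anything inside is ever extracted. The following is an added example, not code from the original article: it walks the ZIP local file headers by hand (bit 0 of the general-purpose flags marks an encrypted entry) and builds its own constructed sample archives, since Python's zipfile module cannot write encrypted archives; the decoy "mods" folder and the Setup.exe stub are constructed placeholders modelled on the layout described in this post, not real files.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory record signature
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".dll")


def list_entries(zip_bytes: bytes):
    """Walk the local file headers and return [(name, encrypted), ...].

    Local file header layout (PKWARE APPNOTE 4.3.7), offsets from the signature:
      0 sig(4)  4 version(2)  6 flags(2)  8 method(2)  10 time(2)  12 date(2)
      14 crc(4)  18 csize(4)  22 usize(4)  26 name_len(2)  28 extra_len(2)  30 name/extra/data
    Bit 0 of flags marks the entry as encrypted (traditional PKZIP or AES via an extra field).
    """
    entries = []
    pos = zip_bytes.find(LOCAL_SIG)
    while pos != -1:
        (flags,) = struct.unpack_from("<H", zip_bytes, pos + 6)
        (csize,) = struct.unpack_from("<I", zip_bytes, pos + 18)
        name_len, extra_len = struct.unpack_from("<HH", zip_bytes, pos + 26)
        name = zip_bytes[pos + 30 : pos + 30 + name_len].decode("utf-8", "replace")
        entries.append((name, bool(flags & 0x0001)))
        # csize is 0 when a data descriptor (bit 3) is in use; find() then skips the data anyway.
        pos = zip_bytes.find(LOCAL_SIG, pos + 30 + name_len + extra_len + csize)
    return entries


def triage_archive(zip_bytes: bytes) -> dict:
    """Flag archives whose contents cannot be scanned or that ship a native executable."""
    entries = list_entries(zip_bytes)
    encrypted = [name for name, enc in entries if enc]
    executables = [name for name, _ in entries if name.lower().endswith(EXECUTABLE_SUFFIXES)]
    reasons = []
    if encrypted:
        reasons.append("encrypted entries defeat content scanning")
    if executables:
        reasons.append("archive ships a native executable")
    return {
        "entries": [name for name, _ in entries],
        "encrypted": encrypted,
        "executables": executables,
        "reasons": reasons,
        "needs_review": bool(reasons),  # route to a sandbox or an analyst
    }


def build_sample(encrypted: bool, with_exe: bool = True) -> bytes:
    """Constructed sample archive: a decoy 'mods' folder plus an optional Setup.exe stub.

    The stub is a handful of bytes starting with the 'MZ' magic, not a real program.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("mods/readme.txt", "constructed decoy content")
        if with_exe:
            zf.writestr("Setup.exe", b"MZ" + bytes(62))
    data = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write password-protected archives, so set the encryption flag by
        # hand in every local header (flags at offset 6) and central directory record (offset 8).
        for sig, off in ((LOCAL_SIG, 6), (CENTRAL_SIG, 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    for label, sample in (("plain", build_sample(False)), ("password-protected", build_sample(True))):
        print(label, triage_archive(sample))
```

The header walk reads only metadata, so it works on an archive you have no password for; a real triage pipeline would pair it with the hosting context (a public file host link posted in video comments) rather than treat an encrypted archive as malicious on its own.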
Are cybercriminals buying channels now?
We recently came across a new case involving a Pakistani lifestyle blog channel (Hafiz Naveed Official) that was previously listed for sale on Accs-market.com, a popular marketplace for buying and selling social media accounts.

It is still unclear whether the cybercriminals purchased the account or obtained it illegally. After gaining control, they swiftly removed all previous videos and flooded the channel with videos advertising cheat tools that are, in reality, malware installers.
Just days after its acquisition, this channel already boasts over 950 video uploads of alleged cheats. The malicious download link is often placed in the comments section as posting links in the video and description necessitates ID verification.

Hackers often manipulate the comments sections of popular videos, where they fill them with comments praising the cheat trainer and expressing gratitude towards the channel. This strategy deceives viewers into thinking they are downloading a genuine cheat.
All uploaded videos carry the same download link. The archive it points to contains files and folders that look like game mods, but they are decoys with no connection to Setup.exe, which is the actual payload. The malware includes the Lumma stealer and coin miners such as XMRig. (Any Run) (VirusTotal)

The malicious files perform a series of actions: manipulating files, modifying the registry, creating scheduled tasks, and downloading additional potentially harmful files over HTTP.
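Individually, each of those actions is common in legitimate installers; what makes the chain suspicious is one process doing all of them. The following is an added example, not code from the original article or from any vendor tool: it parses a constructed endpoint telemetry log (the timestamp|pid|image|event|detail format, the paths, the Run key name and the host names are all made up for illustration) and raises an alert only when a single process combines a persistence action (Run key or scheduled task) with staging (dropping an executable or fetching something over HTTP).

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article or any real capture).
# Format per line: timestamp|pid|image|event|detail
SAMPLE_EVENTS = """\
10:00:01|4120|C:\\Users\\u\\Downloads\\Setup.exe|process_create|parent=explorer.exe
10:00:02|4120|C:\\Users\\u\\Downloads\\Setup.exe|file_write|C:\\Users\\u\\AppData\\Roaming\\svc\\upd.exe
10:00:03|4120|C:\\Users\\u\\Downloads\\Setup.exe|registry_set|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd
10:00:04|4120|C:\\Users\\u\\Downloads\\Setup.exe|task_create|/sc onlogon /tn upd /tr C:\\Users\\u\\AppData\\Roaming\\svc\\upd.exe
10:00:05|4120|C:\\Users\\u\\Downloads\\Setup.exe|http_request|GET http://stage.example.invalid/p/stage2.bin
10:00:07|5210|C:\\Program Files\\Editor\\editor.exe|file_write|C:\\Users\\u\\Documents\\notes.txt
10:00:08|5210|C:\\Program Files\\Editor\\editor.exe|http_request|GET http://updates.example.invalid/check
"""

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")
USER_WRITABLE_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\")
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)

PERSISTENCE = {"run_key_persistence", "scheduled_task"}
STAGING = {"drops_executable", "http_download"}


def parse_events(text: str):
    """Split the flat log into event dicts; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, event, detail = line.split("|", 4)
        events.append({"ts": ts, "pid": int(pid), "image": image, "event": event, "detail": detail})
    return events


def signals_for(event: dict) -> set:
    """Map one telemetry event to zero or more behavioural signals."""
    found = set()
    image = event["image"].lower()
    detail = event["detail"]
    kind = event["event"]
    if kind == "process_create" and any(d in image for d in USER_WRITABLE_DIRS):
        found.add("runs_from_user_dir")
    if kind == "file_write" and detail.lower().endswith(EXECUTABLE_SUFFIXES):
        found.add("drops_executable")
    if kind == "registry_set" and RUN_KEY_RE.search(detail):
        found.add("run_key_persistence")
    if kind == "task_create":
        found.add("scheduled_task")
    if kind == "http_request":
        found.add("http_download")
    return found


def correlate(events):
    """Aggregate signals per process; alert when persistence and staging co-occur."""
    per_process = defaultdict(lambda: {"image": None, "signals": set()})
    for ev in events:
        rec = per_process[ev["pid"]]
        rec["image"] = ev["image"]
        rec["signals"] |= signals_for(ev)
    alerts = []
    for pid, rec in per_process.items():
        sig = rec["signals"]
        if sig & PERSISTENCE and sig & STAGING:
            alerts.append({"pid": pid, "image": rec["image"], "signals": sorted(sig), "score": len(sig)})
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The benign editor process in the sample also writes a file and makes an HTTP request, but never touches a Run key or creates a task, so it produces no alert; the threshold is deliberately the combination, not any single signal.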
This harmful YouTube trend is expected to keep its momentum, given the billions of people who watch YouTube videos and the platform's high ranking in Google search results, which makes these videos easy for viewers to find.
Furthermore, these cybercriminals can produce large numbers of videos in a short period of time in order to reach more user computers.
If they are caught and an account is banned, they can easily find another prominent account, either by purchasing one or by exploiting stolen data from individuals who unknowingly downloaded their malware.