An independent information security researcher discovered a fraudulent campaign on YouTube that spreads the spyware Trojan Predator the Thief (also known as Predator). The Trojan targets people looking for easy money and cryptocurrency hunters. The attackers disguise the malware as cryptocurrency mining, trading and financial management programs, and even promise users access to other people’s BTC wallets.
The first video appeared on the channel in December 2018. Over its lifetime the account has collected 25 thousand views, of which 11 thousand are accounted for by the video about a “free Bitcoin generator”. In the video, the user inserts certain characters into the source code of a page on a cryptocurrency management site, after which the balance of the wallet shown on the screen starts to grow.
Second by number of views is a guide to working with a program that supposedly allows pulling cryptocurrency out of any BTC or ETH wallet.
“Users just enter the desired amount and the address of the sender. After paying the transaction fee, the money will arrive in the specified wallet,” the scammers assure.
In addition to the obviously fraudulent programs, the channel promotes several supposedly legitimate utilities, mostly bots for traders. Under all the published videos, identical links to several file-sharing services have been added. They lead to a ZIP archive with three folders and a setup.exe file. This is the payload: the Predator infostealer Trojan.
Information security specialists first noticed this malware in October 2018, when an independent researcher with the nickname fumik0 wrote about Predator.
Predator is a relatively primitive piece of spyware. Its creators sell the program on underground sites for $30, less than the competing Vidar and HawkEye.
For this money, customers get the ability to steal passwords, cookies, payment data and credentials from more than 25 browsers, as well as to record video from a webcam. The attackers also promise keylogging, but in fact Predator only steals the contents of the clipboard.
“This malware can threaten private users and small companies, as it is not able to bypass corporate-level protection. The main feature of the Trojan is regular updates, so antivirus solutions may not recognize the threat in the next version of Predator,” security experts say.
To complicate detection even further, the malware’s creators obfuscated its code and added some protective functions. Before starting work, the spyware checks the name of the video card and the list of loaded DLLs; this is how Predator determines whether it is running in a sandbox.
Attackers have long used YouTube to promote malware. In 2018, many videos were discovered on video hosting sites in which gamers allegedly installed the online shooter Fortnite on Android smartphones. Later, fans of Apex Legends suffered similar attacks: criminals promised them the chance to run the game on mobile devices, although it only works on Windows, PlayStation 4 and Xbox One. Users who followed the fraudsters’ instructions received unwanted applications on their devices.
How to avoid becoming a victim of scammers?
Information security specialists remind users of the dangers of unknown programs, especially when they are promoted as a means of making money quickly.
Victims of Predator urgently need to change their passwords on social networks and payment services, as well as on gaming platforms such as Steam and Battle.net, since such resources are increasingly becoming a desirable target for cybercriminals.