CloudSEK researchers have detected an increase of 200-300% month-on-month in YouTube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions since November 2022.
These videos pretend to be tutorials on downloading cracked versions of licensed software, such as Adobe Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and others, available only to paid users.
Threat actors are using various tactics to spread the malicious software, including screen recordings, audio walkthroughs, and, more recently, AI-generated personas, which appear more trustworthy and familiar to users.
AI-generated videos featuring synthetic personas are on the rise, used in various languages and platforms for recruitment, education, and promotional purposes. Unfortunately, threat actors have also adopted this tactic.
Infostealers are malicious software designed to steal sensitive information from computers, such as passwords, credit card information, bank account numbers, and other confidential data. Infostealers are spread via malicious downloads, fake websites, and YouTube tutorials. They infiltrate systems and steal information, which is uploaded to the attacker’s Command and Control server.
YouTube is a popular platform with over 2.5 billion active monthly users, making it an easy target for threat actors. CloudSEK has observed a 2 to 3 times month-on-month increase in the number of videos spreading stealer malware on YouTube. Threat actors use a variety of tactics to deceive the platform’s algorithm and review process, such as using region-specific tags, adding fake comments to give the videos legitimacy, and frequent video uploads to compensate for deleted or taken-down videos.
“The threat of infostealers is rapidly evolving and becoming more sophisticated, leaving users vulnerable to devastating consequences. In a concerning trend, these threat actors are now utilizing AI-generated videos to amplify their reach, and YouTube has become a convenient platform for their distribution. As a result, it is absolutely critical that users exercise extreme caution when downloading software and avoid any suspicious links or videos at all costs,” said Pavan Karthick, a CloudSEK researcher.
Automated and Frequent Video Uploads of Malicious Content on YouTube
CloudSEK research shows that 5-10 crack software download videos with malicious links are uploaded to YouTube every hour. The videos contain deceptive tactics that mislead users into downloading malware, making it challenging for the YouTube algorithm to identify and remove them.
A popular Youtuber whose account was flooded with crack download videos
SEO Optimization using Region-Specific Tags and Obfuscated Links
The threat actors use SEO optimization with region-specific tags and obfuscated links to make these malicious videos appear more credible. Using random keywords in different languages, the YouTube algorithm recommends the videos, making them more accessible to users. Additionally, URL shorteners and links to file hosting platforms, such as bit.ly, and cutt.ly mediafire.com, make it difficult for users to detect malicious links.
Fake Comments and AI-generated Videos
The threat actors also add fake comments to give the legitimacy of the video. These comments trick users into believing the malware is legitimate. Moreover, using AI-generated videos featuring personas that appear more familiar and trustworthy is a growing trend among threat actors.
The Way Forward
Traditional string-based rules will prove ineffective against malware that dynamically generates strings and/or uses encrypted strings. Therefore, organizations need to adopt adaptive threat monitoring to address constantly changing threats. Closely monitoring threat actors’ tactics, techniques, and procedures is crucial to identifying potential threats. It is also essential to conduct awareness campaigns and equip users to detect and prevent potential threats. Additionally, users should enable multi-factor authentication, refrain from clicking on unknown links and emails, and avoid downloading or using pirated software.