Malware Disguised as YouTube Bot Steals Sensitive Data

About the malware

• Cyble researchers found that the YouTube bot malware is distributed as a 32-bit executable file compiled with .NET compiler. 
• Four argument strings including the video ID, video duration, like, and comment, are required to run the executable file.

Modus Operandi

• Upon execution, the malware performs an AntiVM check to prevent malware detection and analysis by researchers in a virtual environment.
• If it determines that it is running in a controlled environment, it terminates the execution. Otherwise, it will proceed to perform the tasks specified in the argument strings.
• Further, the malware creates mutex and copies itself to the %appdata% folder under the name AvastSecurity.exe and runs it using cmd.exe.
• The new mutex assists in establishing persistence and creates a task scheduler entry. 
• The AvastSecurity.exe file collects cookies, autofill, and login data from the installed Chromium browsers on the victim’s system.
• Finally, the malware calls the YouTube Playwright function by passing the previously mentioned arguments along with the browser path and cookie information to view the specified video.

What more?

• YouTube bot launches the browser context with the parameters and uses YouTube Playwright function for automating tasks such as viewing, liking, and commenting on YouTube videos. The function relies on Microsoft.Playwright package.
• The malware connects to a C2 server and receives commands to delete the scheduled task entry and terminate its own process, extract log files to the C2 server, download and execute other files, and start/stop viewing a YouTube video.
• In addition, it checks if the victim’s system has the necessary dependencies, such as the Chrome browser and the Playwright package installed. If these dependencies are absent, it will download and install them when it receives the ‘view’ command.

The elephant in the room