Threat actors are distributing a new YouTube bot malware that artificially boosts the rankings of YouTube videos and steals sensitive information from browsers. The bot also receives commands from a C2 server for other malicious activities.

About the malware

  • Cyble researchers found that the YouTube bot malware is distributed as a 32-bit executable compiled with the .NET compiler.
  • The executable requires four argument strings to run: the video ID, the video duration, a like flag, and a comment flag.

Modus Operandi

  • Upon execution, the malware performs an anti-VM check to hinder detection and analysis by researchers in a virtual or sandboxed environment.
  • If it determines that it is running in a controlled environment, it terminates. Otherwise, it proceeds with the tasks specified in the argument strings.
  • Next, the malware creates a mutex, copies itself to the %appdata% folder under the name AvastSecurity.exe, and launches that copy via cmd.exe.
  • The newly launched copy establishes persistence by creating a Task Scheduler entry.
  • AvastSecurity.exe then collects cookies, autofill data, and login data from the Chromium-based browsers installed on the victim's system.
  • Finally, the malware calls the YouTube Playwright function, passing the arguments mentioned above together with the browser path and the harvested cookies, to view the specified video.
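The drop-and-persist chain above is what a defender would hunt for in endpoint telemetry. The following Python is an added example, not Cyble's or Cyware's code: it runs three checks over constructed Sysmon-style process-creation records (hosts, paths, PIDs and the video ID are made up) and correlates the hits per host. The file name AvastSecurity.exe and the %appdata% drop location come from the report; the field names, and the assumption that the scheduled task is created through schtasks.exe, are this example's own. A .NET sample can just as well create the task through the Task Scheduler COM API, in which case the same check should be applied to Security Event ID 4698 (scheduled task created) instead.

```python
"""
Added example (not from the report): hunt Sysmon-style process-creation
records for a binary dropped in %APPDATA% under a security-product name,
launched through cmd.exe, and then persisted with a scheduled task.
"""
import re

# Matches an expanded Roaming profile path or the unexpanded %APPDATA% variable.
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\|%appdata%", re.IGNORECASE)

# File names impersonating security products; AvastSecurity.exe is from the report.
IMPERSONATED_AV = {"avastsecurity.exe"}

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
EVENTS = [
    {"host": "WS01", "pid": 4100, "image": r"C:\Users\alice\Downloads\YTBot.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\alice\Downloads\YTBot.exe" aB3dE5fG7hI 212 1 1'},
    {"host": "WS01", "pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\Downloads\YTBot.exe",
     "cmdline": r'cmd.exe /c start "" "C:\Users\alice\AppData\Roaming\AvastSecurity.exe"'},
    {"host": "WS01", "pid": 4132, "image": r"C:\Users\alice\AppData\Roaming\AvastSecurity.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Users\alice\AppData\Roaming\AvastSecurity.exe" aB3dE5fG7hI 212 1 1'},
    {"host": "WS01", "pid": 4150, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\AvastSecurity.exe",
     "cmdline": r'schtasks.exe /create /tn "AvastSecurity" /tr "%APPDATA%\AvastSecurity.exe" /sc onlogon /f'},
    # Benign noise on a second host: the real product in Program Files and a vendor updater task.
    {"host": "WS02", "pid": 900, "image": r"C:\Program Files\Avast Software\Avast\AvastSvc.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r'"C:\Program Files\Avast Software\Avast\AvastSvc.exe"'},
    {"host": "WS02", "pid": 2200, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Program Files\Vendor\Setup.exe",
     "cmdline": r'schtasks.exe /create /tn "VendorUpdate" /tr "C:\Program Files\Vendor\Updater.exe" /sc daily'},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_appdata(text: str) -> bool:
    return bool(APPDATA_RE.search(text))


def rule_appdata_av_lookalike(ev):
    """An executable named after a security product running out of %APPDATA%."""
    if basename(ev["image"]) in IMPERSONATED_AV and in_appdata(ev["image"]):
        return "av_lookalike_in_appdata"
    return None


def rule_cmd_launch_from_appdata(ev):
    """cmd.exe whose command line starts a binary located in %APPDATA%."""
    if basename(ev["image"]) == "cmd.exe" and in_appdata(ev["cmdline"]):
        return "cmd_starts_appdata_binary"
    return None


def rule_schtasks_to_appdata(ev):
    """schtasks /create whose action (/tr) points into %APPDATA%, expanded or not."""
    if (basename(ev["image"]) == "schtasks.exe"
            and "/create" in ev["cmdline"].lower()
            and in_appdata(ev["cmdline"])):
        return "schtask_persists_appdata_binary"
    return None


RULES = (rule_appdata_av_lookalike, rule_cmd_launch_from_appdata, rule_schtasks_to_appdata)


def hunt(events):
    """Return one finding per rule hit, plus a 'persistence_chain' finding for any
    host that shows both the cmd.exe launch and the scheduled-task step."""
    findings, hits_by_host = [], {}
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                findings.append({"host": ev["host"], "rule": name,
                                 "pid": ev["pid"], "cmdline": ev["cmdline"]})
                hits_by_host.setdefault(ev["host"], set()).add(name)
    for host, names in sorted(hits_by_host.items()):
        if {"cmd_starts_appdata_binary", "schtask_persists_appdata_binary"} <= names:
            findings.append({"host": host, "rule": "persistence_chain", "pid": None, "cmdline": None})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["host"], f["rule"], f["pid"], f["cmdline"])
```

The per-host correlation matters more than any single rule: a lone cmd.exe starting something in the Roaming profile is common in legitimate software, while the same host also registering a scheduled task that points back into that profile is the pattern the report describes. Because the C2 can later order the task deleted, a gap between the task-creation event and a later deletion is itself worth flagging rather than treating the host as clean.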

What more?

  • The bot launches a browser context with those parameters and uses the YouTube Playwright function to automate viewing, liking, and commenting on YouTube videos. The function relies on the Microsoft.Playwright package.
  • The malware connects to a C2 server and receives commands to delete its scheduled task and terminate its own process, upload log files to the C2 server, download and execute additional files, and start or stop viewing a YouTube video.
  • It also checks whether the victim's system has the required dependencies, namely the Chrome browser and the Playwright package. If they are absent, it downloads and installs them when it receives the 'view' command.

The elephant in the room

The recently found YouTube bot malware unfairly boosts the ranking of YouTube videos and steals sensitive information from victims' systems. Its ability to download and execute additional files from the C2 server makes it an even bigger concern, since the infected host can be repurposed at will. Content creators are advised to avoid using bots for video boosting.
Cyware Publisher