- These YouTube promotion videos pretend to be giveaways or games that allow you to win free bitcoins.
- This campaign actually installs the njRAT which is capable of stealing username, browser credentials, and keystroke logging.
What is the issue?
A security researcher named Frost uncovered the YouTube scam campaign that promotes malicious software that offers free Bitcoins. However, this campaign actually installs the njRAT.
More details about the scam
These YouTube promotion videos pretend to be giveaways or games that allow you to win free bitcoins. These videos include the “FREEBITCO IN” string in the title or description.
- The description of the videos includes a http://bit.ly link that redirects users to a landing page that offers a “Freebitcoins 2019 Update Script”.
- This script needs to be downloaded and run in order to claim your free Bitcoin.
- Once users click on the ‘Download’ button to download the script, it redirects users to free file sharing service, where they can download the script ‘SCRIPT UPDATE WIN BTC.VBS’.
- This VBS file is obfuscated. Once users deobfuscate the file, it will save an embedded base64 encoded strings as an executable file.
- This executable is the njRAT. Once executed, njRAT will collect system information and sends it to its C&C server.
- njRAT is capable of stealing username, browser credentials, and keystroke logging.
The bottom line
It is recommended to never download files that end with VBS, JS, or BAT from any file sharing site as these files are widely used to install trojans.