
Image: Kaspersky
In a concerning development, cybercriminals have leveraged the influence of YouTubers to distribute malware disguised as a restriction bypass tool. According to a recent report by Kaspersky Labs, attackers have been using fraudulent copyright claims and blackmail to coerce content creators into sharing links to infected software. This campaign, which primarily targets Russian users, has already affected thousands of victims.
Over the past six months, Kaspersky has detected more than 2.4 million instances of Windows Packet Divert drivers being used to intercept and modify network traffic. While legitimate, this technology has been increasingly abused by cybercriminals to deploy malware under the guise of restriction bypass programs. These fraudulent tools are distributed in archive formats, accompanied by text-based installation instructions advising users to disable their security solutions.
Kaspersky notes that attackers exploit victims' trust by recommending that they turn off their antivirus software, claiming any detection is a false positive. With protection disabled, the malware can persist undetected on infected systems, allowing prolonged exploitation.
A particularly alarming tactic involves blackmailing YouTubers into distributing malware-laced software. According to Kaspersky, “one of the infection channels was a YouTuber with 60,000 subscribers, who posted several videos with instructions for bypassing blocks, adding a link to a malicious archive in the description.” The videos reached over 400,000 views before the YouTuber edited the description to state that the program “does not work.”
The malicious link pointed to a website named gitrok[.]com, which hosted the infected archive. At the time of detection, the site had logged over 40,000 downloads, indicating a significant number of potential victims.
In addition to using unsuspecting influencers, cybercriminals posed as developers of the restriction bypass tool and filed copyright claims against legitimate videos providing bypass instructions. They then pressured YouTubers to either share malicious links or risk the shutdown of their channels.
The malware, named SilentCryptoMiner, is a highly stealthy variant based on XMRig, an open-source cryptocurrency miner. The infection process follows multiple steps:
- Initial Installation: The malicious archive contains an altered installation script (general.bat) that executes a secondary payload using PowerShell.
- Loader Execution: A Python-based loader is executed, retrieving the next-stage malware from domains such as canvas[.]pet or swapme[.]fun.
- System Evasion: The malware scans the system for virtual machine indicators, modifies security settings, and excludes the AppData directory from Microsoft Defender’s scans.
- Persistence Mechanism: The malware establishes itself as a Windows service named DrvSvc, mimicking a legitimate Windows Image Acquisition (WIA) service.
- Crypto Mining Deployment: The miner injects its code into a legitimate Windows process (dwm.exe) using process hollowing. The mining activity halts if monitoring programs like Task Manager or Process Hacker are detected.
- Remote Control and Stealth: The miner receives remote configuration updates every 100 minutes, leveraging Pastebin to store settings, and encrypts its configuration using AES-CBC.
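As an added, defender-side example that is not part of this article or of Kaspersky's report: a small Python triage routine that checks constructed host telemetry for the indicators listed above (the DrvSvc service posing as WIA, a Defender exclusion covering AppData, lookups of the named loader domains or Pastebin, and a dwm.exe started by something other than winlogon.exe). The record layout, field names, sample paths, and the winlogon.exe/StiSvc baselines are assumptions.

```python
# Added example, not from the Kaspersky report or this article: a triage helper
# that applies the indicators the article names to constructed host telemetry.
# The record layout, field names and sample paths are assumptions.
from typing import Iterable

LOADER_DOMAINS = {"canvas.pet", "swapme.fun", "gitrok.com"}  # from the article, defanged "[.]" normalised
WIA_SERVICE = "stisvc"       # assumed baseline: the genuine WIA service name
DWM_PARENT = "winlogon.exe"  # assumed baseline: what normally starts dwm.exe
DEFENDER_EXCL = r"windows defender\exclusions\paths"  # registry path Add-MpPreference writes under (assumed)

def check_record(rec: dict) -> list[str]:
    """Return findings for one telemetry record; an empty list means nothing matched."""
    out, t = [], rec.get("type")
    if t == "service":
        name, disp = rec.get("name", "").lower(), rec.get("display", "").lower()
        if name == "drvsvc" or ("windows image acquisition" in disp and name != WIA_SERVICE):
            out.append(f"service {rec.get('name')} mimics WIA (SilentCryptoMiner persistence)")
    elif t == "registry":
        if DEFENDER_EXCL in rec.get("key", "").lower() and "appdata" in rec.get("value", "").lower():
            out.append("Defender path exclusion added for an AppData directory")
    elif t == "dns":
        host = rec.get("query", "").lower().replace("[.]", ".").rstrip(".")
        if host in LOADER_DOMAINS or host.endswith("pastebin.com"):
            out.append(f"lookup of {host} (loader or config channel named in the article)")
    elif t == "process":
        img, parent = rec.get("image", "").lower(), rec.get("parent", "").lower()
        if img.endswith("dwm.exe") and not parent.endswith(DWM_PARENT):
            out.append("dwm.exe with unexpected parent: possible process-hollowing host")
    return out

def scan(records: Iterable[dict]) -> list[str]:
    """Run check_record over a stream of records and collect every finding."""
    return [f for rec in records for f in check_record(rec)]

# Constructed sample telemetry (not real data) mixing benign and suspicious rows.
SAMPLE_RECORDS = [
    {"type": "service", "name": "DrvSvc", "display": "Windows Image Acquisition (WIA)"},
    {"type": "service", "name": "StiSvc", "display": "Windows Image Acquisition (WIA)"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "value": r"C:\Users\alice\AppData"},
    {"type": "dns", "query": "canvas[.]pet"},
    {"type": "dns", "query": "update.microsoft.com"},
    {"type": "process", "image": r"C:\Windows\System32\dwm.exe", "parent": r"C:\Windows\System32\winlogon.exe"},
    {"type": "process", "image": r"C:\Windows\System32\dwm.exe", "parent": r"C:\Users\alice\AppData\Roaming\x.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

On the constructed sample, four of the seven rows produce a finding; the genuine StiSvc entry, the Microsoft lookup and the winlogon-spawned dwm.exe are left alone.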
Kaspersky’s telemetry suggests that over 2,000 confirmed victims in Russia have been affected, with the real number likely much higher. Notably, the malicious payload can only be downloaded from Russian IP addresses, reinforcing that the campaign is region-specific.
The malware’s persistence and ability to evade detection make it particularly dangerous. By manipulating influencers into unknowingly spreading the malware, cybercriminals have found an effective way to reach a large audience while bypassing traditional security measures.