
Crypto-Stealing Virus PennyWise Spreads via YouTube

A new type of cryptocurrency malware is spreading through YouTube, luring users into downloading programs that are intended to steal data from 30 different crypto wallets and browser extensions.

The spyware known as PennyWise, possibly named after the creature in Stephen King’s horror novel “It”, has been under surveillance since May, according to a blog post by cyber intelligence firm Cyble.

Cyble stated:

“Our investigation indicates that the stealer is an emerging threat. In its current iteration, this stealer can target over 30 browsers and cryptocurrency applications such as cold crypto wallets, crypto-browser extensions, etc.”

The stealer takes Chromium and Mozilla browser data from the victim’s PC, including login information and Bitcoin extension data. It can also steal sessions from chat programs like Discord and Telegram and take screenshots.

According to Cyble, the malware also targets cold crypto-wallets that support Zcash and Ether by searching for wallet files in the directory and transmitting a copy of the data to attackers. These wallets include Armory, Bytecoin, Jaxx, Exodus, Electrum, Atomic Wallet, Guarda, and Coinomi.

The cybersecurity firm warned that YouTube mining tutorial videos posing as free Bitcoin mining software are where the infection is being propagated.

The “Threat Actors,” or hackers, post videos in which they urge viewers to visit the link in the description and download the free software, and to turn off their antivirus programs, which allows the malware to run successfully.

As of June 30, according to Cyble, the attacker had as many as 80 videos posted to their YouTube channel. The identified channel, however, has since been deleted.

It Ain’t Safe Out There

According to a Cointelegraph search, there are still smaller YouTube channels with identical virus links that advertise free NFT mining, paid software cracks, free Spotify premium, and game cheats and mods.

A lot of these accounts were only made in the last 24 hours.

A curious feature of the malware is that it is programmed to terminate itself if it determines that the victim is located in Russia, Ukraine, Belarus, or Kazakhstan. Additionally, Cyble discovered that when the malware sends the victim’s stolen timezone data back to the attackers, it converts it to Moscow Standard Time (MSK).

In February, malware known as Mars Stealer was discovered to target crypto wallets that function as Chromium browser extensions, including MetaMask, Binance Chain Wallet, and Coinbase Wallet.

Even “low-skilled” cybercriminals are increasingly deploying malware to steal money from crypto hodlers, according to a January warning from Chainalysis. Cryptojacking accounted for 73% of the total value acquired by malware-related addresses between 2017 and 2021.
