PennyWise malware on YouTube targets cryptocurrency wallets and browsers (Security News, July 2022)
The malware poses as a free Bitcoin mining application that is advertised in, and downloadable from, a YouTube video.
To look more legitimate, the threat actor also adds a VirusTotal link, but the scan results shown are for a clean file, not for the malware itself.
Figure B. The downloaded archive contains an installer that executes PennyWise; the malware then begins communicating with its command and control server.
The malware also checks which antivirus product or sandbox might be running, and compares the names of running processes against a predefined list of analysis tools such as Wireshark, Fiddler and TcpView.
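The process-name check described above, as an added illustration (this is not the malware's code and not from the article): the list is seeded only with the three tools the article names, the real list is assumed to be longer, and the normalisation (basename, lower-case, strip ".exe") is an assumption about how such checks are typically written. The last function shows the practical caveat: a renamed analysis binary is not matched at all.

```python
import ntpath

# Only the three names the article mentions; the malware's actual list is assumed to be longer.
ANALYSIS_TOOL_NAMES = {"wireshark", "fiddler", "tcpview"}


def normalize_process_name(proc: str) -> str:
    """Reduce 'C:\\Tools\\Wireshark.exe' to 'wireshark' (assumed matching rule)."""
    base = ntpath.basename(proc).lower()   # ntpath splits on both '\\' and '/'
    if base.endswith(".exe"):
        base = base[:-4]
    return base


def analysis_tools_present(running_processes, blocklist=ANALYSIS_TOOL_NAMES):
    """Return the sorted blocklist entries found among the running process names."""
    seen = {normalize_process_name(p) for p in running_processes}
    return sorted(seen & set(blocklist))


def would_abort(running_processes, blocklist=ANALYSIS_TOOL_NAMES) -> bool:
    """Model of the decision: any match and the malware stops before contacting its C2."""
    return bool(analysis_tools_present(running_processes, blocklist))


if __name__ == "__main__":
    # Constructed process list, not captured from a real host.
    sample = ["explorer.exe", r"C:\Program Files\Wireshark\Wireshark.exe", "fiddler.exe"]
    print(analysis_tools_present(sample))          # ['fiddler', 'wireshark']
    print(would_abort(["explorer.exe", "ws-lab.exe"]))  # False: renamed tool is not detected
```

For sandbox operators the takeaway is the last case: because the check is a plain name comparison, exposing analysis tools under non-default binary names avoids triggering the bail-out.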
The file grabber only steals RTF, DOC, DOCX, TXT and JSON files smaller than 20 KB, saving them in a folder named "Grabber" inside the hidden directory structure the malware creates.
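A defender-side model of the selection rule and staging location described above, added here as an example and not taken from the article or the malware: it reproduces the extension and size filter and walks a directory tree for a "Grabber" folder under a hidden parent. The fixture directory is constructed inline; treating a leading "." as "hidden" is a portable stand-in for the Windows hidden attribute and is an assumption, as is the exact location of the hidden folder.

```python
import os
import tempfile
from pathlib import Path

# Criteria stated in the article: these extensions, and files smaller than 20 KB.
GRABBED_EXTENSIONS = {".rtf", ".doc", ".docx", ".txt", ".json"}
MAX_SIZE = 20 * 1024


def would_be_grabbed(path: Path) -> bool:
    """True if a file matches the grabber's extension and size rule."""
    if not path.is_file():
        return False
    return path.suffix.lower() in GRABBED_EXTENSIONS and path.stat().st_size < MAX_SIZE


def is_hidden(path: Path) -> bool:
    """Assumed stand-in for 'hidden': dot-prefixed name (Windows uses a file attribute)."""
    return path.name.startswith(".")


def find_grabber_staging(root: Path):
    """Locate 'Grabber' folders under a hidden parent and list the files staged there.

    Returns (path, size, matches_rule) tuples; a staged file that does not match the
    rule is worth a second look during triage.
    """
    staged = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() == "grabber" and is_hidden(d.parent):
            for name in sorted(filenames):
                p = d / name
                staged.append((p, p.stat().st_size, would_be_grabbed(p)))
    return staged


def build_sample_tree() -> Path:
    """Constructed fixture for the demo; not real malware output."""
    root = Path(tempfile.mkdtemp(prefix="grabber_demo_"))
    staging = root / ".svc" / "Grabber"          # hidden parent is an assumption
    staging.mkdir(parents=True)
    (staging / "seed.txt").write_text("twelve seed words would be here")
    (staging / "wallet.json").write_text('{"addr": "bc1qexample"}')
    docs = root / "Documents"
    docs.mkdir()
    (docs / "notes.txt").write_text("small text file, would be taken")
    (docs / "report.docx").write_bytes(b"x" * (25 * 1024))   # over 20 KB, skipped
    (docs / "photo.png").write_bytes(b"\x89PNG")            # wrong extension, skipped
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for p, size, hit in find_grabber_staging(root):
        print(f"{p.relative_to(root)}  {size} bytes  rule_match={hit}")
```

Running the walk over a user profile after an incident gives a quick inventory of what was staged for exfiltration; the rule model is also useful for estimating exposure (which documents on a host fall within the 20 KB, text-format window).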
If the malware detects a browser it recognises, it steals all of that browser's stored data it knows how to reach, including login credentials, cookies, encryption keys and master passwords.
News URL
https://www.techrepublic.com/article/pennywise-malware-youtube-crypto/