Hackers Hijack YouTube Channels to Launch Password-Theft Malware Campaigns

  • Last updated February 15, 2024
  • written by Editor

In a concerning development, cybersecurity researchers at Cybereason have uncovered a sophisticated cybercrime operation in which attackers take over inactive YouTube channels using old, leaked credentials. The criminals then upload videos promising cracked software, a tactic designed to trick viewers into downloading malware.

“The attacker seizes control…by enticing victims with promises of cracked software,” the report details, highlighting a worrying trend of using social media platforms for widespread and cost-effective cyberattacks.

The Cybereason report details how an infection flows through YouTube videos.

This operation leverages AI-generated videos, differing significantly from the channels’ original content, to offer malware under the guise of desirable software. For example, an account previously focused on rap music until 2021 unexpectedly began sharing a cracked Adobe Animate version in August 2023, showcasing the stealth and deception involved in these campaigns.

The malware, hidden within the downloads promised in video descriptions, ranges from password stealers such as Redline and Raccoon Stealer to TropiCracked. The attackers employ SEO poisoning and manipulate video comments to increase their reach and credibility, exploiting the trust of unsuspecting viewers.

The recent discovery of a video uploaded 13 days ago, offering a Microsoft Office crack with a malicious payload hidden behind shortened links, underscores the sophistication and danger of these attacks. The description contains a password-protected Rebrandly link that redirects to a Telegraph page, concealing the genuine download link. Telegraph facilitates anonymous publishing, and the page's timestamp suggests activity dating back to November 24, 2022.

The report found YouTube videos offering cracked Microsoft Office keys that deliver malware. (Source: Cybereason)

Cybereason also identifies a Malicious Operation (MalOp) indicating potential credential theft and data exfiltration. A successful Redline infection provides the threat actor with access, enabling further exploitation and lateral movement within the network.

TropiCracked efficiently exploits a budget-friendly infrastructure, utilizing platforms such as YouTube, Telegraph, and Mediafire to achieve widespread access. This attack, employing compromised YouTube accounts, Redline access, and Google Dorking, is directed at over 800 accounts with minimal cost and technical expertise.
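The lure the report describes has a recognisable shape: a description that sells a "crack", hands out an archive password, and links through a shortener to an anonymous Telegraph page and finally to a file host. The following is an added example, not code from the article or from Cybereason, of how a defender might triage video descriptions and already-resolved redirect chains for that shape. The hostnames (rebrand.ly, telegra.ph, mediafire.com), the scoring weights, the threshold and the sample inputs are all assumptions constructed for the example; resolving shortened links safely (hop-limited, without fetching the final file) is left to the caller.

```python
"""Heuristic triage for cracked-software lures of the kind described in the
Cybereason report. Added example; hostnames, weights and samples are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Role each domain plays in the reported delivery chain (assumed hostnames).
SHORTENERS = {"rebrand.ly", "bit.ly", "tinyurl.com"}
ANON_PUBLISHING = {"telegra.ph"}
FILE_HOSTS = {"mediafire.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_WORDS = re.compile(r"\b(crack(ed)?|keygen|activation key|full version|free download)\b", re.I)
PASSWORD_HINT = re.compile(r"\b(password|pass|pw)\s*[:=]\s*\S+", re.I)
SUSPICIOUS_THRESHOLD = 4  # assumed cut-off; tune against your own data


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def host_role(url: str) -> Optional[str]:
    """Map a URL's host to its role in the lure chain, or None if unremarkable."""
    host = (urlparse(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if host in SHORTENERS:
        return "shortener"
    if host in ANON_PUBLISHING:
        return "anon-publishing"
    if host in FILE_HOSTS:
        return "file-host"
    return None


def triage_description(text: str) -> Verdict:
    """Score a video description; a higher score means more lure indicators."""
    v = Verdict()
    roles = {host_role(u) for u in URL_RE.findall(text)} - {None}
    lure = LURE_WORDS.search(text) is not None
    if lure:
        v.add(2, "cracked-software lure wording")
    if PASSWORD_HINT.search(text):
        v.add(2, "archive password handed out in the description")
    for role, points in (("shortener", 1), ("anon-publishing", 2), ("file-host", 1)):
        if role in roles:
            v.add(points, f"link to {role}")
    if lure and roles:
        v.add(1, "lure wording combined with a hop of the delivery chain")
    return v


def score_chain(hops: list[str]) -> Verdict:
    """Score a resolved redirect chain (first hop to final URL) supplied by the caller."""
    v = Verdict()
    roles = [host_role(h) for h in hops]
    if len(hops) > 2:
        v.add(1, f"{len(hops) - 1} redirects before the final URL")
    if roles[0] == "shortener":
        v.add(1, "entry point is a link shortener")
    if "anon-publishing" in roles:
        v.add(2, "anonymous publishing page used as an intermediate hop")
    if roles[-1] == "file-host":
        v.add(1, "final URL is a file host rather than a vendor site")
    if roles[0] == "shortener" and "anon-publishing" in roles and roles[-1] == "file-host":
        v.add(2, "shortener -> Telegraph -> file host matches the reported pattern")
    return v


def is_suspicious(text: str, threshold: int = SUSPICIOUS_THRESHOLD) -> bool:
    return triage_description(text).score >= threshold


# Constructed samples; none of these are real videos or links.
LURE_DESCRIPTION = (
    "Microsoft Office 2021 CRACKED full version free download!\n"
    "Link: https://rebrand.ly/example-office-crack\n"
    "Password: 1234\n"
)
BENIGN_DESCRIPTION = "New single out now. Listen on https://www.youtube.com/watch?v=example\n"
LURE_CHAIN = [
    "https://rebrand.ly/example-office-crack",
    "https://telegra.ph/Office-Crack-example",
    "https://www.mediafire.com/file/example/Office.rar",
]

if __name__ == "__main__":
    for label, text in (("lure", LURE_DESCRIPTION), ("benign", BENIGN_DESCRIPTION)):
        verdict = triage_description(text)
        print(f"{label}: score={verdict.score} suspicious={is_suspicious(text)} {verdict.reasons}")
    chain = score_chain(LURE_CHAIN)
    print(f"chain: score={chain.score} {chain.reasons}")
```

The two scorers are deliberately separate: description triage runs on text alone and can be applied at scale to channel uploads, while chain scoring only needs the hop list a hop-limited resolver already produced, so no analyst machine ever has to download the archive at the end of the chain.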

Whatever the platforms themselves do to curb abuse, individuals and organizations must prioritize securing their endpoints against such attacks.

Users are advised to exercise caution, verify the legitimacy of software downloads, and consider protective measures such as using reputable free VPN services to strengthen their online security posture against such insidious threats.
