A new type of cryptocurrency malware is spreading through YouTube, luring users into downloading programs that are intended to steal data from 30 different crypto wallets and browser extensions. The malware called “PennyWise”—likely named after the monster in the horror novel “It”—had been tracked since May, according to a blog post by cyber intelligence firm Cyble. The blog post stated:
“Our investigation indicates that the stealer is an emerging threat.”
According to the report, the attacker can currently target over 30 browsers as well as bitcoin applications such as cold wallets and browser extensions.
Cyble analyzes Pennywise, an infostealer that targets over 30 browsers and cold crypto-wallets and leverages YouTube to spread itself. https://t.co/ZXZD8gkNs1 #Threatintel #cybercrime #Infostealer #Cryptocurrency #YouTube
— Cyble (@AuCyble) June 30, 2022
Chromium and Mozilla browser data, including login information and Bitcoin extension data, were reportedly stolen from the victim’s PC. The malware can also steal sessions from messaging applications like Discord and Telegram and take screenshots.
In addition, Cyble reveals that the malware targets cold crypto-wallets that support Zcash and Ethereum by scanning the directory for wallet files and transmitting copies of those files to the attackers. These wallets include Armory, Bytecoin, Jaxx, Exodus, Electrum, Atomic Wallet, Guarda, and Coinomi.
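The wallet-file collection described above can be spotted on the endpoint side from file-access telemetry: a legitimate wallet application reads only its own data directory, whereas a stealer reads across several of them. The following detection heuristic is an added example, not code from Cyble's report; the audit-event format and the directory paths in the sample are constructed for illustration, while the wallet names come from the report.

```python
import re
from collections import defaultdict

# Wallet applications named in Cyble's report as PennyWise targets.
# "atomic" stands for Atomic Wallet; the other names are used as given.
WALLET_NAMES = ["armory", "bytecoin", "jaxx", "exodus",
                "electrum", "atomic", "guarda", "coinomi"]

# Constructed sample of file-read audit events: "<pid> <process> READ <path>".
# The event format and every path below are assumptions for this example.
SAMPLE_EVENTS = """\
4120 exodus.exe READ C:\\Users\\alice\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco
7732 update.exe READ C:\\Users\\alice\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco
7732 update.exe READ C:\\Users\\alice\\AppData\\Roaming\\Electrum\\wallets\\default_wallet
7732 update.exe READ C:\\Users\\alice\\AppData\\Roaming\\atomic\\Local Storage\\leveldb\\000003.log
7732 update.exe READ C:\\Users\\alice\\AppData\\Roaming\\Guarda\\Local Storage\\leveldb\\000003.log
9001 electrum.exe READ C:\\Users\\alice\\AppData\\Roaming\\Electrum\\wallets\\default_wallet
"""


def parse_event(line):
    """Split one audit line into (pid, process, action, path); path may contain spaces."""
    pid, proc, action, path = line.split(" ", 3)
    return int(pid), proc, action, path


def wallets_in_path(path):
    """Return the set of known wallet names that appear as a path component prefix."""
    parts = [p.lower() for p in re.split(r"[\\/]", path)]
    return {name for name in WALLET_NAMES if any(p.startswith(name) for p in parts)}


def find_suspicious(events_text, threshold=2):
    """Map (pid, process) -> sorted wallet names for processes reading files
    belonging to at least `threshold` distinct wallet applications."""
    touched = defaultdict(set)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        pid, proc, action, path = parse_event(line)
        if action != "READ":
            continue
        touched[(pid, proc)] |= wallets_in_path(path)
    return {key: sorted(names) for key, names in touched.items() if len(names) >= threshold}


if __name__ == "__main__":
    for (pid, proc), names in find_suspicious(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({proc}) read data from {len(names)} wallets: {', '.join(names)}")
```

On the sample, only `update.exe` is reported, because it is the single process that reads across four different wallet directories; each real wallet binary touches only its own.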
How does malware use YouTube?
The cybersecurity company explained that the attacker gains access to systems by spreading the malware through YouTube mining tutorial videos that advertise so-called free Bitcoin mining software in their description boxes. The threat actors produce videos in which they direct viewers to click the link in the description and download the free software, while at the same time enticing them to turn off their antivirus programs, which allows the malware to run undetected.
As of June 30, according to Cyble, the attacker had up to 80 videos on their YouTube channel; however, the detected channel has since been deleted.
Cybercrimes in the crypto world have become very common due to the lack of clear regulatory structures and the decentralized nature of the space. In February this year, as TheCoinRise reported, crypto exchange giant Binance joined the NCFTA (National Cyber-Forensics and Training Alliance) to help combat cybercrime.
Moreover, the blockchain analysis company Chainalysis in January also talked about a low-profile malware that was stealing millions at the time.