Hackers Use YouTube Videos to Spread Malware That Steals Passwords

Threat actors use a variety of strategies, from widespread phishing to technical zero-day exploits, to find ways to take advantage of vulnerabilities. On popular platforms such as social media, social engineering combines with commodity malware to enable rapid, low-cost, and large-scale attacks.

Even though they may appear minor, these infections, like the malware posing as cracked software in AI-generated YouTube videos, pose serious risks to both consumers and companies.

Malware via YouTube Videos

The attacker uses previously leaked credentials to take over dormant YouTube channels. Then, according to a Cybereason investigation, they publish a single short video, unrelated to the channel's earlier content, that lures viewers with the promise of cracked software.


In August 2023, an account that had until then focused on rap music posted a cracked version of Adobe Animate. Researchers note that the titles and thumbnails share the same layout. The videos combine text over animated backgrounds with voice-to-text and AI-generated content. Audience sizes range from 0 to more than 100,000 subscribers.


Threat actors increase the number of views by using techniques such as SEO poisoning and heavy tagging with terms associated with searches for cracked software. Tags are even written in the languages of the targeted regions, pointing to specific campaigns.


Threat actors also manipulate video comments to build trust, posting from hacked accounts or suppressing comments that would warn victims.

The video description includes a link to what appears to be cracked software but is in fact a password stealer; Bitly or Rebrandly link shorteners hide the real URLs.

Victims who download the payload, believing it to be genuine, are infected via file-sharing sites or compromised websites.

Infostealers & Malware Observed

The malware and infostealer families observed are listed below:

  1. Redline
  2. Raccoon Stealer
  3. TropiCracked

Thirteen days ago, a video was published promising a Microsoft Office crack. A password-protected Rebrandly link in the description hides the real download link and redirects users to a Telegraph URL. Telegraph allows anonymous posting; the page links to a MediaFire download named "Setup (PA$S 5577)", and its timestamp shows activity from November 24, 2022.


Although Setup.exe and the password required to extract the RAR archive purport to be Madedisk products, analysis reveals they are malicious. According to its metadata, the file is a .NET binary obfuscated with SmartAssembly, with a build date of August 30, 2023.

Static analysis requires tools such as dnSpy and de4dot. Setup.exe executes the payload by invoking vbc.exe, which VirusTotal flags as Redline. The vbc.exe process connects to a Finland-based IP address (95.217.14.200) that has been identified as a Redline C2 server.


Cybereason detects this as a malicious operation (MalOp) involving espionage and credential theft. A successful Redline infection gives the threat actor a foothold for lateral movement and further exploitation of the network.
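The execution chain above (a downloaded Setup.exe spawning vbc.exe, which then contacts the reported C2 address) is what an endpoint detection rule would key on. The following is an added detection sketch, not code from Cybereason or the article; the event log format, the sample lines, the allow-list of build tools that legitimately launch vbc.exe, and the 203.0.113.10 address are all constructed for this example.

```python
"""Detection sketch: vbc.exe spawned by a non-build-tool parent, optionally
correlated with a connection to the Redline C2 named in the article."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# C2 address reported in the article as a Redline command-and-control server.
REDLINE_C2 = {"95.217.14.200"}
# vbc.exe is the VB.NET compiler; these parents launch it legitimately during
# builds. Assumed allow-list for this example; tune it to your environment.
BENIGN_VBC_PARENTS = {"msbuild.exe", "devenv.exe"}

@dataclass
class Proc:
    pid: int
    image: str
    parent_image: str

def parse_events(log_text: str) -> Tuple[Dict[int, Proc], List[Tuple[int, str, int]]]:
    """Constructed line format:
       proc,<pid>,<image>,<ppid>,<parent_image>   or   net,<pid>,<dest_ip>,<dest_port>"""
    procs: Dict[int, Proc] = {}
    conns: List[Tuple[int, str, int]] = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        kind, *f = line.split(",")
        if kind == "proc":
            procs[int(f[0])] = Proc(int(f[0]), f[1], f[3])
        elif kind == "net":
            conns.append((int(f[0]), f[1], int(f[2])))
    return procs, conns

def detect(log_text: str) -> List[str]:
    """MEDIUM: vbc.exe from an unexpected parent. HIGH: same pid also reached a known C2."""
    procs, conns = parse_events(log_text)
    alerts: List[str] = []
    for p in procs.values():
        if p.image.lower() != "vbc.exe" or p.parent_image.lower() in BENIGN_VBC_PARENTS:
            continue
        c2_hits = [f"{ip}:{port}" for pid, ip, port in conns if pid == p.pid and ip in REDLINE_C2]
        if c2_hits:
            alerts.append(f"HIGH pid {p.pid}: {p.parent_image} -> vbc.exe -> C2 {c2_hits[0]}")
        else:
            alerts.append(f"MEDIUM pid {p.pid}: {p.parent_image} -> vbc.exe (no known C2 contact)")
    return alerts

# Constructed sample telemetry: one infected host (4188), one normal build (5010),
# and one unexplained launch with no C2 contact (6022).
SAMPLE_LOG = """
proc,4120,Setup.exe,880,explorer.exe
proc,4188,vbc.exe,4120,Setup.exe
proc,5010,vbc.exe,3300,MSBuild.exe
proc,6022,vbc.exe,6001,powershell.exe
net,4188,95.217.14.200,443
net,6022,203.0.113.10,443
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```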

TropiCracked achieves broad reach from low-cost infrastructure by leveraging MediaFire, Telegraph, and YouTube. Using Redline access, compromised YouTube accounts, and Google Dorking, the campaign has targeted over 800 accounts at little cost and with little technical expertise.

Regardless of the countermeasures social media platforms take, individuals and organizations still need to protect their endpoints against these kinds of threats.