Sophisticated Phishing Campaign Targeting Chinese Users with ValleyRAT and Gh0st RAT
Chinese-language speakers have been increasingly targeted as part of multiple email phishing campaigns that aim to distribute various malware families such as Sainbox RAT, Purple Fox, and a new trojan called ValleyRAT.
"Campaigns include Chinese-language lures and malware typically associated with Chinese cybercrime activity," enterprise security firm Proofpoint said in a report shared with The
Android GravityRAT malware now steals your WhatsApp backups
A new Android malware campaign spreading the latest version of GravityRAT has been underway since August 2022, infecting mobile devices with a trojanized chat app named ‘BingeChat,’ which attempts to steal data from victims’ devices. […]
Hackers Exploit YouTube Videos to Deliver Password Stealing Malware
Threat actors hunt for ways to exploit vulnerabilities by employing tactics from technical zero-days to broad phishing.
Social engineering blends with commodity malware on high-traffic sites such as social media, which allows quick, cheap, and widespread attacks.
Despite seeming trivial, these infections, such as AI-generated videos on YouTube offering malware disguised as cracked software, pose significant risks to users and organizations.
Malware Via YouTube Videos
The attacker seizes control of inactive YouTube channels using leaked old credentials. Then they upload a single short video that differs from the channel’s previous content, enticing victims with promises of cracked software, reads the Cybereason report.
Example Of Uniform Uploads Across Channels (Source – Cybereason)
An account focused on rap music till 2021 suddenly shared a cracked Adobe Animate version in August 2023. Experts notice the consistent layout of thumbnails and titles.
Videos use AI-generated content, mixing voice-to-text and text on animated backgrounds. Audience size varies from zero to over a hundred thousand subscribers.
Compromised Account With Large Following (Source – Cybereason)
Threat actors boost the videos’ reach with tricks like SEO poisoning, adding large numbers of tags related to cracked-software searches. The tags even match the languages of targeted regions, hinting at localized attack campaigns.
Tags Used For SEO Poisoning (Source – Cybereason)
Threat actors also manipulate the comment section to build trust, either seeding it with posts from compromised accounts or disabling comments entirely so victims see no warnings.
The videos point viewers to the description, which contains a password-protected link to the alleged cracked software; the real URL is masked behind link shorteners like Rebrandly or Bitly.
The malicious payload, hosted on file-sharing or compromised sites, infects victims who download it believing it is legitimate.
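The signals described above (a cracked-software lure in the title or tags, a long-dormant channel suddenly uploading, tags spanning several writing systems, a shortener link in the description, disabled comments) can be turned into a simple triage score for a video's metadata. The Python below is an added example, not code from the Cybereason report; the video records, the shortener domain list, the keyword list and the thresholds are constructed assumptions for illustration.

```python
import unicodedata
from datetime import date
from urllib.parse import urlparse

# Assumed hostnames for the shorteners named in the article.
SHORTENER_DOMAINS = {"rebrand.ly", "bit.ly"}
# Assumed lure vocabulary seen in cracked-software SEO poisoning.
LURE_KEYWORDS = ("crack", "cracked", "keygen", "free download", "activation", "full version")

# Constructed sample records (hypothetical; placeholder URL).
SUSPICIOUS_VIDEO = {
    "title": "Adobe Animate 2023 Cracked | Free Download | Full Version",
    "tags": ["adobe animate crack", "animate 2023 free",
             "adobe animate скачать бесплатно", "adobe animate 破解"],
    "description": "Link: https://rebrand.ly/example-placeholder  Password is in the video",
    "upload_date": date(2023, 8, 15),
    "comments_disabled": True,
}
BENIGN_VIDEO = {
    "title": "Studio session vlog",
    "tags": ["rap", "studio", "beats"],
    "description": "More at https://example.com/channel",
    "upload_date": date(2021, 1, 20),
    "comments_disabled": False,
}


def scripts_in(tags):
    """Set of Unicode script names (LATIN, CYRILLIC, CJK, ...) used by the tags."""
    scripts = set()
    for tag in tags:
        for ch in tag:
            if ch.isalpha():
                scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def hosts_in(text):
    """Hostnames of every http(s) URL found in free text, without a www. prefix."""
    hosts = set()
    for token in text.split():
        if token.startswith(("http://", "https://")):
            host = urlparse(token).hostname
            if host:
                host = host.lower()
                if host.startswith("www."):
                    host = host[4:]
                hosts.add(host)
    return hosts


def score_video(video, previous_upload, dormancy_days=365):
    """Return the list of suspicious signals triggered by one video's metadata."""
    signals = []
    text = (video["title"] + " " + " ".join(video["tags"])).lower()
    if any(kw in text for kw in LURE_KEYWORDS):
        signals.append("cracked-software lure in title or tags")
    gap = (video["upload_date"] - previous_upload).days
    if gap >= dormancy_days:
        signals.append(f"first upload after {gap} days of dormancy")
    scripts = scripts_in(video["tags"])
    if len(scripts) >= 2:
        signals.append("tags span multiple writing systems: " + ", ".join(sorted(scripts)))
    if hosts_in(video["description"]) & SHORTENER_DOMAINS:
        signals.append("link shortener in description")
    if video["comments_disabled"]:
        signals.append("comments disabled")
    return signals


def verdict(signals, threshold=3):
    """Simple decision: three or more signals is worth a closer look."""
    return "suspicious" if len(signals) >= threshold else "benign"


if __name__ == "__main__":
    for name, video, prev in (("suspicious", SUSPICIOUS_VIDEO, date(2021, 3, 1)),
                              ("benign", BENIGN_VIDEO, date(2021, 1, 1))):
        found = score_video(video, prev)
        print(name, verdict(found), found)
```

The dormancy check needs the channel's previous upload date, which is why it is passed in separately; the writing-system check is a cheap stand-in for full language detection and is enough to catch the multi-language tag stuffing described above.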
Infostealers & Malware Observed
Below are the infostealers and malware observed in this campaign:
The latest video, uploaded 13 days ago, promises a Microsoft Office crack. The description contains a Rebrandly link and a password; the link redirects to a Telegraph page that hides the actual download link.
Telegraph allows anonymous publishing, and the page timestamp indicates activity since November 24, 2022. The link leads to MediaFire, which hosts Setup (PA$S 5577).rar.
Mediafire Download Link (Source – Cybereason)
The password is required to decompress the rar file. The extracted Setup.exe claims to be a Makedisk product, but analysis confirms it is malicious.
The file’s metadata reveals it is a .NET binary obfuscated with SmartAssembly, with a compile date of August 30, 2023. Tools like de4dot and dnSpy are needed for static analysis.
VirusTotal flags it as Redline. Setup.exe runs the payload by launching vbc.exe, and vbc.exe then connects to a Finland-based IP (95.217.14.200) that was flagged as a Redline C2 server.
Attack Tree (Source – Cybereason)
Cybereason detects a Malicious Operation (MalOp) with potential credential theft and data exfiltration. A successful Redline infection gives the threat actor a foothold that enables further exploitation and lateral movement within the network.
TropiCracked relies on cheap, freely available infrastructure (YouTube, Telegraph, and MediaFire) to reach a broad audience.
By leveraging compromised YouTube accounts, Redline access, and Google Dorking, the attack targets over 800 accounts with minimal cost and technical skill.
Despite the platforms’ own efforts, individuals and organizations must still secure their endpoints against such attacks.
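On the endpoint, the execution chain above (Setup.exe launching vbc.exe, which then talks to the C2 address) is the part a detection engineer can key on: the VB.NET compiler has no business making outbound connections, and it is rarely spawned by anything other than a build tool. The Python below is an added example, not Cybereason's detection logic; it correlates constructed process-creation and network events in a hypothetical key=value telemetry format. The event format, the MSBuild path and the allow-list of legitimate parent build tools are assumptions; the C2 IP is the one named in the report.

```python
import re

# Constructed EDR-style telemetry (hypothetical format): process creations and
# network connections, one event per line. The MSBuild path is invented.
SAMPLE_EVENTS = r"""
2023-09-10T12:00:00Z PROC pid=3980 ppid=1200 image=C:\Windows\explorer.exe
2023-09-10T12:00:05Z PROC pid=4120 ppid=3980 image=C:\Users\victim\Downloads\Setup.exe
2023-09-10T12:00:07Z PROC pid=4188 ppid=4120 image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
2023-09-10T12:00:09Z NET pid=4188 dst=95.217.14.200:80
2023-09-10T12:01:00Z PROC pid=5000 ppid=3980 image=C:\Tools\msbuild\MSBuild.exe
2023-09-10T12:01:02Z PROC pid=5012 ppid=5000 image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"""

KNOWN_C2 = {"95.217.14.200"}                                # IP named in the Cybereason report
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}   # assumed legitimate parents
COMPILERS = {"vbc.exe", "csc.exe"}                          # .NET compilers abused as loaders

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Parse '<ts> <KIND> key=value ...' lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        ts, kind, rest = parts
        fields = dict(FIELD_RE.findall(rest))
        fields["ts"] = ts
        fields["kind"] = kind
        events.append(fields)
    return events


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_compiler_abuse(events):
    """Alert on any outbound connection made by a .NET compiler process.

    Each alert lists the reasons that fired: the connection itself, a parent that
    is not a known build tool, and a destination on the known-C2 list.
    """
    procs = {int(e["pid"]): e for e in events if e["kind"] == "PROC"}
    alerts = []
    for e in events:
        if e["kind"] != "NET":
            continue
        pid = int(e["pid"])
        proc = procs.get(pid)
        if proc is None or basename(proc["image"]) not in COMPILERS:
            continue
        parent = procs.get(int(proc["ppid"]))
        parent_name = basename(parent["image"]) if parent else "unknown"
        dst_ip = e["dst"].rsplit(":", 1)[0]
        reasons = [f"outbound connection from compiler {basename(proc['image'])} to {e['dst']}"]
        if parent_name not in BUILD_TOOLS:
            reasons.append(f"spawned by non-build-tool parent {parent_name}")
        if dst_ip in KNOWN_C2:
            reasons.append(f"destination {dst_ip} is a known Redline C2")
        alerts.append({"pid": pid, "image": proc["image"], "parent": parent_name,
                       "dst": dst_ip, "ts": e["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_compiler_abuse(parse_events(SAMPLE_EVENTS)):
        print(alert["ts"], alert["image"], "parent:", alert["parent"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

The second vbc.exe instance (spawned by MSBuild and never touching the network) produces no alert, which is the behaviour a build server should see; the first fires on all three reasons. Keying the rule on the network connection rather than on the IP alone means it still fires when the C2 address changes.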