Kaspersky Exposes Dark Plot: YouTubers Trapped into Pushing Crypto Malware

Kaspersky security research has revealed cybercriminals' evolving tactics for coercing YouTube influencers into pushing crypto-mining malware.

Criminal actors are now blackmailing YouTube content creators into placing links to crypto-mining malware in their video descriptions. The lure is Windows Packet Divert drivers, tools that internet users install to get around geographic blocking and other restrictions.

Are YouTube Creators the New Conduit for Malware?

Kaspersky researchers report that they have detected these drivers on 2.4 million devices, with monthly detections climbing steadily since September.

The popularity of the Packet Divert drivers is evident from the many YouTube videos explaining how to download and install them. Criminals have exploited that popularity by getting links to the SilentCryptoMiner malware inserted into the descriptions of such videos.

Kaspersky highlights that filing a false copyright strike against the video is a common opening move. The criminals then contact the creator, claiming to be the original developers of the driver discussed, and pressure the creator into replacing the download link with theirs.

In one case Kaspersky describes, the criminals coerced a YouTuber with 60,000 subscribers into adding malicious links to videos that together had over 400,000 views. The links sent viewers to an infected archive instead of the legitimate repository on GitHub, and that archive racked up over 40,000 downloads.

Cybercriminals' New Tactic

Kaspersky reports that criminals threaten content creators with copyright strikes and video takedowns. The tactic has led to the infection of some 2,000 devices in Russia with the crypto-mining malware, and the security company says the number could rise given the similar campaigns it has observed in Telegram channels.

Kaspersky security researcher Leonid Bezvershenko noted that while criminals have long deployed crypto-mining malware, pressuring creators with false copyright complaints is a more aggressive and unusual move. He observes that cybercriminals are rapidly moving beyond the typical miner and infostealer threats by turning social platforms into malware distribution channels.

Vigilance Is a Necessity

Bezvershenko explains that coercing influencers capitalizes on the trust YouTubers have built with their audiences to achieve large-scale infections. He adds that SilentCryptoMiner is built on the popular open-source miner XMRig and mines Ethereum, Ravencoin, Ethereum Classic, and Monero.

The malware lodges itself on the device through process hollowing, after which the operators can control it remotely. They can also make the miner pause whenever particular processes are active, which helps it avoid notice.

This particular campaign has claimed most of its victims in Russia, and the malicious archive itself was served mainly to Russian IP addresses. Bezvershenko confirms that the attackers' choice of geography follows wherever they perceive the most opportunity.

The discovery comes as crypto-mining malware grows more widespread. The Center for Internet Security (CIS) ranked CoinMiner as the second most prevalent malware of 2024, behind only the drive-by downloader SocGholish.

Early last month, Kaspersky researchers flagged a complex cross-platform malware campaign that targets crypto wallet recovery data via malicious mobile apps. The report revealed that the "SparkCat" campaign used a malicious software development kit (SDK) embedded in modified messaging apps and other applications to scan crypto users' image galleries for sensitive recovery data.

Late last month, Kaspersky also warned of crypto-stealing malware delivered through fake GitHub repositories. The attackers target software developers by uploading bogus projects crafted to look like legitimate repositories to their intended victims.

A further discovery by ReversingLabs researchers in December last year showed a rise in crypto-mining malware inserted into open-source packages. The research firm observed that the attackers go after packages with hundreds of thousands of weekly downloads.

With cybercriminals evolving daily, Kaspersky urges web users to remain vigilant and to verify where they download from. The security firm acknowledged, however, that developers find it hard to avoid legitimate packages that have been compromised.
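One concrete way to act on that advice, as an added example that is not part of Kaspersky's report or this article: a small Python checker that pulls every link out of a video description, flags any whose host is not the project's known repository host, and verifies a downloaded archive against a checksum taken from the project's official page. The sample description, the allowlisted host and the test data below are constructed for illustration; the only assumption is that you already know the legitimate host and checksum from an out-of-band source.

```python
"""Flag download links that do not point at the expected repository host,
then verify the archive checksum. Added example; not Kaspersky's tooling."""
import hashlib
import re
from urllib.parse import urlparse

# Matches http(s) URLs up to whitespace or a closing bracket/quote.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")

# Constructed sample description. It mixes the real repository link with two
# lookalikes: a subdomain trick and a userinfo trick ("github.com@...").
SAMPLE_DESCRIPTION = """How to install the driver (constructed sample)
Official repo: https://github.com/example-org/example-driver/releases
Faster mirror: https://github.com.mirror.example/example-driver.zip
Direct link: https://github.com@dl.example/example-driver.zip
"""


def extract_urls(text: str) -> list[str]:
    """Return every URL found in the text, in order of appearance."""
    return URL_RE.findall(text)


def suspicious_links(description: str, expected_hosts: set[str]) -> list[str]:
    """Return links whose parsed hostname is not in the allowlist.

    Parsing with urlparse (rather than a string prefix check) is what defeats
    the "https://github.com@dl.example/..." trick: the hostname there is
    dl.example, and the "github.com" part is just userinfo.
    """
    allowed = {h.lower() for h in expected_hosts}
    flagged = []
    for url in extract_urls(description):
        host = (urlparse(url).hostname or "").lower()
        if host not in allowed:
            flagged.append(url)
    return flagged


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the archive bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_archive(data: bytes, expected_sha256: str) -> bool:
    """True only if the archive's digest matches the published checksum."""
    return sha256_hex(data) == expected_sha256.strip().lower()


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_DESCRIPTION, {"github.com"}):
        print("NOT the expected host:", link)
    # Constructed archive bytes; a real check would read the downloaded file.
    print("checksum ok:", verify_archive(b"abc", sha256_hex(b"abc")))
```

Run it against a real description and the host allowlist for the project you intend to install; a link that fails the host check is exactly the kind of swapped-in archive this campaign relied on, and the checksum step catches a legitimate host that is serving a tampered file.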

Bezvershenko urges YouTube content creators and their viewers to be especially wary, and to treat it as a warning sign, whenever a guide asks them to turn off their antivirus or insists that a file is completely safe.

By Michael Scott
