YouTube bot and BitRAT malware trick users into giving up sensitive information

SISA Weekly Threat Watch - 09 January 2023

Commercial off-the-shelf RATs and other malware have evolved the way they spread and infect victims' systems, increasingly using legitimate infrastructure to host payloads and exfiltrate sensitive data. This week, too, threat actors abused trusted platforms such as YouTube, Google Ads, and crypto wallet apps to lure victims and gain access to critical environments.

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities and campaigns that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action against the latest critical threats.

1. New YouTube bot malware spotted stealing user’s sensitive information

Threat actors are distributing a new YouTube bot malware that artificially inflates video rankings on the site and also harvests confidential data from browsers. Researchers found that the malware is delivered as a 32-bit .NET executable. On execution it first runs an anti-VM check so that it will not run, and therefore cannot be observed, inside the virtual machines researchers use for detection and analysis.

The malware then creates a mutex, so only one copy runs at a time, and registers a Task Scheduler entry to ensure persistence. To automate actions such as watching, liking, and commenting on YouTube videos, the bot launches a browser with attacker-specified settings. It also connects to a C2 server and accepts commands to delete its scheduled task and terminate itself, upload its log files to the C2 server, download and run additional files, and start or stop watching a YouTube video. It is recommended to block access to torrent and warez sites, deploy a Data Loss Prevention (DLP) solution, and enforce multi-factor authentication (MFA) wherever possible to limit the impact of stolen credentials.
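The persistence mechanism above, a scheduled task pointing at a binary the user dropped, is the kind of artefact a SOC can hunt for in Windows Security event 4698 (scheduled task created). The script below is an added example, not code from the advisory or from the malware: it parses the Task Scheduler XML carried in 4698 records and flags tasks whose action runs from a user-writable directory or launches a script host with a script from one. The event records, task names and paths are constructed for the demonstration; the rules are deliberately simple starting points, not a complete detection.

```python
"""Flag user-land scheduled-task persistence in constructed Security 4698 records.

Added example, not from the SISA advisory or the malware it describes.
The events below are constructed samples; in production they would come
from a SIEM or from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698}.
"""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

# Directories a standard user can write to without elevation.  A task whose
# action lives in one of these is worth a closer look (assumption: your
# environment does not legitimately register tasks from these paths).
USER_WRITABLE = re.compile(r"\\(AppData|Local Settings|Temp|Downloads|Public)\\", re.IGNORECASE)

# Script/proxy hosts often used to run a dropped script from a scheduled task.
LOLBINS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Minimal Task Scheduler XML, the shape that event 4698 embeds in TaskContent.
TASK_TEMPLATE = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>{cmd}</Command><Arguments>{args}</Arguments></Exec></Actions>
</Task>"""

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": TASK_TEMPLATE.format(cmd=r"%windir%\system32\defrag.exe", args="-c -h -o")},
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": r"\Updater",
     "TaskContent": TASK_TEMPLATE.format(cmd=r"C:\Users\alice\AppData\Roaming\svc\svchost.exe", args="")},
    {"EventID": 4698, "SubjectUserName": "bob", "TaskName": r"\OneDriveUpdate",
     "TaskContent": TASK_TEMPLATE.format(cmd=r"C:\Windows\System32\WScript.exe",
                                         args=r"C:\Users\bob\AppData\Local\Temp\run.vbs")},
]


def exec_action(task_xml: str) -> tuple[str, str]:
    """Return (command, arguments) of the first <Exec> action, or ("", "") if none."""
    root = ET.fromstring(task_xml)
    exe = root.find(".//t:Actions/t:Exec", NS)
    if exe is None:
        return "", ""
    cmd = exe.findtext("t:Command", default="", namespaces=NS)
    args = exe.findtext("t:Arguments", default="", namespaces=NS)
    return cmd.strip(), args.strip()


def classify(event: dict) -> list[str]:
    """Reasons this event looks like user-land persistence; empty list means no rule fired."""
    reasons: list[str] = []
    if event.get("EventID") != 4698:
        return reasons
    cmd, args = exec_action(event["TaskContent"])
    if USER_WRITABLE.search(cmd):
        reasons.append("task runs a binary from a user-writable directory")
    if cmd.split("\\")[-1].lower() in LOLBINS and USER_WRITABLE.search(args):
        reasons.append("script host launched with a script from a user-writable directory")
    if reasons and not event["TaskName"].startswith("\\Microsoft\\"):
        reasons.append("task registered outside the \\Microsoft\\ tree")
    return reasons


def suspicious_tasks(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """(user, task name, reasons) for every event that trips at least one rule."""
    hits = []
    for ev in events:
        why = classify(ev)
        if why:
            hits.append((ev["SubjectUserName"], ev["TaskName"], why))
    return hits


if __name__ == "__main__":
    for user, name, why in suspicious_tasks(SAMPLE_EVENTS):
        print(f"{user} {name}: {'; '.join(why)}")
```

Scheduled-task creation is only logged when the "Audit Other Object Access Events" subcategory is enabled, so check that first; Sysmon process-creation events for schtasks.exe are a useful fallback.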

2. Hackers steal $8 million from users running trojanized BitKeep apps

Multiple BitKeep crypto wallet users reported that their wallets were emptied over Christmas after attackers triggered transactions that did not require verification. According to the platform, the incident affected users who had installed an unofficial version of the BitKeep app: it is suspected that some APK downloads were hijacked and replaced with packages carrying attacker-implanted code. Around $8 million worth of assets is estimated to have been stolen so far.

BitKeep warns that any wallet address created with the malicious APK should be treated as compromised. Only the official apps from Google Play or the App Store should be installed. Users who installed the trojanized APK are advised to download the official app from Google Play or the App Store, create a new wallet address in it, and move all their funds to that new address.

3. Google’s AdWords massively abused by threat actors

Researchers have discovered a malvertising campaign that uses Google Ads to target people searching for popular software. The campaign, dubbed MasquerAds, is suspected to be the work of a threat actor tracked as Vermux. It distributes trojanized copies of well-known applications that drop malicious payloads on the victim's computer, including information stealers such as Raccoon Stealer and Vidar.

The threat actors registered domains with subtly misspelt names and bought ads so that they appeared at the top of Google search results. The advertised site looks benign to Google's checks, but when a targeted user visits it the server immediately redirects them to the rogue site, where the malicious payload is served, frequently hosted on trusted file-sharing and code-hosting services such as GitHub, Dropbox, and Discord's CDN. Watching for subtle changes to domain names, and running awareness programs within the organization, are among the best practices for staying secure.
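The "subtle changes to domain names" that this campaign relies on can be scored automatically rather than left to users' eyesight. The following is an added example, not code from the advisory or from the researchers who reported MasquerAds: it normalizes a domain's registrable label (collapsing common look-alike substitutions such as "rn" for "m" and "1" for "l"), then measures its edit distance from a list of software brands, with a per-brand threshold so short names like "vlc" only match exactly. The brand list, the allowlist of official domains, and the candidate domains are all constructed for the demonstration; a real deployment would use a public suffix list to find the registrable label and a larger brand inventory.

```python
"""Score domains for look-alike abuse of software brands (typosquat / combosquat).

Added example, not from the SISA advisory.  BRANDS, OFFICIAL and the test
domains are constructed for the demo and are not the MasquerAds domains.
"""
from __future__ import annotations
import unicodedata

BRANDS = ["notepad-plus-plus", "7-zip", "blender", "audacity", "vlc", "grammarly"]
OFFICIAL = {"notepad-plus-plus.org", "7-zip.org", "blender.org",
            "audacityteam.org", "videolan.org", "grammarly.com"}  # assumed allowlist

# Visual substitutions an attacker can use in a label; normalised before comparing.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Fold accents, case, separators and common homoglyphs so look-alikes compare equal."""
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label.replace("-", "").replace("_", "")


def registrable_label(domain: str) -> str:
    """Second-level label; crude without a public suffix list but enough for the demo."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def match_brand(domain: str) -> tuple[str, int] | None:
    """(brand, distance) for the first brand the label imitates, else None.

    A brand embedded in a longer label (vlc-player-download) counts as distance 0;
    otherwise the label must be within a threshold that shrinks for short brands.
    """
    label = normalize(registrable_label(domain))
    for brand in BRANDS:
        b = normalize(brand)
        threshold = min(2, len(b) // 4)
        dist = 0 if b in label else levenshtein(label, b)
        if dist <= threshold:
            return brand, dist
    return None


def is_lookalike(domain: str) -> bool:
    """True when the domain imitates a brand and is not one of its official domains."""
    if domain.lower() in OFFICIAL:
        return False
    return match_brand(domain) is not None


if __name__ == "__main__":
    for d in ["7-zlp.org", "blendar.net", "grarnmarly.com", "vlc-player-download.com",
              "blender.org", "example.com"]:  # constructed candidates
        print(f"{d:28} lookalike={is_lookalike(d)} match={match_brand(d)}")
```

Run it over newly registered domains or proxy logs and route the hits to a review queue; the substring rule is intentionally aggressive, so tune the brand list and allowlist to what your users actually download.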

4. Hackers using stolen bank information to trick victims into downloading BitRAT malware

A remote access trojan (RAT) called BitRAT is being delivered using sensitive data stolen from a bank as the lure in phishing emails. BitRAT is a notorious RAT that has been marketed on underground cybercriminal markets and forums since February 2021. During an investigation, it was found that an adversary had compromised the infrastructure of a Colombian cooperative bank, giving the attacker access to customer data.

This information was used to craft convincing decoy messages that lure victims into opening malicious Excel attachments. The data is said to have been obtained by exploiting SQL injection flaws. The Excel file, which contains the exfiltrated bank records, also embeds a macro that downloads a second-stage DLL payload, which in turn retrieves and executes BitRAT on the compromised host. Users should avoid opening email attachments or clicking embedded links from untrusted sources. Deploying EDR tooling that dynamically detects and responds to the introduction of a RAT on a network endpoint is also recommended.
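Because the lure is an Excel file whose only malicious content is the macro, a mail gateway or analyst can triage it before anyone opens it by looking inside the Office Open XML container. The script below is an added example, not code from the advisory or from the BitRAT campaign: it builds two constructed workbooks in memory (a macro-enabled one whose vbaProject.bin contains downloader-style strings, and a clean one), then checks for the VBA part, the macroEnabled content type, and a handful of indicator strings. The indicator list is a cheap heuristic, since VBA source is stored compressed inside vbaProject.bin; for real analysis use a proper parser such as oletools' olevba.

```python
"""Triage an Office Open XML attachment for embedded VBA before it is opened.

Added example, not from the SISA advisory.  Both archives are constructed
in memory so the script runs offline; they stand in for a macro-laden .xlsm
and a clean .xlsx and are not the BitRAT lure itself.
"""
from __future__ import annotations
import io
import re
import zipfile

MACRO_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"

# Strings typical of downloader macros.  vbaProject.bin keeps source compressed,
# so this is a heuristic, not a parser (assumption: enough survives in clear).
DOWNLOADER_STRINGS = [b"URLDownloadToFile", b"WinHttp", b"MSXML2.XMLHTTP",
                      b"Shell", b"rundll32", b"http://", b"https://"]


def build_workbook(macro: bool, vba_blob: bytes = b"") -> bytes:
    """Construct a minimal OOXML workbook archive (sample data for the demo)."""
    ct = MACRO_CT if macro else PLAIN_CT
    parts = {
        "[Content_Types].xml": (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/xl/workbook.xml" ContentType="{ct}"/>'
            + ('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>' if macro else "")
            + "</Types>"
        ).encode(),
        "xl/workbook.xml": b'<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>',
    }
    if macro:
        parts["xl/vbaProject.bin"] = vba_blob
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def triage(data: bytes) -> dict:
    """What the container reveals: OOXML?, VBA part present?, macro content type?, indicators."""
    result = {"is_ooxml": False, "has_vba": False, "macro_enabled_ct": False, "indicators": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = set(zf.namelist())
    result["is_ooxml"] = "[Content_Types].xml" in names
    if not result["is_ooxml"]:
        return result
    result["macro_enabled_ct"] = b"macroEnabled" in zf.read("[Content_Types].xml")
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    result["has_vba"] = bool(vba_parts)
    for part in vba_parts:
        blob = zf.read(part)
        result["indicators"] += [s.decode() for s in DOWNLOADER_STRINGS
                                 if re.search(re.escape(s), blob, re.IGNORECASE)]
    return result


def verdict(data: bytes) -> str:
    """Policy on top of triage(): block, detonate in a sandbox, or allow."""
    r = triage(data)
    if not r["is_ooxml"]:
        return "not-ooxml"
    if r["has_vba"] and r["indicators"]:
        return "block"
    if r["has_vba"] or r["macro_enabled_ct"]:
        return "sandbox"
    return "allow"


# Constructed samples: the VBA blob mimics what a downloader macro leaves in clear.
SUSPICIOUS_XLSM = build_workbook(
    True, b"\x00Attribute VB_Name = \"Module1\"\x00URLDownloadToFileA\x00https://\x00rundll32\x00")
CLEAN_XLSX = build_workbook(False)

if __name__ == "__main__":
    print("suspicious:", verdict(SUSPICIOUS_XLSM), triage(SUSPICIOUS_XLSM)["indicators"])
    print("clean:     ", verdict(CLEAN_XLSX))
```

Note that the filename extension is not consulted at all: the content type and the presence of the VBA part are what Excel acts on, so a .xlsm renamed to .xlsx is still caught.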

5. Important security fix released for ManageEngine bug

An SQL injection vulnerability was discovered in three Zoho ManageEngine products: Password Manager Pro (secure vault), PAM360 (privileged access management), and Access Manager Plus (privileged session management). The company has released a patch for this critical flaw. Affected versions are Password Manager Pro 12200 and below, PAM360 5800 and below, and Access Manager Plus 4308 and below. As highlighted by the company, the flaw was fixed by adding proper validation and escaping special characters.

The vulnerability (CVE-2022-47523) gives an unauthenticated attacker access to the backend database, allowing them to run custom queries and read database table entries. To remediate it, download the latest upgrade pack and apply the latest build to the existing installation following the upgrade pack instructions.
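The flaw class behind this CVE, and behind the bank compromise in item 4, is the same: user input spliced into query text. The following is an added example, not the ManageEngine code or the vendor's fix, using SQLite as a stand-in backend with a constructed schema. It shows the concatenated query being bent into both an authentication-style bypass and a UNION read of another column (the "custom queries to read table entries" outcome), beside a parameterized version that treats the same input as data, and an allowlist check for the one place parameters cannot help, an identifier such as a sort column. Validation and escaping, as the advisory describes the fix, close the hole; bound parameters remove the possibility in the first place and are the default to reach for.

```python
"""SQL injection on a toy schema: vulnerable concatenation beside the parameterized fix.

Added example, not from the SISA advisory or the ManageEngine products.
Schema, rows, and inputs are constructed for the demonstration.
"""
from __future__ import annotations
import sqlite3


def setup() -> sqlite3.Connection:
    """In-memory database with a 'secret' column the application never means to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE resources(id INTEGER PRIMARY KEY, name TEXT, owner TEXT, secret TEXT);
        INSERT INTO resources VALUES (1, 'prod-db',  'alice', 's3cr3t-a'),
                                     (2, 'fw-admin', 'bob',   's3cr3t-b'),
                                     (3, 'backup',   'alice', 's3cr3t-c');
    """)
    return conn


def search_vulnerable(conn: sqlite3.Connection, owner: str, name_filter: str) -> list[tuple]:
    """String-built SQL: whatever the caller passes becomes part of the query text."""
    sql = (f"SELECT id, name, owner FROM resources "
           f"WHERE owner = '{owner}' AND name LIKE '%{name_filter}%'")
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, owner: str, name_filter: str) -> list[tuple]:
    """Bound parameters: the driver sends input as data, so it can never change the query shape."""
    sql = "SELECT id, name, owner FROM resources WHERE owner = ? AND name LIKE ?"
    return conn.execute(sql, (owner, f"%{name_filter}%")).fetchall()


ALLOWED_SORT = {"id", "name", "owner"}


def list_sorted(conn: sqlite3.Connection, owner: str, sort_col: str) -> list[tuple]:
    """Identifiers cannot be bound, so validate against an allowlist rather than escaping."""
    if sort_col not in ALLOWED_SORT:
        raise ValueError(f"unexpected sort column: {sort_col!r}")
    sql = f"SELECT id, name FROM resources WHERE owner = ? ORDER BY {sort_col}"
    return conn.execute(sql, (owner,)).fetchall()


# Constructed attacker inputs.
BYPASS = "' OR 1=1 -- "   # closes the literal, adds an always-true clause, comments out the rest
UNION_READ = "%' UNION SELECT id, secret, owner FROM resources -- "  # appends a read of 'secret'


def demo() -> dict:
    conn = setup()
    return {
        "vuln_bypass": search_vulnerable(conn, BYPASS, ""),        # every row, owner check gone
        "vuln_union":  search_vulnerable(conn, "bob", UNION_READ),  # secrets returned as 'name'
        "safe_bypass": search_safe(conn, BYPASS, ""),               # no owner literally named that
        "safe_union":  search_safe(conn, "bob", UNION_READ),        # no name containing that string
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:12} -> {rows}")
```

The query under test here is deliberately simple; the bypass input is the standard one (`' OR 1=1 --`), and the UNION input only works because the attacker matched the three-column shape of the original SELECT, which is exactly the kind of probing that unauthenticated access to the query surface permits.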

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
