Hacker YouTube advertises outside the site and secretly spreads Trojan virus

Security firm Doctor Web is issuing a warning to all computer users that a new type of Trojan virus is spreading through YouTube.

The Trojan is designed to steal files and other sensitive information from infected computers that an attacker could use to hijack a victim's social networking site or other online service account.

The Trojan virus, which was detected by the Doctor Web as Trojan.PWS.Stealer.23012, was developed in the Python programming language and infected with computers running the Windows operating system.

Doctor Web says the Trojan's distribution began on March 23, 2018 and continues to this day. Links used to download malicious apps are posted by attackers in the comments section of YouTube videos, most of which appear to promote a game "hanging out."

In fact, this is a popular and widely used way to distribute malware. The content of YouTube videos is mainly used to show the specific effects of using "hanging" in these games, which is undoubtedly tempting for most gamers.

According to Doctor Web, the malicious link points to the Yandex.Disk server (a disk from Russia) from which the victim can download to one. RAR compresses the file.

There is no doubt that the trojan virus mentioned earlier is included in Trojan.PWS.Stealer.23012. To persuade victims to click on links, attackers also create fake YouTube accounts to post "positive reviews."

Doctor Web says that after booting on an infected computer, Trojan.PWS.Stealer.23012 collects the following information:

  • Cookies stored by browsers such as Vivaldi, Chrome, Yandex Browser, Opera, Kometa, Orbitum, Dragon, Amigo and Torch;

  • the username and password saved in the above browser;

  • Screenshot.

In addition, it dumps files from the Windows desktop that contain the following extensions, including .txt, .pdf, .jpg, .png, .xls, .doc, .docx, .sqlite, .db, .sqlite3, .bak, .sql and .xml.

After the information collection is completed, Trojan.PWS.Stealer.23012 saves all collected information to the C:/PG148892HQ8 folder, then packages it and compresses it into a file called "spam.zip", which will eventually be sent to a server controlled by the attacker.