Ethical Hacking News

YouTubers Extorted via Copyright Strikes to Spread Malware: A Growing Concern for Online Safety


Popular YouTubers are being extorted via copyright strikes to spread malware, including cryptocurrency miners, on their videos. This tactic exploits the platform's copyright system and has already affected over 2,000 users in Russia.

  • Threat actors are using copyright strikes on YouTube to coerce popular YouTubers into promoting malware.
  • Copyright strikes are being used to trick creators into including download links for Windows Packet Divert (WPD) tools, which contain cryptominer downloaders.
  • Malicious links from GitHub repositories have reached up to 40,000 downloads before removal from YouTube.
  • The malware campaign has affected over 2,000 victims in Russia, with the actual figure potentially being higher.



In recent months, a disturbing trend has emerged on YouTube, where threat actors are using copyright strikes as a means of coercing popular YouTubers into promoting malware and cryptocurrency miners on their videos. This tactic is not only a brazen attack on online content creators but also a clever exploitation of the platform's copyright system.

For those who may not be familiar with the YouTube copyright policy, here's a brief overview. When a user uploads copyrighted material to YouTube without permission, the platform's automated system flags it for review by human moderators. If the video is deemed to contain unauthorized content, the uploader receives a copyright strike notice, and an account that accumulates three or more strikes can be terminated.

In this case, threat actors are sending bogus copyright claims to YouTubers, claiming that the creators have infringed on their rights by publishing tutorials on how to use Windows Packet Divert (WPD) tools. These tools are popular among Russian users who seek to bypass internet censorship and government-imposed restrictions on websites and online services.

The threat actors pose as the original developers of the WPD tools, file a copyright claim with YouTube, and then contact the creator to offer a resolution: include a download link they provide. However, these links lead to trojanized versions of the WPD tools that contain cryptominer downloaders instead.

In many cases, the creators are coerced into adding links to their videos pointing to GitHub repositories that host the trojanized WPD tools. These malicious links have been known to reach up to 40,000 downloads before they are removed from YouTube.

One notable example of this tactic was a video uploaded by a popular YouTuber with over 400,000 views. The video generated significant revenue through ads and affiliate marketing but also contained the malicious link. In another instance, a Telegram channel with 340,000 subscribers promoted the malware under the same disguise.

According to Kaspersky, a cybersecurity firm that has been monitoring this trend, the malware campaign has affected over 2,000 victims in Russia. However, the overall figure could be much higher, since many users may not report their infections or seek help from security experts.

The malicious archive downloaded from the GitHub repositories contains a Python-based malware loader that is launched via PowerShell from a modified start script ('general.bat'). If the victim's antivirus disrupts this process, the start script displays a 'file not found' error message suggesting that the user disable their antivirus and re-download the file.

The loader executable fetches the second-stage loader only for Russian IP addresses and executes it on the device. The second-stage payload is another executable whose size was bloated to 690 MB to evade antivirus analysis; it also features anti-sandbox and virtual machine checks.

The malware loader turns off Microsoft Defender protections by adding an exclusion and creates a Windows service named 'DrvSvc' for persistence between reboots. Eventually, it downloads the final payload, SilentCryptoMiner, a modified version of XMRig capable of mining multiple cryptocurrencies, including ETH, ETC, XMR, and RTM.

The coin miner fetches remote configurations from Pastebin every 100 minutes so it can be updated dynamically. For evasion, it is loaded into a system process like 'dwm.exe' using process hollowing, and it pauses mining activity when the user launches monitoring tools like Process Explorer and Task Manager.
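A behaviour-based detection for the infection chain described above, written here as an added example (it is not code from the article or from Kaspersky): it runs over constructed endpoint telemetry and flags the indicators the article names, namely PowerShell launched from general.bat, a Microsoft Defender exclusion being added, an oversized second-stage executable, the DrvSvc service, and a system process such as dwm.exe reaching out to Pastebin. The event schema, field names and sample values are assumptions made for illustration.

```python
"""Heuristic detections for the SilentCryptoMiner delivery chain.
Event schema and sample telemetry below are constructed assumptions."""
DEFENDER_EXCLUSIONS = r"software\microsoft\windows defender\exclusions"
SUSPICIOUS_SERVICE = "drvsvc"
HOLLOWING_HOSTS = {"dwm.exe"}      # system process the miner is hollowed into
PASTE_SITES = {"pastebin.com"}     # remote config source named in the article
OVERSIZED_MB = 500                 # second stage was bloated to 690 MB

def detect(events):
    """Return (rule, event) pairs for every event matching an indicator."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            image = ev.get("image", "").lower()
            parent = ev.get("parent_cmdline", "").lower()
            if image.endswith("powershell.exe") and "general.bat" in parent:
                hits.append(("powershell spawned from general.bat", ev))
            if ev.get("image_size_mb", 0) >= OVERSIZED_MB:
                hits.append(("oversized executable launched", ev))
        elif kind == "registry":
            if DEFENDER_EXCLUSIONS in ev.get("key", "").lower():
                hits.append(("Defender exclusion added", ev))
        elif kind == "service":
            if ev.get("name", "").lower() == SUSPICIOUS_SERVICE:
                hits.append(("DrvSvc persistence service created", ev))
        elif kind == "network":
            if (ev.get("image", "").lower() in HOLLOWING_HOSTS
                    and ev.get("host", "").lower() in PASTE_SITES):
                hits.append(("system process fetching config from paste site", ev))
    return hits

SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_cmdline": r'cmd.exe /c "C:\Users\user\Downloads\wpd\general.bat"'},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "value": r"C:\ProgramData\DrvSvc"},
    {"type": "process", "image": r"C:\ProgramData\stage2.exe", "image_size_mb": 690},
    {"type": "service", "name": "DrvSvc", "binary": r"C:\ProgramData\stage2.exe"},
    {"type": "network", "image": "dwm.exe", "host": "pastebin.com", "port": 443},
    {"type": "network", "image": "chrome.exe", "host": "pastebin.com", "port": 443},  # benign
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {ev}")
```

Each rule alone is weak (a user visiting Pastebin in a browser is not flagged), but several of them firing on one host within a short window is a strong signal worth an alert.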

This malicious campaign primarily targets Russian users but could potentially be adapted for broader-scoped operations that deliver higher-risk malware like info-stealers or ransomware.

As the online landscape continues to evolve, it is essential for YouTubers, security experts, and ordinary users to remain vigilant. Users should avoid downloading software from URLs in YouTube videos or descriptions, especially from smaller to medium-sized channels that are more susceptible to scams and blackmail.

In conclusion, the use of copyright strikes as a means of coercing YouTubers into promoting malware is a concerning trend that highlights the need for improved cybersecurity awareness. By staying informed and taking proactive measures, we can all play a role in protecting ourselves from falling prey to these malicious tactics.



Related Information:
  • https://www.ethicalhackingnews.com/articles/YouTubers-Extorted-via-Copyright-Strikes-to-Spread-Malware-A-Growing-Concern-for-Online-Safety-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/youtubers-extorted-via-copyright-strikes-to-spread-malware/


  • Published: Sat Mar 8 10:11:20 2025 by llama3.2 3B Q4_K_M