PennyWise crypto-theft malware spreads through YouTube
A new strain of crypto-stealing malware is spreading through YouTube, tricking users into downloading software designed to steal data from more than 30 browsers and cryptocurrency applications, including crypto wallets and crypto browser extensions.
Cyber intelligence company Cyble said in a blog post on June 30 that it had been tracking the malware, known as “PennyWise” (probably named after the monster in Stephen King’s horror novel “It”), since it was first identified in May.
“Our investigation indicates that the stealer is a nascent threat,” Cyble wrote.
“In its current iteration, this stealer can target over 30 browsers and cryptocurrency applications such as cold crypto wallets, crypto browser extensions, etc.”
The data stolen from the victim’s system includes Chromium and Mozilla browser data, including cryptocurrency extension data and saved login credentials. The malware can also take screenshots and steal session data from chat applications such as Discord and Telegram.
The malware also targets cold crypto wallets such as Armory, Bytecoin, Jaxx, Exodus, Electrum, Atomic Wallet, Guarda and Coinomi, as well as wallets that support Zcash and Ethereum, by searching the wallets’ data directories for wallet files and sending copies of those files to the attackers, according to Cyble.
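The wallet-file discovery step described above is simple to model, and knowing which of these directories exist on a machine tells a defender exactly what a stealer of this kind would exfiltrate. The Python script below is an added illustration, not code from PennyWise or from Cyble’s report. The wallet data locations it searches are assumptions based on common Windows defaults for these wallets (they vary by version and platform), and the directory tree it scans is constructed in a temporary folder so the script runs offline.

```python
"""Model of infostealer-style wallet-file discovery (added example).

Assumed wallet data locations (relative to the user's AppData folder) are
placeholders based on common Windows defaults; they are not taken from the
article or from Cyble's analysis and may differ on a real system.
"""
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Assumed locations: wallet name -> path components under AppData.
WALLET_LOCATIONS: Dict[str, Tuple[str, ...]] = {
    "Armory": ("Roaming", "Armory"),
    "Bytecoin": ("Roaming", "bytecoin"),
    "Jaxx": ("Roaming", "com.liberty.jaxx"),
    "Exodus": ("Roaming", "Exodus"),
    "Electrum": ("Roaming", "Electrum", "wallets"),
    "Atomic Wallet": ("Roaming", "atomic"),
    "Guarda": ("Roaming", "Guarda"),
    "Coinomi": ("Local", "Coinomi"),
    "Zcash": ("Roaming", "Zcash"),
    "Ethereum": ("Roaming", "Ethereum", "keystore"),
}


def find_wallet_artifacts(appdata: Path) -> Dict[str, List[str]]:
    """Return {wallet name: [files found under its assumed data dir]}.

    Only wallets whose directory exists and contains at least one file are
    reported, which is the set a stealer would actually copy out.
    """
    found: Dict[str, List[str]] = {}
    for name, parts in WALLET_LOCATIONS.items():
        wallet_dir = appdata.joinpath(*parts)
        if not wallet_dir.is_dir():
            continue
        files = sorted(
            p.relative_to(appdata).as_posix()
            for p in wallet_dir.rglob("*")
            if p.is_file()
        )
        if files:
            found[name] = files
    return found


def build_demo_tree() -> Path:
    """Create a constructed AppData-like tree with a few dummy wallet files."""
    root = Path(tempfile.mkdtemp(prefix="appdata_demo_"))
    # Constructed sample files; contents are placeholders, not real wallets.
    samples = [
        ("Roaming/Exodus/exodus.wallet", b"dummy-exodus"),
        ("Roaming/Electrum/wallets/default_wallet", b"dummy-electrum"),
        ("Local/Coinomi/wallets/wallet.db", b"dummy-coinomi"),
        ("Roaming/Ethereum/keystore/UTC--constructed--0000", b"dummy-keystore"),
        # A non-wallet application directory that must be ignored.
        ("Roaming/SomeOtherApp/settings.json", b"{}"),
    ]
    for rel, content in samples:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    # An empty wallet directory is present but holds nothing to steal.
    (root / "Roaming" / "Guarda").mkdir(parents=True, exist_ok=True)
    return root


def demo() -> Dict[str, List[str]]:
    """Scan the constructed tree and return what a stealer would find."""
    return find_wallet_artifacts(build_demo_tree())


if __name__ == "__main__":
    for wallet, files in demo().items():
        print(f"{wallet}: {files}")
```

Run against a real profile by passing the user’s AppData path to `find_wallet_artifacts`; any directory it reports is a candidate for file-access auditing or an EDR rule that alerts when a process other than the wallet itself reads from it.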
Cyble noted that the malware is being distributed through YouTube videos posing as mining tutorials and offering what they claim is free Bitcoin mining software.
The cybercriminals upload videos instructing viewers to follow the link in the description and download the free software, while encouraging them to disable their antivirus software, which allows the malware to run unhindered.
Cyble said the attacker had as many as 80 videos on their YouTube channel as of June 30, but the identified channel has since been removed.
A search by Cointelegraph found similar links to malware on other smaller YouTube channels, with videos promising free NFT mining, paid software cracks, free Spotify premium, game cheats and mods.
Many of these accounts were created within the previous 24 hours.
Related: Bitcoin-stealing malware: Bitter reminder for crypto users to be vigilant
Interestingly, the malware is designed to terminate if it detects that the victim is based in Russia, Ukraine, Belarus or Kazakhstan. Cyble also found that the malware converts the victim’s stolen time zone data to Russian Standard Time (RST) before sending it back to the attackers.
In February, malware called Mars Stealer was identified as targeting cryptocurrency wallets that run as Chromium browser extensions, such as MetaMask, Binance Chain Wallet or Coinbase Wallet.
Chainalysis warned in January that even “low-skilled cybercriminals” now use malware to take funds from crypto holders, with cryptojacking accounting for 73% of the total value received by malware-related addresses between 2017 and 2021.