Global Crypto Market

  • Market Cap: $1,129,400,285,770.36
  • 24h Vol: $114,158,813,766.47
  • BTC Dominance: 39.52%

PennyWise malware on YouTube targets cryptocurrency wallets and browsers – TechRepublic

Register for your free TechRepublic membership or if you are already a member, sign in using your preferred method below.
We recently updated our Terms and Conditions for TechRepublic Premium. By clicking continue, you agree to these updated terms.
Invalid email/username and password combination supplied.
An email has been sent to you with instructions on how to reset your password.
By registering, you agree to the Terms of Use and acknowledge the data practices outlined in the Privacy Policy.
You will also receive a complimentary subscription to TechRepublic’s News and Special Offers newsletter and the Top Story of the Day newsletter. You may unsubscribe from these newsletters at any time.
All fields are required. Username must be unique. Password must be a minimum of 6 characters and have any 3 of the 4 items: a number (0 through 9), a special character (such as !, $, #, %), an uppercase character (A through Z) or a lowercase (a through z) character (no spaces).
PennyWise malware on YouTube targets cryptocurrency wallets and browsers
Your email has been sent
Learn more about how this stealer malware operates and how to protect yourself from it now.
A new stealer dubbed PennyWise by its developers has appeared recently, exposed by Cyble Research Labs. The researchers observed multiple samples of the malware in the wild, making it an active threat. The threat focuses on stealing sensitive browser data and cryptocurrency wallets, and it comes as the Pentagon has raised concerns about the blockchain.
The malware pretends to be a free Bitcoin mining application, which advertises and can be downloaded via a Youtube video (Figure A).
Figure A
While this screen capture shows a very limited number of visitors, Cyble has observed over 80 videos on YouTube for mass infection, all stored on the threat actor’s YouTube channel.
As the users watch the video, they are enticed to download a password-protected archive file, which contains the advertised Bitcoin mining software, but which is in fact the PennyWise malware.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
The use of a password-protected archive is a known social engineering method for enforcing trust, as users tend to be less suspicious when content is password-protected.
In an additional attempt to appear more legitimate, the threat actor adds a link to VirusTotal which shows antivirus results for a clean file that is not the malware. The threat actor also mentions the user might need to turn off his antivirus if he is not allowed to download the file but that it is completely safe (Figure B).
Figure B
The archive file contains an installer for PennyWise, which executes it before the malware starts communicating with its command and control server.
The malware is obfuscated with an unknown crypter tool and uses multithreading to be more efficient in stealing data.
Once running, the malware obtains the path for several different browsers it targets:
The malware then grabs the username, the machine name, the system language and timezone from the victims operating system. The timezone is converted to Russian Standard Time.
Another geographical characteristic comes when the malware tries to identify the victim’s country. It completely stops all operations if the country is one of the following:
This could be an indication that the threat actor might want to avoid law enforcement agencies in these particular countries.
In addition, the malware grabs the graphic driver and processor name and saves everything in a hidden folder in the AppDataLocal directory.
Once this is done, the malware attempts to determine in which kind of environment it is running by using anti-analysis and anti-detection tricks. If it runs in a virtual machine, it stops.
More checks are done to determine what antivirus or sandbox might be running, and the malware checks a predefined list of process names related to analysis tools such as wireshark, fiddler and tcpview.
Once the malware has done all the checks, it starts multithreading for efficiency. Over 10 threads are created, each one in charge of a different operation.
The malware only steals RTF, DOC, DOCX, TXT and JSON files smaller than 20kb. The files are saved in a folder “grabber” in the hidden folder infrastructure created by the malware.
The malware also lists all installed software on the system.
All known browser data is stolen if the malware detects a browser it knows, including login credentials, cookies, encryption keys and master passwords.
Discord tokens and Telegram sessions are also stolen, and a screenshot of the user’s screen is taken.
The registry is then queried in a hunt for cryptocurrency wallets such as Litecoin, Dash and Bitcoin before targeting cold storage wallets such as Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic Wallet, Guarda and Coinomi. Wallet files are stolen from a list of predefined folders. Cryptocurrency extensions in Chrome-based browsers are also targeted.
Once all the collection is done, it is compressed and sent over to an attacker-controlled server before being deleted from the computer.
Software should never be downloaded from unverified or untrustworthy sources. Software should always be downloaded from legitimate websites after a careful check from the user.
Users should also never disable their antivirus for the purpose of installing a new application. A malicious detection from the antivirus should be a serious warning to the user. The antivirus or security product running on the computer should always be kept patched along with all other software and the operating system itself.
The storage of credentials should be avoided in the browser. Instead, a password manager should be used, with one different password for every website or online service. Multi-factor authentication should be deployed when possible so that when a cybercriminal is in possession of valid credentials, they could not use it to use any online service.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
PennyWise malware on YouTube targets cryptocurrency wallets and browsers
Your email has been sent
Your message has been sent
TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.
A new report reveals that blockchain is neither decentralized nor updated.
With so many agile project management tools available, it can be overwhelming to find the best fit for you. We’ve compiled a list of ten tools you can use to take advantage of agile within your organization.
The best code will run for decades, says Amazon CTO Werner Vogels. How can you make sure your code will last?
Learn about the new features available with iOS 16, and how to download and install the latest version of Apple’s mobile operating system.
The online learning platform’s new course teaches the fundamentals of ML with less emphasis on math.
IIoT software assists manufacturers and other industrial operations with configuring, managing and monitoring connected devices. A good IoT solution requires capabilities ranging from designing and delivering connected products to collecting and analyzing system data once in the field. Each IIoT use case has its own diverse set of requirements, but there are key capabilities and …
Recruiting an Operations Research Analyst with the right combination of technical expertise and experience will require a comprehensive screening process. This Hiring Kit provides an adjustable framework your business can use to find, recruit and ultimately hire the right person for the job.This hiring kit from TechRepublic Premium includes a job description, sample interview questions …
The digital transformation required by implementing the industrial Internet of Things (IIoT) is a radical change from business as usual. This quick glossary of 30 terms and concepts relating to IIoT will help you get a handle on what IIoT is and what it can do for your business.. From the glossary’s introduction: While the …
Procuring software packages for an organization is a complicated process that involves more than just technological knowledge. There are financial and support aspects to consider, proof of concepts to evaluate and vendor negotiations to handle. Navigating through the details of an RFP alone can be challenging, so use TechRepublic Premium’s Software Procurement Policy to establish …


Leave a Comment

Your email address will not be published.