Cybercriminals are actively sending bogus copyright claims to YouTubers, aiming to coerce them into promoting malware and cryptocurrency miners on their videos.
These threat actors exploit the rising popularity of Windows Packet Divert (WPD) tools, which are increasingly used in Russia due to their ability to help users bypass internet censorship and government-imposed restrictions on websites and online services.
Since YouTube creators catering to this audience often publish tutorials on how to use various WPD-based tools for circumventing censorship, they have become prime targets for attackers posing as the copyright holders of these tools.
Kaspersky has observed that, in most cases, the threat actors falsely claim to be the original developers of the restriction bypass tool showcased in the videos. They file a copyright claim with YouTube and then contact the creator, offering a supposed resolution: include a download link they provide.
Meanwhile, they threaten that failure to comply will result in two additional “strikes” on YouTube, which could ultimately lead to a channel ban under the platform’s “three strikes” policy.
In other instances, the attackers bypass the copyright claim process altogether and directly approach the creators, impersonating the tool’s developers. They falsely claim that the original tool has a new version or download link, urging the creator to update their video accordingly.
Message threat actors send to YouTubers
Source: Kaspersky
Fearing the loss of their channels, creators often give in to the threat actors’ demands and agree to add links in their videos directing viewers to GitHub repositories allegedly hosting Windows Packet Divert (WPD) tools. However, these links actually lead to trojanized versions that contain a cryptominer downloader.
Kaspersky has identified one instance where attackers promoted these compromised WPD tools through a YouTube video that amassed over 400,000 views, resulting in the malicious link being downloaded 40,000 times before its removal.
Additionally, a Telegram channel with 340,000 subscribers has been used to promote the malware under the same deceptive guise.
According to Kaspersky’s telemetry, this malware campaign has already impacted more than 2,000 victims in Russia, although the true number of affected users could be much higher.
Telegram channel (left) and YouTube video (right) promoting the cryptominer
Source: Kaspersky
SilentCryptoMiner deployment
The malicious archive downloaded from the GitHub repositories contains a Python-based malware loader that is launched using PowerShell via a modified start script (‘general.bat’).
If the victim’s antivirus disrupts this process, the start script delivers a ‘file not found’ error message suggesting that the user disables their antivirus and re-download the file.
The executable fetches the second-stage loader only for Russian IP addresses and executes it on the device.
The second stage payload is another executable whose size was bloated to 690 MB to evade antivirus analysis, while it also features anti-sandbox and virtual machine checks.
The malware loader turns off Microsoft Defender protections by adding an exclusion and creates a Windows service named ‘DrvSvc’ for persistence between reboots.
Eventually, it downloads the final payload, SilentCryptoMiner, a modified version of XMRig capable of mining multiple cryptocurrencies, including ETH, ETC, XMR, and RTM.
The coin miner fetches remote configurations from Pastebin every 100 minutes so it can be updated dynamically.
For evasion, it is loaded into a system process like ‘dwm.exe’ using process hollowing and pauses mining activity when the user launches monitoring tools like Process Explorer and the Task Manager.
Although the campaign discovered by Kaspersky primarily targets Russian users, the same tactics may be adopted for broader-scoped operations that also deliver higher-risk malware like info-stealers or ransomware.
Users should avoid downloading software from URLs in YouTube videos or descriptions, especially from smaller to medium-sized channels that are more susceptible to scams and blackmail.
Source: BleepingComputer, Bill Toulas
