Instead of offering access to pirated software, AI-created personas guide viewers to video descriptions containing links riddled with info-stealing malware, a Monday report from AI threat intelligence firm CloudSEK said. CloudSEK threat intelligence researcher and co-author of the report, Pavan Karthick M, said that such threats might have “devastating” repercussions. “The threat of infostealers is rapidly evolving and becoming more sophisticated, leaving users vulnerable to devastating consequences,” Karthick said. “In a concerning trend, these threat actors are now utilizing AI-generated videos to amplify their reach, and YouTube has become a convenient platform for their distribution.” According to CloudSEK’s report, researchers have noted a 200 to 300 percent “month-on-month” spike in such schemes since November 2022. The links lead victims to notorious info-stealers like Raccoon, RedLine, Vidar, and others. In one example, in March 2022, hackers duped victims into downloading RedLine stealer via YouTube videos related to the popular Windows game Valorant. The videos are “tutorials on how to download cracked versions of the software such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and other products that are licensed products available only to paid users,” CloudSEK said. High-end software like this can cost thousands of dollars a year for a paid subscription.

To spread the infostealers, cybercriminals first recruit co-conspirators, known as “traffers,” in the underground community. Then, they create content like audio walkthroughs, screen recordings, and videos with AI-generated personas almost indistinguishable from real people. Videos are reportedly created with AI video makers like D-ID and Synthesia and are distributed not only on YouTube, but also on social media platforms like Instagram and Twitter. Confirming the threat of AI in the wrong hands, Principal Security Engineer at HYAS, Jeff Sims, told VPNOverview that generative AI could be used to create a new breed of cyber threat. Once a user clicks on a YouTube link and mistakenly infects themselves with an info-stealer, the malware can scan the device and steal information like bank account numbers, login credentials, crypto wallet data, browser history, location data, and, in the case of RedLine and Vidar, IP addresses. Stolen information is then relayed to “underground forums, Telegram channels, and to other groups that spread stealer malware,” the CloudSEK report said. “The developers are responsible for developing and updating the malware code to ensure that antivirus and other endpoint detection systems do not detect the stealer when it is downloaded to a computer,” the report said. Furthermore, CloudSEK said cybercrooks are tuning their SEO (search engine optimization) to ensure victims easily find malware-laden videos in an online search.

SEO Optimization, Frequent Uploads, Obfuscation

YouTube, the world’s largest streaming video platform, deletes accounts once they have been flagged or reported by users. “Hence threat actors are always looking for new ways to circumvent the platform’s algorithm and review process,” the report said. One way cybercriminals try to avoid this is by taking over existing YouTube accounts to appear legitimate, targeting both “educated [and vice versa] and active users” on popular and small channels alike. They then fill the compromised account with five to six videos. CloudSEK said it observed five to ten “crack software download videos” being uploaded every hour on YouTube, a rate that compensates for videos that are taken down or deleted and ensures victims can find such videos at any given time. The SEO techniques include “an exhaustive list of tags that will deceive the YouTube algorithm to recommend the video and ensure it appears as one of the top results,” the report said. Tag keywords are relevant to the software, but can also be random words in various languages. Cybercrooks also slip past YouTube’s defenses by hiding malware links behind URL shorteners such as bit.ly or cutt.ly, the report said. Other popular hosts in the infection chain are Google Drive, www.mediafire.com, and even Discord and GitHub. CloudSEK also noted that cybercriminals always fill their videos’ comment sections to create the illusion of legitimacy, boasting about how the cracked software worked for them.

How to Stop Infostealer Malware

The consequences of falling victim to infostealers are far-reaching. In December 2022, leading VPN provider NordVPN found that data stolen by info-stealing malware variants such as Vidar and RedLine could easily end up on the dark web. Researchers at the VPN service discovered the data of 4.9 million people on bot marketplaces. Though video platform scams and similar social media schemes have been around for some time, AI-generated scams are relatively new. To avoid falling into a trap, always lock down your accounts with two-factor authentication at a minimum, and never click on unknown links or emails. You can often spot a scam YouTube video by checking its comments, which will appear fake, repetitive, and automated. “As a result, it is absolutely critical that users exercise extreme caution when downloading software and avoid any suspicious links or videos at all costs,” Karthick said, adding that these infections can easily lead to identity theft, as well as harming victims financially and socially. Finally, we recommend you check out our top antivirus solutions with built-in internet encryption to guard you against malware infections.
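As an added example (not from the CloudSEK report or this article), here is a defender-side triage heuristic that scores a video’s description, tags and comments against the indicators described in the two sections above: shortened links, file-hosting links, cracked-software keywords, exhaustive tag lists and repetitive, automated-looking comments. The shortener and file-host domains come from the article; the keyword list, thresholds and sample metadata are my own assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Indicators taken from the article: link shorteners and file hosts seen in
# the infection chain. Thresholds below are my own assumptions, not CloudSEK's.
SHORTENERS = {"bit.ly", "cutt.ly"}
FILE_HOSTS = {"drive.google.com", "www.mediafire.com", "mediafire.com",
              "cdn.discordapp.com", "discord.com", "github.com"}
CRACK_WORDS = re.compile(r"\b(crack(ed)?|keygen|free download|activator)\b", re.I)
URL_RE = re.compile(r"https?://[^\s)\]>\"']+")
TAG_LIMIT = 20          # "exhaustive list of tags"; the cutoff is assumed
REPETITION_LIMIT = 0.5  # share of duplicate comments that looks automated

def extract_domains(text):
    """Hostnames of every http(s) URL found in a description."""
    return [urlparse(u).netloc.lower() for u in URL_RE.findall(text)]

def comment_repetition(comments):
    """Fraction of comments that duplicate another after normalising case/punctuation."""
    if not comments:
        return 0.0
    norm = [re.sub(r"[^a-z0-9 ]", "", c.lower()).strip() for c in comments]
    dup = sum(n - 1 for n in Counter(norm).values() if n > 1)
    return dup / len(norm)

def score_video(description, comments, tags):
    """Return the list of report-described indicators present in the video metadata."""
    findings = []
    domains = extract_domains(description)
    if any(d in SHORTENERS for d in domains):
        findings.append("shortened link in description")
    if any(d in FILE_HOSTS for d in domains):
        findings.append("file-hosting link in description")
    if CRACK_WORDS.search(description) or any(CRACK_WORDS.search(t) for t in tags):
        findings.append("cracked-software keywords")
    if len(tags) >= TAG_LIMIT:
        findings.append("excessive tag count")
    rep = comment_repetition(comments)
    if rep >= REPETITION_LIMIT:
        findings.append(f"repetitive comments ({rep:.0%})")
    return findings

# Constructed sample metadata, not taken from the report.
DESC = ("Photoshop 2023 FREE download (cracked) https://bit.ly/xyz123 "
        "mirror: https://www.mediafire.com/file/abc")
COMMENTS = ["Works perfect thanks!!", "works perfect, thanks", "great",
            "Works perfect thanks", "Works perfect thanks!!!"]
TAGS = ["photoshop", "crack"] + [f"keyword{i}" for i in range(25)]
```

Running `score_video(DESC, COMMENTS, TAGS)` on the constructed sample reports all five indicators; a legitimate tutorial with a vendor link, a handful of distinct comments and a few tags reports none.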
