Social engineering is the main weapon of attack, being much more important than malware itself.
Recently a series of major attacks has hit major Brazilian YouTube channels, such as Angry, a channel over 11 years old and one of the largest in the gaming niche, and Peter Jordan's Ei Nerd channel, with over 10.8 million subscribers. The problem is attracting the attention of YouTubers of all sizes, precisely because of the risk of losing a channel to such a scam.
The "ethical hacker" Gabriel Pato has published an analysis of the malware that may have been used to attack the channels. Gabriel explained a little about how the virus works (simple though it is), where it comes from, what types of information it steals, and what strategies were used to infect YouTubers.
It is worth mentioning that malware attacks of this kind are neither isolated nor new: the attack has happened countless times and has even generated legal problems for YouTube.
Just as happened with YouTube channels abroad, and in past examples here in Brazil, the main goal of the attacks is to use the channels as a bridge between their subscribers and a classic scam that steals cryptocurrency.
Hacker attack demonstrates knowledge and sophistication
One of the most interesting points of the attacks is that everything is done through a phishing tactic with a certain level of sophistication. The first wave of attacks, which ended up taking over some medium-sized channels, focused on the gaming niche, precisely to give more credibility to the tactic and to all the conversation that led up to the final attack.
Unlike most phishing attacks on the Internet, where millions of messages are sent to users in the hope that someone makes a mistake, the YouTube hackers use a targeted, direct strategy.
Until recently they had been looking for gaming channels, passing themselves off as independent game developers and offering test keys and paid advertising opportunities. Bruno Correa, a YouTuber with 7.15 million subscribers, told on his channel how someone pretending to be the Slormite developer tried to scam him.
In the video he also says that in one week three scam attempts were made against him, all of them by people posing as independent developers. In one of the e-mails, posing as the developer of Spelunky 2, the "company" offered $9,500 for the production of the video, plus a key to the game.
The problem became so common that even independent developers began to alert players and content creators about the risk of scams and the use of fake emails used by scammers.
Social engineering is the main weapon of the attack, far more important than the malware itself. One of the main reasons for the group's success is the use of phishing domains in their e-mails, together with language consistent with the normal business activity around YouTube.
Fake e-mails and fluent industry language are part of the YouTube hack scam
The scam starts with contact by e-mail or WhatsApp and, unlike simpler scams, the language is very similar to the kind of conversation that actually happens between content creators and developers.
There are mentions about the embargo (period in which no information about the game can be disclosed) and several other terms that, even for those who are already used to this niche, give credibility to the whole conversation.
In a video explaining what happened to his channel and how it was hacked, Angry revealed that it was exactly this PDF that led him into error and caused serious damage to his channel (which has since been recovered).
What is interesting are the e-mail addresses used by the hackers. Previously they used @gmail.com addresses, but to make it even more likely that content creators would be fooled, they recently started buying their own domains.
In the case of the virus that stole Angry's channel, the e-mail was sent from an address at the domain @cyberpunk2077.icu. Other creators received contact from @cdprojektred.media.
As you can see on the official website of CD Projekt Red, the company's official e-mail domain is @cdprojekt.com.
As you can see, the similarity is enough to fool people who are not paying close attention.
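The lookalike domains above are easy to miss by eye, but simple to flag automatically. The following Python example is added here and is not from the original article: it classifies the sender of an incoming e-mail against an allowlist of official domains (only cdprojekt.com is named on the page; the free-mail list, brand tokens and similarity threshold are assumptions chosen for illustration) and flags domains that embed a brand name or are a near-miss spelling of an official one.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allowlist: the article states CD Projekt Red's official mail domain is cdprojekt.com.
OFFICIAL_DOMAINS = {"cdprojekt.com"}
# Free webmail providers: a "publisher" writing from one of these is a red flag, not proof of fraud.
FREEMAIL_DOMAINS = {"gmail.com"}
# Brand strings a legitimate third party would not normally register as its own domain (assumed list).
BRAND_TOKENS = ("cdprojekt", "cyberpunk")
# Similarity above which a domain label is treated as a typosquat of an official label (assumed value).
SIMILARITY_THRESHOLD = 0.8


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain of the address in a From: header; the display name is ignored."""
    _display, address = parseaddr(header_value)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower().strip(".")


def registrable_label(domain: str) -> str:
    """First label of the domain, e.g. 'cyberpunk2077' for 'cyberpunk2077.icu' (assumes no subdomains)."""
    return domain.split(".")[0]


def classify_sender(header_value: str) -> str:
    """Classify a From: header as official, freemail, lookalike, unknown or invalid."""
    domain = sender_domain(header_value)
    if not domain:
        return "invalid"
    if domain in OFFICIAL_DOMAINS:
        return "official"
    if domain in FREEMAIL_DOMAINS:
        return "freemail"
    label = registrable_label(domain)
    # Brand name embedded in a non-official domain (cdprojektred.media, cyberpunk2077.icu).
    if any(token in label for token in BRAND_TOKENS):
        return "lookalike"
    # Near-miss spelling of an official label (e.g. cdproject vs cdprojekt).
    for official in OFFICIAL_DOMAINS:
        ratio = SequenceMatcher(None, label, registrable_label(official)).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers modelled on the addresses the article describes.
    for hdr in ("pr@cdprojekt.com", "CD PROJEKT RED <press@cyberpunk2077.icu>", "partners@cdprojektred.media"):
        print(f"{hdr!r:45} -> {classify_sender(hdr)}")
```

A "lookalike" or "freemail" verdict is a reason to verify the contact through the company's published channels before opening any attachment, not a final judgement on its own.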
How does the malware that brought down the Angry Channel work?
According to the investigation carried out by Gabriel Pato, the malware used in the recent attacks is known as RedLine, a Russian tool well known in the underground and widely sold on hacking forums.
RedLine acts as a "stealer", almost an evolution of the keylogger. The term means exactly what it says: the tool specializes in stealing different kinds of information and can be adapted for different campaigns.
It can be found on Russian forums for about $200 per month (subscription plan). Among its features, it can steal passwords and data saved in browsers, credit card numbers and passwords, and information about the system and the user, and it was recently updated to also steal cryptocurrency wallets.
Returning to Gabriel Pato’s investigation, he discovered which server the virus communicates with once it is installed on the victim’s machine.
By analyzing the malware, Pato determined that it does not use all of its capabilities on infected computers. This RedLine build is programmed only to search for and steal browser data (cookies, saved passwords, location, etc.) and to take a screenshot of the user's screen.
To make matters worse, RedLine has a series of barriers and features to evade simple antivirus analysis. Windows Defender and even other scanners are not able to tell that there is something wrong inside the downloaded file.
All this data is compiled in a single file and sent directly to the control server indicated just above. But why are hackers interested in this data?
Well, the answer is simple, the most important information for this virus is the browser cache data and cookies.
The YouTube hackers' malware can bypass two-factor authentication
During the attacks, many asked whether the YouTubers were using two-factor authentication (2FA) to protect themselves. The problem is that, because of the way RedLine works, it can get past two-factor authentication: it steals not only the password but also the cookies and cached session data that let the hacker impersonate the victim's already authenticated session.
Since 2FA is required only for new logins, and RedLine steals the data from sessions where the login has already been completed and authenticated, no new authentication is requested. Within a few minutes the hacker can change every password he wants, without meeting any kind of barrier.
The malware may be used in a campaign against make-up channels
Also through his investigation, Gabriel Pato discovered that one of the domains (cyberpunk2077.icu) was registered with another e-mail address, firstname.lastname@example.org, probably a fake address or one stolen from someone in order to register the domains for the scam. What he noticed is that new domains were recently registered under that address, all impersonating make-up brands:
Given this, there is a high probability that the next wave of attacks will target the influencers and content creators who talk about make-up and may have contact with these companies.
And in the end, why are they hacking YouTube channels?
A new game had been released, Cyberpunk 2077, so the owners of gaming channels became the hackers' targets. The tactic is social engineering: offer some kind of partnership and ask the channel owners to install software, which in this case is the virus.
The purpose of the scam is to run a second scam, this time with cryptocurrency, through the classic "send x Bitcoins and we will send double", something that never happens, of course.
The stolen channels have their names changed and stream endless live broadcasts with these promises of free Bitcoin for anyone who sends a quantity of coins to a certain wallet.
It is not known whether the person stealing the accounts is the same person who runs the Bitcoin scam, or whether access to these channels is sold on the black market to anyone interested in running this kind of strategy.