# Massive campaign uses YouTube to push password- stealing malware **[bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/](https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/)** Lawrence Abrams By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) October 21, 2021 05:10 PM 0 Widespread malware campaigns are creating YouTube videos to distribute passwordstealing trojans to unsuspecting viewers. Password stealing trojans are malware that quietly runs on a computer while stealing passwords, screenshots of active windows, cookies, credit cards stored in browsers, FTP credentials, and arbitrary files decided by the threat actors. When installed, the malware will communicate with a Command & Control server, where it waits for commands to execute by the attacker, which could entail the running of additional malware. ## Malicious YouTube videos gone wild ----- [Threat actors have long used YouTube videos as a way to distribute malware through](https://www.bleepingcomputer.com/news/security/youtube-cryptocurrency-videos-pushing-info-stealing-trojan/) embedded links in video descriptions. However, this week has [Cluster25 security researcher Frost told BleepingComputer that](https://cluster25.io/) there has been a significant uptick in malware campaigns on YouTube pushing various password-stealing Trojans. Frost told BleepingComputer that it is likely two clusters of malicious activity being conducted simultaneously - one pushing the RedLine malware and the other pushing Racoon Stealer. The researcher said that thousands of videos and channels had been made as part of this massive malware campaign, with 100 new videos and 81 channels created in just twenty minutes. Frost explained that the threat actors use the Google accounts they steal to launch new YouTube channels to spread malware, creating a never-ending and ever-growing cycle. "The threat actors have thousands of new channels available because they infect new clients every day. As part of these attacks, they steal victim's Google credentials, which are then used to create new YouTube Videos to distribute the malware," Frost told BleepingComputer. The attacks start with the threat actors creating numerous YouTube channels filled with videos about software cracks, licenses, how-to guides, cryptocurrency, mining, game cheats, VPN software, and pretty much any other popular category. ----- **Example of a malicious YouTube channel** These videos contain content that explains how to perform a task using a specific program or utility. Additionally, the YouTube video's description includes an alleged link to the associated tool used to distribute the malware. ----- **Malicious YouTube video pushing RedLine stealer** If a video contains a bit.ly link, it will lead to another file-sharing site hosting the RedLine password-stealing malware infection. However, if it includes an unshortened domain, it will redirect to a page on the taplink[.]cc domain to push Racoon Stealer, as shown below. ----- **Landing page for the Racoon Stealer** Once a user becomes infected, the malware will proceed to scan all installed browsers and the computer for cryptocurrency wallets, credit cards, passwords, and other data and upload it back to the attacker. Google told BleepingComputer that they are aware of the campaign and are taking action to disrupt the activity. "We are aware of this campaign and are currently taking action to block activity by this threat actor and flagging all links to Safe Browsing. As always, we are continuously improving our detection methods and investing in new tools and features that automatically identify and stop threats like this one. It is also important that users remain aware of these types of threats and take appropriate action to further protect themselves." - Google. Google also disclosed this week a phishing campaign that distributed password-stealing trojans used to steal the accounts of YouTube Creators. These accounts were then sold on dark web markets or used to perform cryptocurrency scams. ## Downloading software can be dangerous ----- These campaigns illustrate how important it is not to download programs from the Internet haphazardly, as sites like YouTube can not vet every link added by video publishers. Therefore, a user should research a site before downloading and installing anything from it to determine if they have a good reputation and can be trusted. Even then, it is always suggested that you first upload the program to a site like VirusTotal to confirm if it's safe to run. If you have accidentally fallen for this attack and installed a program from a similar link, it is strongly suggested that you scan your computer with an antivirus program. After you have removed any malware detected in a virus scan, you should immediately change any passwords saved in your browsers. _Update 10/21/21 7:28 PM EST: Added a statement from Google._ ### Related Articles: [New ZingoStealer infostealer drops more malware, cryptominers](https://www.bleepingcomputer.com/news/security/new-zingostealer-infostealer-drops-more-malware-cryptominers/) [Fake Binance NFT Mystery Box bots steal victim's crypto wallets](https://www.bleepingcomputer.com/news/security/fake-binance-nft-mystery-box-bots-steal-victims-crypto-wallets/) [Ukraine warns of “chemical attack” phishing pushing stealer malware](https://www.bleepingcomputer.com/news/security/ukraine-warns-of-chemical-attack-phishing-pushing-stealer-malware/) [Pixiv, DeviantArt artists hit by NFT job offers pushing malware](https://www.bleepingcomputer.com/news/security/pixiv-deviantart-artists-hit-by-nft-job-offers-pushing-malware/) [RIG Exploit Kit drops RedLine malware via Internet Explorer bug](https://www.bleepingcomputer.com/news/security/rig-exploit-kit-drops-redline-malware-via-internet-explorer-bug/) [Malware](https://www.bleepingcomputer.com/tag/malware/) [Password Stealing Trojan](https://www.bleepingcomputer.com/tag/password-stealing-trojan/) [Racoon Stealer](https://www.bleepingcomputer.com/tag/racoon-stealer/) [RedLine](https://www.bleepingcomputer.com/tag/redline/) [Video](https://www.bleepingcomputer.com/tag/video/) [YouTube](https://www.bleepingcomputer.com/tag/youtube/) [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. [Previous Article](https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million-in-new-macaw-ransomware-attacks/) [Next Article](https://www.bleepingcomputer.com/offer/deals/this-bundle-helps-you-master-data-analysis-in-only-9-hours/) Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ----- ### You may also like: -----