Doctor Web: new Trojan distributed via YouTube
March 23, 2018
Malicious program dubbed Trojan.PWS.Stealer.23012 is written in Python, and it infects computers running Microsoft Windows OS. Trojan distribution started on March 23, 2018 and continues to this day. Cybercriminals publish links to the malicious program in the comments section of YouTube videos, a popular web resource. A lot of these videos focus on cheating methods in games (so called “cheats”) using special applications. Cybercriminals try to pass the Trojan off as such programs and useful utilities. Links lead to the Yandex.Disk servers. To persuade users to click the link, videos contain comments clearly written by using fake accounts. When clicking the link, victims download a self-unpacking RAR archive containing the Trojan on their computers.
An example of the link to a malicious file published in the comments section of the video.
Once launched on an infected computer, it collects the following information:
- cookies stored by the Vivaldi, Chrome, YandexBrowser, Opera, Kometa, Orbitum, Dragon, Amigo, and Torch browsers;
- saved logins/passwords from the same browsers;
It also copies files with “.txt”, “.pdf”, “.jpg”, “.png”, “.xls”, “.doc”, “.docx”, “.sqlite”, “.db”, “.sqlite3”, “.bak”, “.sql”, “.xml” extensions from Windows Desktop.
Trojan.PWS.Stealer.23012 saves all gathered information in the C:/PG148892HQ8 folder. It then packs all data into the spam.zip archive, which is sent to the cybercriminal’s server along with the data on an infected device location.
Doctor Web virus analytics found several modifications to the Trojan. Some of them were detected as Trojan.PWS.Stealer.23198. Dr.Web anti-virus products successfully detect all known modifications to this malicious program, so they do not pose any threat to our users.#cookies #malware #screenshot #Trojan
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.