YouTube Videos Promise Private Key Generator for Bitcoin Addresses, Lead Users to Info-stealing Trojan Instead

YouTube videos were being used in a scam to deliver an information-stealing Trojan called Predator the Thief (detected by Trend Micro as TrojanSpy.MSIL.PREDATOR.AA). In the scam, discovered by security researcher Frost, the threat actors use the videos to promote a supposed tool that generates the private key for any bitcoin address. The videos are bait: what the viewer actually downloads is Predator the Thief, a Trojan that harvests passwords and other information from infected systems.

How the scam operates

The threat actors behind this scam upload YouTube videos promising a private key generator for bitcoin addresses, a tool that would supposedly let the viewer steal the bitcoins held in those addresses. No such tool can work: a bitcoin address is derived from a hash of the public key, and recovering the corresponding private key from it is computationally infeasible, which is exactly what makes the promise effective bait. Some of the videos, uploaded by a user going by the name Crypto World, have had several hundred views.

The video descriptions carry Yandex, Google Drive, and MediaFire links to the trojanized tool. Each link serves a file named Crypto World.zip, which unpacks to a setup.exe file. That executable embeds a password-protected ZIP file containing the Predator the Thief binary, a layering that keeps the payload out of reach of scanners that only inspect the outer archive.

Per Bleeping Computer’s analysis, when setup.exe runs it unpacks the embedded ZIP into the .\language\templates\temp folder (relative to its own working directory) as license.exe and then executes it, installing and launching Predator the Thief on the victim’s computer. Predator the Thief then contacts its command-and-control (C&C) server to fetch additional components and other malware, and sends the information it has collected back to the threat actors.
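The dropper chain described above (setup.exe unpacking a payload into .\language\templates\temp and launching it as license.exe) is specific enough to hunt for in endpoint telemetry. The following Python script is an added example, not code from the article, Trend Micro, or Bleeping Computer. It assumes Sysmon-style process-creation records in JSON-lines form with Image, ParentImage and RecordId fields; the sample events and the indicator names are constructed for illustration.

```python
"""Hunt for the Predator the Thief dropper chain in process-creation telemetry.

Added example, not from the original article. It encodes the behaviour the
article describes: setup.exe unpacks a password-protected ZIP into
.\\language\\templates\\temp and runs the payload as license.exe. The log
format (JSON lines with Sysmon-style field names) and the events in
SAMPLE_LOG are constructed for illustration.
"""
import json
import re
from typing import Dict, Iterable, List

# Drop directory named in the article, matched case-insensitively anywhere in the path.
DROP_DIR_RE = re.compile(r"\\language\\templates\\temp\\", re.IGNORECASE)

# File names taken from the article: the dropper and the payload it writes.
DROPPER_NAME = "setup.exe"
PAYLOAD_NAME = "license.exe"


def _basename(path: str) -> str:
    """Return the final component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: dict) -> List[str]:
    """Return the indicator names matched by one process-creation event.

    Expected keys (Sysmon EventID 1 style): Image, ParentImage.
    """
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    hits: List[str] = []
    if DROP_DIR_RE.search(image) and _basename(image) == PAYLOAD_NAME:
        # Strongest signal: the exact drop path plus the payload file name.
        hits.append("payload_in_templates_temp")
    elif DROP_DIR_RE.search(image):
        # Any executable launched from that directory is suspicious on its own.
        hits.append("exec_from_templates_temp")
    if _basename(parent) == DROPPER_NAME and DROP_DIR_RE.search(image):
        # setup.exe spawning a child out of the drop directory is the dropper step.
        hits.append("dropper_spawned_payload")
    return hits


def hunt(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Parse JSON-lines telemetry; map each flagged event's RecordId to its indicators."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        hits = classify_event(event)
        if hits:
            flagged[event["RecordId"]] = hits
    return flagged


# Constructed sample telemetry (not real logs): one benign launch, the dropper
# itself, the full dropper-to-payload chain, and a stray executable in the
# drop folder that does not carry the expected name.
SAMPLE_LOG = r"""
{"RecordId": "1", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"RecordId": "2", "Image": "C:\\Users\\victim\\Downloads\\Crypto World\\setup.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"RecordId": "3", "Image": "C:\\Users\\victim\\Downloads\\Crypto World\\language\\templates\\temp\\license.exe", "ParentImage": "C:\\Users\\victim\\Downloads\\Crypto World\\setup.exe"}
{"RecordId": "4", "Image": "C:\\Users\\victim\\Downloads\\Crypto World\\language\\templates\\temp\\other.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for record_id, indicators in hunt(SAMPLE_LOG.splitlines()).items():
        print(record_id, ", ".join(indicators))
```

The rule deliberately keys on the relative drop path rather than on a file hash, since the archive and payload can be repacked at will while the unpacking logic in setup.exe is what the analysis actually observed; the weaker exec_from_templates_temp indicator is there to catch a renamed payload, at the cost of some false positives that an analyst should expect to triage.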

Apart from passwords, Predator the Thief can steal files from the victim’s computer, capture the contents of its clipboard, and record video with the computer’s webcam.

Security recommendations

To stay safe from info-stealing threats such as Predator the Thief, users should only download software and applications from official websites and trusted app stores. Users who are already infected are advised to change all passwords for their financial accounts, websites, chat services, and gaming services. Because the stealer harvests saved credentials, those passwords should be changed only after the infection has been removed, and from a device known to be clean.

Users can also take advantage of Trend Micro™ Security, a product that blocks over 250 million threats daily. It uses machine learning and other security layers to protect against web threats, malware, online banking and shopping threats, and other ever-evolving threats.