A widespread malware campaign is using YouTube videos to distribute password-stealing trojans that run quietly in the background, harvesting saved passwords, browser cookies, screenshots of active windows, and credit card details stored in browsers, among other data.

Once one of these trojans is downloaded and installed on a computer, it connects to a Command & Control (C2) server and waits for commands from the attacker.

Using YouTube video descriptions to distribute malware through embedded links is nothing new. This time, however, the scale is different: there has been a significant increase in malware campaigns on YouTube pushing various password-stealing trojans.

Researchers found that thousands of videos and channels have been created as part of this campaign, with over 100 new videos and 81 different channels appearing within a single 20-minute interval.

Frost, a security researcher at Cluster25, said that the threat actors use the Google accounts they steal to launch new YouTube channels that distribute the malware, creating a self-sustaining cycle.

"The threat actors have thousands of new channels available because they infect new clients every day. As part of these attacks, they steal the victim's Google credentials, which are then used to create new YouTube videos to distribute the malware," Frost stated.

The attack starts with the threat actors creating numerous YouTube channels filled with videos on popular subjects such as game hacks, VPNs, how-to guides, cryptocurrency, and pretty much any other popular category.

Frost also noted that two clusters of malicious activity are most likely at work simultaneously: one pushing the RedLine stealer and the other pushing Raccoon Stealer. One way to tell them apart is the link in the video description. A bit.ly link leads to a file-sharing site hosting the RedLine password-stealing malware, whereas an unshortened domain redirects to a page that pushes Raccoon Stealer.

Once a user is infected, the malware scans all installed browsers and cryptocurrency wallets for saved passwords and credit card numbers.
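That browser sweep is visible on the endpoint: a stealer has to open the browser's on-disk credential stores (Chromium-based browsers keep saved logins in "Login Data", cookies in "Cookies" and autofill/card data in "Web Data"; Firefox uses "logins.json", "key4.db" and "cookies.sqlite"), and the only process that normally opens those files is the browser itself. The following is an added example, not code from the original article or from any vendor it cites: a small Python hunt that runs over a constructed, hypothetical file-access log (process name, PID, operation, path) and flags non-browser processes touching those stores. The log format, process names and paths are assumptions for illustration; map them onto whatever your EDR or Sysmon pipeline actually emits.

```python
"""Hunt: non-browser processes opening browser credential stores.

Infostealers such as RedLine and Raccoon read the browser's saved-password,
cookie and autofill databases directly from disk. The browser reading its own
profile is normal; any other process opening these files is worth a look.

The log format below is constructed and hypothetical (added example, not the
article's or any vendor's code).
"""
import re
from collections import defaultdict

# File names that hold saved passwords, cookies and autofill/card data
# (Chromium-based browsers and Firefox). Matched case-insensitively.
CREDENTIAL_STORES = re.compile(
    r"[\\/](Login Data|Cookies|Web Data|logins\.json|cookies\.sqlite|key4\.db)$",
    re.IGNORECASE,
)

# Processes expected to open their own profile files (assumed allow-list).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}

# Hypothetical log line: '<ts> proc=<name> pid=<n> op=<op> path="<path>"'
LOG_LINE = re.compile(r'^(\S+) proc=(\S+) pid=(\d+) op=(\w+) path="([^"]+)"$')


def parse_line(line):
    """Return (ts, proc, pid, op, path) or None for lines that don't match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, proc, pid, op, path = m.groups()
    return ts, proc.lower(), int(pid), op, path


def find_suspicious_access(lines):
    """Map (proc, pid) -> sorted list of credential stores it opened.

    Only non-browser processes are reported, so one stealer sweeping several
    browsers shows up as a single finding rather than one alert per file.
    """
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the hunt
        _, proc, pid, _op, path = rec
        store = CREDENTIAL_STORES.search(path)
        if store is None:
            continue
        if proc in BROWSER_PROCESSES:
            continue  # the browser reading its own profile is expected
        findings[(proc, pid)].add(store.group(1))
    return {key: sorted(stores) for key, stores in findings.items()}


# Constructed sample log: normal browser activity, one unrelated file open,
# and a "cheat installer" sweeping Chrome, Firefox and Edge credential stores.
SAMPLE_LOG = """\
2022-10-20T10:01:02Z proc=chrome.exe pid=4120 op=open path="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
2022-10-20T10:01:05Z proc=notepad.exe pid=5011 op=open path="C:\\Users\\alice\\Documents\\notes.txt"
2022-10-20T10:02:11Z proc=Cheat_Installer.exe pid=6200 op=open path="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
2022-10-20T10:02:11Z proc=Cheat_Installer.exe pid=6200 op=open path="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
2022-10-20T10:02:12Z proc=Cheat_Installer.exe pid=6200 op=open path="C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2.default\\logins.json"
2022-10-20T10:02:13Z proc=Cheat_Installer.exe pid=6200 op=open path="C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Web Data"
"""

if __name__ == "__main__":
    for (proc, pid), stores in find_suspicious_access(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {proc} (pid {pid}) opened credential stores: {', '.join(stores)}")
```

The allow-list is deliberately narrow: backup agents and some password managers also read these files, so tune the list to your estate rather than widening the match, and treat a process that touches stores belonging to several different browsers in quick succession as the strongest signal, since that is exactly the sweep the stealers perform.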

Google said it is aware of the campaign and is taking action to disrupt it: "We are aware of this campaign and are currently taking action to block activity by this threat actor and flagging all links to Safe Browsing. As always, we are continuously improving our detection methods and investing in new tools and features that automatically identify and stop threats like this one. It is also important that users remain aware of these types of threats and take appropriate action to further protect themselves." - Google.

Lastly, it was noted that the stolen accounts were most likely sold on dark web markets or used to run cryptocurrency scams. These campaigns are a textbook example of why you should never download software from an untrusted source: even something as simple as grabbing a "free" tool or game cheat from a YouTube video can compromise your computer and put your most important accounts in jeopardy.

If you suspect you have already fallen victim to this attack, scan your computer with an antivirus program and remove the malware. Then change every password that was saved in your browser, preferably from a clean device. Because these stealers also take session cookies, which can let an attacker into an account without the password or a second factor, also sign out of all active sessions on important accounts (Google, e-mail, banking, crypto exchanges) and enable multi-factor authentication where it is not already on.