PennyWise crypto-stealing malware spreads through YouTube


A new strain of crypto-malware is being spread via YouTube, tricking users into downloading software designed to steal data from 30 crypto wallets and crypto-browser extensions.

Cyber intelligence company Cyble said in a June 30 blog post that it has been tracking malware called “Pennywise” — possibly named after the monster in Stephen King’s horror novel “It” — since it was first identified in May.


“Our investigation indicates that piracy is an emerging threat,” Cyble wrote in a blog post on June 30.

“In its current iteration, this piracy can target over 30 browsers and cryptocurrency applications such as cold crypto wallets, crypto-browser extensions, etc.”

The data stolen from the victim’s system takes the form of Chromium and Mozilla browser information, including password-extension data and login data. The malware can also take screenshots and steal sessions from chat applications such as Discord and Telegram.

The malware also targets cold crypto wallets such as Armory, Bytecoin, Jaxx, Exodus, Electrum, Atomic Wallet, Guarda and Coinomi, as well as wallets supporting Zcash and Ethereum, by searching the directory for wallet files and sending a copy of any it finds to the attackers, according to Cyble.

The cybersecurity company noted that the malware is being spread through YouTube videos posing as mining tutorials, which claim to offer free Bitcoin mining software.

Cybercriminals, or “threat actors,” upload videos instructing viewers to visit the link in the description and download the free software, while also encouraging them to disable their antivirus software, which allows the malware to run successfully.

Cyble said that, as of June 30, the attacker’s YouTube channel hosted 80 videos; the identified channel has since been removed.

A search by Cointelegraph found similar links to malware persist on other smaller YouTube channels, with videos promising free NFT-mining, cracks for paid software, free Spotify Premium, game cheats and mods.

Many of these accounts have only been created within the last 24 hours.

Related: Bitcoin Stealing Malware: Bitter Reminder for Crypto Users to Be Vigilant

Interestingly, the malware is designed to stop itself if it detects that the victim is located in Russia, Ukraine, Belarus or Kazakhstan. Cyble also found that the malware converts the victim’s stolen timezone data into Russian Standard Time (RST) when the data is sent back to the attackers.

In February, malware named Mars Stealer was identified as targeting crypto wallets that operate as Chromium browser extensions such as MetaMask, Binance Chain Wallet or Coinbase Wallet.

Chainalysis warned in January that even “less-skilled cybercriminals” are now using malware to steal cryptocurrency, with cryptojacking accounting for 73% of the total value received by malware-related addresses between 2017 and 2021.