A new type of cryptocurrency malware is sweeping across YouTube, enticing users to install malware that targets 30 distinct crypto wallets and browser extensions. On June 30, the cyber intelligence company Cyble published a blog post that said it had been tracking the malware known as “PennyWise.”
Lurking within the System
Cyble said the malware activates through YouTube videos that appear to offer free Bitcoin mining software, as well as other channels. The information it takes from the victim’s PC includes Chrome and Mozilla browser data, cryptocurrency extension data, and login details. It can also take screen captures and commandeer chat sessions with software like Telegram and Discord.
Cyble claims that the malware also targets cold crypto-wallets and storage that support Zcash and Ethereum; for both, it searches the directory for wallet files and copies them to the attackers.
The actors upload videos asking viewers to click the link in the description and download the program for free. Curiously enough, they also urge viewers to turn off their antivirus software, claiming that if the program is detected as a virus, it is a “false alarm.” As of June 30, the attackers had uploaded 80 posts on their YouTube channel. Unfortunately, the identified channel has since been deleted.
Attacks Happening Everywhere
PennyWise is not the only crypto-related malware out there. Previously, researchers from Trend Micro found a new type of malware that had been targeting Monero wallets. The malware’s unusual feature is that it is designed to self-destruct if it determines the target to be in the northeastern part of Russia, Kazakhstan, or any other country between these two countries. Cyble explained that when the malware transmits the victim’s stolen timezone data to the breachers, it changes it to RST (Russian Standard Time).