PennyWise crypto-stealing malware spreads through YouTube

Published at: July 6, 2022

A new strain of crypto-malware is being spread via YouTube, tricking users into downloading software designed to steal data from over 30 browsers and cryptocurrency applications, including crypto wallets and crypto-browser extensions.

Cyber intelligence company Cyble in a June 30 blog post said it had been tracking the malware known as PennyWise — likely named after the monster in Stephen King’s horror novel It — since it was first identified in May.

“Our investigation indicates that the stealer is an emerging threat,” Cyble wrote:

“In its current iteration, this stealer can target over 30 browsers and cryptocurrency applications such as cold crypto wallets, crypto-browser extensions, etc.”

The stolen data includes Chromium- and Mozilla-based browser information, including cryptocurrency extension data and saved login data. The stealer can also take screenshots and lift session data from chat applications such as Discord and Telegram.

The malware also targets cold crypto-wallets such as Armory, Bytecoin, Jaxx, Exodus, Electrum, Atomic Wallet, Guarda and Coinomi, as well as wallets supporting Zcash (ZEC) and Ether (ETH), by looking for wallet files in each application’s directory and sending copies of those files to the attackers, according to Cyble.
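The collection step described above (walk the known wallet directories, copy whatever is there) is also what makes this family visible to a defender: one process that is not the wallet application opening several unrelated wallet stores in a single session. The Python below is an added example written for this page, not code from Cyble or Cointelegraph. The storage paths are assumptions about the default Windows locations of the applications the article names, the legitimate-process names are equally hypothetical, and the event list is constructed sample telemetry in a (process image, file path) shape rather than real data.

```python
"""Hunting for the wallet-file collection behaviour described in the article.

Added example, not Cyble's or Cointelegraph's code. WATCHLIST paths are
assumed default Windows locations for the applications the article names;
the allowed process names are hypothetical. EVENTS is constructed telemetry.
"""
import fnmatch
from collections import defaultdict

# app -> (assumed storage path pattern, glob patterns of processes that may
# legitimately open it). {appdata}/{localappdata} are expanded per user.
WATCHLIST = {
    "Armory":   (r"{appdata}\Armory\*.wallet",                     ("armoryqt.exe",)),
    "Bytecoin": (r"{appdata}\bytecoin\*.wallet",                   ("bytecoin-gui.exe",)),
    "Jaxx":     (r"{appdata}\com.liberty.jaxx\IndexedDB\*",        ("jaxx liberty.exe",)),
    "Exodus":   (r"{appdata}\Exodus\exodus.wallet\*",              ("exodus.exe",)),
    "Electrum": (r"{appdata}\Electrum\wallets\*",                  ("electrum*.exe",)),
    "Atomic":   (r"{appdata}\atomic\Local Storage\leveldb\*",      ("atomic wallet.exe",)),
    "Guarda":   (r"{appdata}\Guarda\Local Storage\leveldb\*",      ("guarda.exe",)),
    "Coinomi":  (r"{localappdata}\Coinomi\Coinomi\wallets\*",      ("coinomi.exe",)),
    "Zcash":    (r"{appdata}\Zcash\wallet.dat",                    ("zcashd.exe",)),
    "Ethereum": (r"{appdata}\Ethereum\keystore\*",                 ("geth.exe",)),
    # Browser credential stores the article says are collected as well.
    "Chromium": (r"{localappdata}\Google\Chrome\User Data\*\Login Data", ("chrome.exe",)),
    "Firefox":  (r"{appdata}\Mozilla\Firefox\Profiles\*\logins.json",   ("firefox.exe",)),
}


def expand(pattern, appdata, localappdata):
    """Fill in the per-user profile roots and lowercase for case-insensitive matching."""
    return pattern.format(appdata=appdata, localappdata=localappdata).lower()


def classify_path(path, appdata, localappdata):
    """Return the application whose store `path` belongs to, or None."""
    p = path.lower()
    for app, (pattern, _) in WATCHLIST.items():
        if fnmatch.fnmatchcase(p, expand(pattern, appdata, localappdata)):
            return app
    return None


def hunt(events, appdata, localappdata, breadth_threshold=3):
    """Scan (image, path) file-access events for stealer-like behaviour.

    Returns (unexpected, broad):
      unexpected: [(image, app, path)] where the opener is not the owning app;
      broad: {image: [apps]} for processes touching >= breadth_threshold distinct
             stores, i.e. the enumerate-every-wallet pattern of a stealer.
    """
    unexpected = []
    touched = defaultdict(set)
    for image, path in events:
        app = classify_path(path, appdata, localappdata)
        if app is None:
            continue
        image_l = image.lower()
        touched[image_l].add(app)
        allowed = WATCHLIST[app][1]
        if not any(fnmatch.fnmatchcase(image_l, a) for a in allowed):
            unexpected.append((image, app, path))
    broad = {img: sorted(apps) for img, apps in touched.items()
             if len(apps) >= breadth_threshold}
    return unexpected, broad


# Constructed sample telemetry for one user profile (not real data).
USER_APPDATA = r"C:\Users\alice\AppData\Roaming"
USER_LOCAL = r"C:\Users\alice\AppData\Local"
EVENTS = [
    ("electrum-4.2.2.exe", USER_APPDATA + r"\Electrum\wallets\default_wallet"),
    ("chrome.exe",         USER_LOCAL + r"\Google\Chrome\User Data\Default\Login Data"),
    # A "free miner" download sweeping every store it knows about:
    ("btc-miner-free.exe", USER_APPDATA + r"\Electrum\wallets\default_wallet"),
    ("btc-miner-free.exe", USER_APPDATA + r"\Exodus\exodus.wallet\seed.seco"),
    ("btc-miner-free.exe", USER_APPDATA + r"\atomic\Local Storage\leveldb\000003.log"),
    ("btc-miner-free.exe", USER_LOCAL + r"\Google\Chrome\User Data\Default\Login Data"),
    ("btc-miner-free.exe", USER_APPDATA + r"\Mozilla\Firefox\Profiles\x1y2z3.default-release\logins.json"),
    ("notepad.exe",        USER_APPDATA + r"\notes.txt"),
]

if __name__ == "__main__":
    unexpected, broad = hunt(EVENTS, USER_APPDATA, USER_LOCAL)
    for image, app, path in unexpected:
        print(f"UNEXPECTED  {image:<22} {app:<9} {path}")
    for image, apps in broad.items():
        print(f"BROAD READER {image}: {', '.join(apps)}")
```

Feed real file-access telemetry from an EDR or Sysmon in the same (image, path) shape. Of the two signals, the breadth heuristic is the more robust: allowlists drift as wallet builds are renamed, but no legitimate program has a reason to open Electrum, Exodus, Atomic and both browsers’ credential stores in one run.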

The cybersecurity company noted that the malware is being spread through YouTube videos framed as mining tutorials, which purport to offer free Bitcoin mining software.

The cybercriminals, or “threat actors,” upload videos instructing viewers to follow the link in the description and download the free software, while also encouraging them to disable their antivirus software, which allows the malware to run unhindered.

Cyble said the attacker had as many as 80 videos on their YouTube channel as of June 30. However, the channel identified has since been removed.

A search by Cointelegraph found similar links to the malware remain on other smaller YouTube channels, with videos promising free nonfungible token (NFT) mining, cracks for paid software, free Spotify premium, game cheats and mods.

Many of these accounts were created within the last 24 hours.


Interestingly, the malware is designed to terminate itself if it determines that the victim is based in Russia, Ukraine, Belarus or Kazakhstan. Cyble also found that the malware converts the victim’s stolen timezone data to Moscow Standard Time (MSK) before sending it back to the attackers.

In February, malware named Mars Stealer was identified as targeting crypto wallets that work as Chromium browser extensions such as MetaMask, Binance Chain Wallet or Coinbase Wallet.

Chainalysis warned in January that even “low-skilled cybercriminals” are now using malware to take funds from crypto hodlers, with cryptojacking accounting for 73% of the total value received by malware-related addresses between 2017 and 2021.
