The malware scans your chat logs, steals your browser extension and login information, and targets Zcash and Ethereum wallets in addition to Electrum, Atomic Wallet, and Coinomi.
A new type of cryptocurrency malware is spreading through YouTube, luring users into downloading programs that are intended to steal data from 30 different cryptocurrency wallets and browser extensions.
The spyware known as PennyWise, possibly named after the creature in Stephen King’s horror novel It, has been tracked since May, according to a blog post by cyber intelligence firm Cyble.
“Our investigation indicates that the stealer is an emerging threat,” wrote Cyble in a blog post on June 30:
“In its current iteration, this stealer can target over 30 browsers and cryptocurrency applications such as cold crypto wallets, crypto-browser extensions, etc.”
The stealer harvests Chromium and Mozilla browser data, including login information and Bitcoin extension data, from the victim’s PC. It also steals sessions from chat programs such as Discord and Telegram and takes screenshots.
According to Cyble, the malware also targets cold crypto wallets that support Zcash (ZEC) and Ether (ETH) by searching for wallet files in their directories and transmitting a copy of the data to the attackers. These wallets include Armory, Bytecoin, Jaxx, Exodus, Electrum, Atomic Wallet, Guarda, and Coinomi.
The cybersecurity firm warned that the infection is being propagated through YouTube videos posing as tutorials for free Bitcoin mining software.
The “Threat Actors,” or hackers, post videos in which they urge viewers to visit the link in the description, download the free software, and turn off their antivirus programs, which allows the malware to run unhindered.
As of June 30, according to Cyble, the attacker had as many as 80 videos posted to their YouTube channel. The identified channel has since been deleted.
Following a search, similar links to the malware were discovered on smaller YouTube channels, where videos advertised free nonfungible token (NFT) mining, paid software cracks, free Spotify premium, and game mods and hacks.
A lot of these accounts were only made in the last 24 hours.
A curious feature of the malware is that it is programmed to terminate itself if it determines that the victim is located in Russia, Ukraine, Belarus, or Kazakhstan. Additionally, Cyble discovered that when the malware sends the victim’s stolen timezone data back to the attackers, it converts it to Moscow Standard Time (MSK).
In February, malware known as Mars Stealer was discovered to target cryptocurrency wallets that run as Chromium browser extensions, including MetaMask, Binance Chain Wallet, and Coinbase Wallet.
Even “low-skilled” cybercriminals are increasingly deploying malware to steal money from cryptocurrency hodlers, according to a January warning from Chainalysis. Cryptojacking accounted for 73% of the total value acquired by malware-related addresses between 2017 and 2021.