PennyWise malware is spread via YouTube to steal crypto wallets

PennyWise Malware YouTube Crypto Wallets Cryptocurrency Bitcoin Social Engineering

Security researchers have recently observed multiple samples of the PennyWise malware, as dubbed by its developers. The malware was considered an active threat due to its movements in the threat landscape, including stealing browser data and crypto assets from its victims.

Based on an analysis of the PennyWise malware, its operators spread it through the video-streaming platform YouTube, wherein the malware is advertised as a fake Bitcoin mining software. Once the victims download the advertised software from the attached link on the video, they will unknowingly download the PennyWise malware into their machines instead and get infected by it.

In appearing as legitimate software, the operators password-protect the archive file, which researchers believe to be a social engineering tactic to gain the victims’ trust. Furthermore, the operators also include a link to VirusTotal to prove to the victims that the file is safe from viruses.


The PennyWise malware steals data through an obfuscated crypter tool and uses a multithreading technique in its processes.


The malware obtains a path for different web browsers inside the computer and will start harvesting the victim’s operating system username, system language, computer name, and timezone. The researchers also noted that once the malware identified the victim’s country as Russia, Ukraine, Belarus, or Kazakhstan, it would immediately halt the attack.

Suppose the malware proceeds with the operation; it would begin checking the computer’s environment, launch anti-detection methods, and determine the working antivirus tools. After all these checks, the PennyWise malware launches the multithreading process, with over ten threads created, each designated to different operations.

It must also be noted that the malware only collects DOC, JSON, RTF, and TXT files smaller than 20 kilobytes. These files would be stored in an obfuscated ‘grabber’ folder created by the malware. Furthermore, the malware collects a browser’s login credentials, cookies, master passwords, encryption keys, Discord tokens, and Telegram sessions. PennyWise would also take a screenshot of the victim’s computer screen.

As for its main objective, the malware will begin hunting for the victim’s cryptocurrency wallets and cold storage wallets, including Bitcoin, Dash, Zcash, Ethereum, and Atomic Wallet, among others.

After all the malware’s job is completed, it compresses the collected files and is sent to the threat operator’s C2 server before being deleted.

Per usual advice, users must not download files from suspicious links and third-party websites. Also, if these links instruct to turning off the antivirus tools on a computer, then there is a high chance for it to be malware.

About the author

Leave a Reply