Malware impersonates a YouTube bot to steal data

January 4, 2023

Malware operators are currently spreading a malicious YouTube bot that artificially inflates video rankings on the streaming platform while stealing sensitive data from browsers. According to reports, the bot also retrieves commands from a command-and-control (C2) server for further malicious actions.

Researchers found that the actors distribute the YouTube bot malware as a 32-bit executable compiled with .NET. The executable requires four argument strings to run: the video duration, like, comment, and video ID.

On execution, the malware first runs an anti-VM check to avoid being analysed by researchers in a virtual environment. If the check determines that it is running in a sandboxed or otherwise controlled environment, it stops executing.

Next, the malware creates a mutex, copies itself to another folder under the name AvastSecurity.exe and launches the copy through cmd.exe. The new mutex helps the malware establish persistence, and it also creates a task scheduler entry.
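As an added illustration, not code from the original report, the following Python routine triages constructed Sysmon-style process-creation events for the persistence pattern just described: an AvastSecurity.exe copy launched via cmd.exe from outside the vendor's install directory, correlated with a scheduled-task registration that points at the same path. The allowlisted Avast directories and the sample events are assumptions.

```python
from pathlib import PureWindowsPath

# Assumed (not from the article): where a genuine Avast binary lives.
LEGIT_AVAST_DIRS = (
    PureWindowsPath(r"C:\Program Files\Avast Software"),
    PureWindowsPath(r"C:\Program Files (x86)\Avast Software"),
)

def _under(path, roots):
    """True if path sits below any of the root directories."""
    p = PureWindowsPath(path)
    return any(root in p.parents for root in roots)

def suspicious_avast_launch(ev):
    """cmd.exe spawning an AvastSecurity.exe that lives outside Avast's dirs."""
    img = PureWindowsPath(ev["Image"])
    return (img.name.lower() == "avastsecurity.exe"
            and PureWindowsPath(ev["ParentImage"]).name.lower() == "cmd.exe"
            and not _under(img, LEGIT_AVAST_DIRS))

def schtask_for(ev, target):
    """schtasks.exe creating a task whose action runs the suspect binary."""
    cl = ev["CommandLine"].lower()
    return (PureWindowsPath(ev["Image"]).name.lower() == "schtasks.exe"
            and "/create" in cl and str(target).lower() in cl)

def triage(events):
    """Return {suspect_path: [reasons]} for each correlated hit."""
    hits = {}
    for ev in events:
        if suspicious_avast_launch(ev):
            hits.setdefault(ev["Image"], []).append("cmd.exe launched rogue copy")
    for target in list(hits):
        if any(schtask_for(ev, target) for ev in events):
            hits[target].append("scheduled task points at copy")
    return hits

# Constructed Sysmon-style process-creation events, for illustration only.
ROGUE = r"C:\Users\alice\AppData\Roaming\Sys\AvastSecurity.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Avast Software\Avast\AvastSecurity.exe",  # genuine path
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": ""},
    {"Image": ROGUE, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": ROGUE + " 600 true nice abc123"},  # duration, like, comment, video ID
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": ROGUE,
     "CommandLine": f'schtasks /create /sc onlogon /tn Updater /tr "{ROGUE}"'},
]
```

Calling `triage(SAMPLE_EVENTS)` flags only the copy in the user profile, with both the cmd.exe launch and the scheduled task as reasons, while the binary under the genuine Avast directory is ignored.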

The AvastSecurity.exe file can harvest autofill data, login data, and cookies from the victim's installed Chrome browsers. The malware then calls its YouTube Playwright function, passing it the arguments, the browser path, and the cookie information, to view the specified video.

The YouTube bot uses Playwright to execute standard streaming features.


According to the investigation, the malicious YouTube bot launches a browser context with these parameters and uses the YouTube Playwright function to automate activities such as liking, commenting on, and viewing YouTube videos.

The malware then connects to a command-and-control server and retrieves commands that can remove the scheduled task entry, terminate its own process, download and execute additional files, exfiltrate log files to the C2 server, and play or pause a YouTube video.

The malware also checks whether the targeted system has the required dependencies, namely the Playwright package and the Google Chrome browser. If they are not present on the device, the malware downloads and installs them when it receives the corresponding command.

YouTube content creators should avoid using bots to boost their videos, since some of these bots could be malware that unfairly inflates rankings while stealing their sensitive information.
