    Malware that steals crypto using YouTube

    It is called “PennyWise”, after the clown in Stephen King’s famous “It”, and it is a new type of malware that spreads via YouTube by exploiting educational videos on Bitcoin mining. Malicious actors upload videos inviting viewers to follow the link in the description and download free software. In reality, the software is designed to steal data from 30 cryptocurrency wallets and browser extensions. Similar links appear on many YouTube channels, including recently created ones. The videos promise free mining, NFT drops, video game cheats, cracks for paid software, and cracked accounts for paid services. To top it off, viewers are also told to disable their antivirus.

    Malware targeting crypto wallets is very common. In February, for example, a malware strain called Mars Stealer was identified that targets wallets running as extensions in Chromium browsers, such as MetaMask, Binance Chain Wallet or Coinbase Wallet. Cryptojacking accounted for 73% of the total capital received by malware-related addresses between 2017 and 2021.

    The malware can steal the victim’s browser data and login information, and can take screenshots of chats in applications such as Discord and Telegram. It also targets cold wallets such as Armory, Bytecoin, Jaxx, Exodus, Electrum, Atomic Wallet, Guarda, and Coinomi, looking for wallet-related files in the directory and sending a copy to the hackers.
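
    A defender can hunt for the wallet sweep described above by flagging any single process that touches several different wallet directories in a short time. The sketch below is an added example, not code from Cyble or from the article; the event format, the sample events, the thresholds and the idea of matching the article's wallet names as substrings of path components under AppData are all assumptions.

```python
from collections import defaultdict

# Wallet names come from the article; matching them as substrings of
# path components under AppData is an assumption of this example.
WALLET_KEYWORDS = ("armory", "bytecoin", "jaxx", "exodus", "electrum",
                   "atomic", "guarda", "coinomi")

def wallet_family(path):
    """Return the wallet keyword found in `path` below AppData, else None."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\")]
    if "appdata" not in parts:
        return None
    below = parts[parts.index("appdata") + 1:]
    return next((k for k in WALLET_KEYWORDS if any(k in p for p in below)), None)

def find_wallet_sweeps(events, min_wallets=3, window=60):
    """Flag processes that touch >= min_wallets wallet families within `window` seconds."""
    hits = defaultdict(list)
    for ev in events:
        family = wallet_family(ev["path"])
        if family:
            hits[(ev["pid"], ev["image"])].append((ev["ts"], family))
    alerts = []
    for (pid, image), seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            # Distinct wallet families touched inside the window starting here.
            families = {f for ts, f in seen[i:] if ts - start <= window}
            if len(families) >= min_wallets:
                alerts.append({"pid": pid, "image": image, "wallets": sorted(families)})
                break
    return alerts

# Constructed file-access events (not from the article or from Cyble).
APPDATA = r"C:\Users\alice\AppData\Roaming"
def _ev(ts, pid, image, rel):
    return {"ts": ts, "pid": pid, "image": image, "path": APPDATA + "\\" + rel}
SAMPLE_EVENTS = [
    _ev(100, 4120, r"C:\Program Files\Electrum\electrum.exe", r"Electrum\wallets\w1"),
    _ev(200, 7788, r"C:\Users\alice\Downloads\free_miner.exe", r"Electrum\wallets\w1"),
    _ev(201, 7788, r"C:\Users\alice\Downloads\free_miner.exe", r"Exodus\wallet.dat"),
    _ev(203, 7788, r"C:\Users\alice\Downloads\free_miner.exe", r"Guarda\data.db"),
    _ev(1000, 5555, r"C:\Tools\backup.exe", r"Electrum\wallets\w1"),
    _ev(5000, 5555, r"C:\Tools\backup.exe", r"Exodus\wallet.dat"),
    _ev(9000, 5555, r"C:\Tools\backup.exe", r"Guarda\data.db"),
]

if __name__ == "__main__":
    print(find_wallet_sweeps(SAMPLE_EVENTS))
```

    On the constructed events, only the downloaded program that reads three wallet directories within a few seconds is flagged; the wallet application reading its own files and the slow backup job are not.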

    Cybersecurity firm Cyble said one of the criminals it examined had about 80 videos on their YouTube channel, which was later removed. The malware is designed to crash if it discovers that the victim is based in Russia, Ukraine, Belarus, or Kazakhstan. Cyble also found that the malware converts the victim’s stolen time zone data into Moscow Standard Time (MSK).

    Press release
