Tuesday , April 1 2025

Hackers Using YouTube as a Malware Distribution Platform Via Hacked YT Channel

Morphisec Threat Labs researchers have recently exposed a sneaky loader called “in2al5d p3in4er” (Invalid Printer) that delivers Aurora information stealer malware through YouTube videos.

Using an advanced anti-VM technique, the in2al5d p3in4er loader, built with Embarcadero RAD Studio, specifically targets endpoint workstations.

Late in 2022, Aurora appeared on the threat landscape for the first time, and it’s an information stealer written in Go programming language.

CVE-2025-1268
Patch urgently! Canon Fixes Critical Printer Driver Flaw

Canon has announced a critical security vulnerability, CVE-2025-1268, in printer drivers for its production printers, multifunction printers, and laser printers....
Read More
CVE-2025-1268  Patch urgently! Canon Fixes Critical Printer Driver Flaw

Within Minute, RamiGPT To Escalate Privilege Gaining Root Access

RamiGPT is an AI security tool that targets root accounts. Using PwnTools and OpwnAI, it quickly navigated privilege escalation scenarios...
Read More
Within Minute, RamiGPT To Escalate Privilege Gaining Root Access

Australian fintech database exposed in 27000 records

Cybersecurity researcher Jeremiah Fowler recently revealed a sensitive data exposure involving the Australian fintech company Vroom by YouX, previously known...
Read More
Australian fintech database exposed in 27000 records

Over 200 Million Info Leaked Online Allegedly Belonging to X

Safety Detectives' Cybersecurity Team found a forum post where a threat actor shared a .CSV file with over 200 million...
Read More
Over 200 Million Info Leaked Online Allegedly Belonging to X

FBI investigating cyberattack at Oracle, Bloomberg News reports

The Federal Bureau of Investigation (FBI) is probing the cyberattack at Oracle (ORCL.N), opens new tab that has led to...
Read More
FBI investigating cyberattack at Oracle, Bloomberg News reports

OpenAI Offering $100K Bounties for Critical Vulns

OpenAI has increased its maximum bug bounty payout to $100,000, up from $20,000, to encourage the discovery of critical vulnerabilities...
Read More
OpenAI Offering $100K Bounties for Critical Vulns

Splunk Alert User RCE and Data Leak Vulns

Splunk has released a security advisory about critical vulnerabilities in Splunk Enterprise and Splunk Cloud Platform. These issues could lead...
Read More
Splunk Alert User RCE and Data Leak Vulns

CIRT alert Situational Awareness for Eid Holidays

As the Eid holidays near, cybercriminals may try to take advantage of weakened security during this time. The CTI unit...
Read More
CIRT alert Situational Awareness for Eid Holidays

Cyberattack on Malaysian airports: PM rejected $10 million ransom

Operations at Kuala Lumpur International Airport (KLIA) were unaffected by a cyber attack in which hackers demanded US$10 million (S$13.4...
Read More
Cyberattack on Malaysian airports: PM rejected $10 million ransom

Micropatches released for Windows zero-day leaking NTLM hashes

Unofficial patches are available for a new Windows zero-day vulnerability that allows remote attackers to steal NTLM credentials by deceiving...
Read More
Micropatches released for Windows zero-day leaking NTLM hashes

Abusing YouTube as a Distribution Platform

Aurora is a commodity malware distributed through fake cracked software download sites and YouTube videos to other threat actors looking to use it.

YouTube has become an attractive distribution platform for threat actors looking to spread malware to access sensitive information.

Due to its mass popularity, YouTube has become one of the first choices for threat actors.

Hackers have found a new way to spread malware by hacking popular YouTube accounts and posting videos with malicious links or downloads through those compromised accounts or channels.

While the hackers also use optimized SEO tags to boost the visibility of videos in search results, which will increase the click-through rate (CTR).

Since threat actors are actively generating handsome revenue by stealing YouTube accounts for a fee, these services are now actively marketed by hackers in several underground forums and marketplaces.

Artificial intelligence (AI) is used by the service to generate videos, making it easier and quicker to create budget-backed content that looks convincing.

Victims who click on the links in YouTube video descriptions are taken to fake websites that trick them into downloading malware disguised as legitimate software.

To appear legitimate, these fake websites use the following things to create the illusion that they are real:-

  • Similar URLs
  • Similar logos
  • Similar branding

These decoy websites convince users to download applications containing malware and trick them into entering their sensitive or personal information.

Technical analysis

Morphisec asserted that this loader checks the vendor ID of a system’s graphics card and terminates itself if the value doesn’t match a list of approved IDs, which includes:-

  • AMD
  • Intel
  • NVIDIA

Using a technique called “process hollowing,” the loader decrypts the final payload and injects it into a genuine process called “sihost.exe.”

While injecting the final payload into the legitimate process, the loader dynamically decrypts all the required Windows API and uses the XOR key ‘in2al5d p3in4er‘ to decrypt the API names.

The loader employs Embarcadero RAD Studio to create executable files that can be used on various platforms, which helps it evade detection by security software.

Malware loaders like in2al5d p3in4er are the building blocks of an attack, providing an initial foothold between the attacker and the compromised system.

They serve as a crucial first stage, facilitating the delivery of more complex and damaging payloads.

The threat actors are responsible for in2al5d p3in4er malware are leveraging social engineering tactics and using them in combination with the malware to create a significant impact.

They target popular YouTube accounts to redirect the viewers to fake and legitimate-looking websites.

To prevent attacks from in2al5d p3in4er, educating employees about identifying social engineering schemes is crucial.

Source: Cybersecuritynews

Check Also

million

Oracle refutes breach after hacker claims 6 million data theft

A hacker known as “rose87168” claims to have stolen six million records from Oracle Cloud …

Leave a Reply

Your email address will not be published. Required fields are marked *