A craving for freebies can be expensive. A malware called Pennywise (apparently named after the creepy clown from Stephen King’s book It), capable of stealing cryptocurrency, is spreading on YouTube. The danger comes from links that users can click on under the videos. The attackers had about 80 videos on their channel as of June 30 (the videos have since been removed), but similar dangerous links to the malware remain on other, smaller channels, with clips promising free NFT mining, crack codes for commercial programs, free Spotify Premium, game cheats, and mods. Researchers from Cyble Research Labs were the first to report this.
The Pennywise stealer targets Zcash, Ethereum, Armory, Bytecoin, Jaxx, Exodus, Electrum, Coinomi, and Atomic wallets. It also goes after over 30 browsers and cryptocurrency applications, such as cold crypto wallets and browser extensions. The stealer is built using an unknown crypter, which makes debugging tedious. It uses multithreading to steal user data, creating over ten threads for faster execution and exfiltration.
“When users visit the link, the Threat Actor (TA) instructs them to download the malware hosted on the file hosting service. The malware file is zipped and password protected. To appear legitimate, the TA has shared a VirusTotal link of a clean file that is not related to the file available for download. The TA also tricks the users into disabling their antivirus for successful malware execution. The zip file contains an installer that drops the Pennywise stealer, executes it, and finally, the stealer exfiltrates the victim’s data to the C&C server,” the report says.
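The VirusTotal link in that lure only vouches for the hash it names, not for whatever archive the victim actually downloads. The following added example (not code from the article or from Cyble) shows the check a cautious user or analyst would run: pull the SHA-256 out of the shared VirusTotal GUI link and compare it with the hash of the downloaded bytes. The archive contents and the decoy link are constructed for the example.

```python
import hashlib
import re
from typing import Optional
from urllib.parse import urlparse

# VirusTotal file reports are addressed by the file's SHA-256:
#   https://www.virustotal.com/gui/file/<64 hex chars>[/detection]
_VT_HASH_RE = re.compile(r"^/gui/file/([0-9a-fA-F]{64})(?:/|$)")


def extract_vt_sha256(vt_url: str) -> Optional[str]:
    """Return the SHA-256 a VirusTotal GUI link refers to, or None if it is not a file report."""
    parsed = urlparse(vt_url)
    if parsed.netloc.lower() not in {"www.virustotal.com", "virustotal.com"}:
        return None
    match = _VT_HASH_RE.match(parsed.path)
    return match.group(1).lower() if match else None


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of the bytes that were actually downloaded."""
    return hashlib.sha256(data).hexdigest()


def vt_link_covers_download(download: bytes, vt_url: str) -> dict:
    """Decide whether the shared VirusTotal verdict applies to the downloaded bytes.

    A clean verdict for a different hash (the trick described in the report)
    says nothing about the archive in hand, so only an exact match passes.
    """
    claimed = extract_vt_sha256(vt_url)
    actual = sha256_bytes(download)
    return {
        "vt_sha256": claimed,
        "download_sha256": actual,
        "verdict_applies": claimed is not None and claimed == actual,
    }


if __name__ == "__main__":
    # Constructed sample: archive bytes and link are made up, not a real sample or report.
    downloaded_archive = b"PK\x03\x04 constructed archive bytes for the example"
    decoy_link = "https://www.virustotal.com/gui/file/" + "0" * 64 + "/detection"
    result = vt_link_covers_download(downloaded_archive, decoy_link)
    print(result)  # verdict_applies is False: the link is about some other file
```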
The malware targets the following browsers:
Once the browser path is obtained, the malware collects the username, machine name, system language, and timezone from the victim’s system. It retrieves the system language code using the CultureInfo class and obtains the graphics driver and processor names of the victim’s machine via a WMI query. It then builds a string from this data and computes an MD5 hash of it.
Pennywise tries to identify the victim’s country using the CultureInfo class and terminates its execution if the victim is based outside Russia, Ukraine, Belarus, and Kazakhstan. This could indicate that the TA is trying to avoid scrutiny by law enforcement agencies in those countries.