https://www.csoonline.com/article/3693909/hard-to-detect-malware-loader-distributed-via-ai-generated-youtube-videos.html
HARD-TO-DETECT MALWARE LOADER DISTRIBUTED VIA AI-GENERATED YOUTUBE VIDEOS

The new malware loads the Aurora infostealer and can avoid being executed in virtual machines or sandboxes for analysis.

By Lucian Constantin, CSO Senior Writer | 18 April 2023 20:03

Security researchers warn of a new malware loader that is used as part of the infection chain for the Aurora information stealer. The loader uses anti-virtual-machine (VM) checks and unusual compilation techniques that appear to make it quite successful at evading detection by security products.

The Aurora infostealer is written in Go and operated as a malware-as-a-service platform advertised on Russian-language cybercrime forums. It started gaining popularity among cybercriminals at the end of last year because it is modular and, beyond its core function of stealing data and credentials from multiple web browsers, cryptocurrency wallets and local applications, can also be used as a downloader to deploy additional payloads.
AURORA INFOSTEALER DISTRIBUTED IN YOUTUBE VIDEOS

Cybercriminals distribute Aurora in multiple ways, but a recent trend has been to post AI-generated videos in the form of tutorials for installing cracked software and game hacks. This is a more general distribution trend for multiple infostealer programs and usually involves hijacking existing YouTube accounts and publishing a batch of five or six rogue videos at once. The YouTube accounts are taken over using credentials from older data breaches or credentials collected by the infostealer programs themselves.

The videos are generated using specialized AI-based video platforms such as D-ID or Synthesia and feature human personas going through a script that tells viewers to download the software from the link in the description. The attackers also use search engine optimization (SEO) techniques, adding many tags to the videos to make them reach a wider audience.

Researchers from security firm Morphisec recently investigated several such YouTube campaigns that led to Aurora infections. However, the first step in the infection chain was a new malware loader they dubbed "in2al5d p3in4er," after a string used as a decryption key in its code. The p3in4er loader is the executable that users are offered to download from the websites posted in the rogue descriptions of the YouTube tutorial videos. These websites were generated with a service that creates clones of legitimate websites, reusing all the branding elements, application logos and icons to make them more credible.

MALWARE LOADER ABLE TO DETECT VIRTUAL MACHINES

P3in4er has an unusually low detection rate on VirusTotal and is especially good at evading solutions that execute files in virtual machines or sandboxes to observe their behavior. That is because the malicious executable uses the CreateDXGIFactory function of the dxgi.dll library to enumerate the system's graphics adapters and read the vendor ID of the graphics card present on the system.
The code then checks whether these vendor IDs match Nvidia, AMD or Intel, and if they do not, the code stops executing. In other words, this is essentially a way to check whether the system has a physical graphics card, because virtual machines and sandboxes typically do not: they usually expose a virtual or software display adapter whose vendor ID belongs to the hypervisor vendor rather than to a GPU maker.

If the check passes, the malware uses a process hollowing technique to inject malicious code chunks into sihost.exe (Microsoft's Shell Infrastructure Host), the Morphisec researchers said. "During the injection process, all loader samples resolve the necessary Win APIs dynamically and decrypt these names using a XOR key: in2al5d p3in4er (invalid printer)."

Finally, another unusual characteristic of this loader is that it was built with Embarcadero RAD Studio, an integrated development environment for writing native cross-platform applications. The various samples show that the creators are experimenting with compilation options in RAD Studio. "Those with the lowest detection rate on VirusTotal are compiled using 'BCC64.exe,' a new Clang based C++ compiler from Embarcadero," the researchers said. "This compiler uses a different code base such as 'Standard Library' (Dinkumware) and 'Runtime Library' (compiler-rt) and generates optimized code which changes the entry point and execution flow. This breaks security vendors' indicators, such as signatures composed from malicious/suspicious code block."

The Morphisec report contains file hashes and other indicators of compromise. Even though this loader currently has a low detection rate, the first defense against such attacks is not falling for the social engineering in the first place. Companies should train employees to spot unusual URLs and fake websites and, of course, never to download cracked software or game hacks, even onto a personal computer that is also used for work. Teams that rely on sandbox detonation should also note that the anti-VM check keys on the reported GPU vendor: an analysis VM that exposes only a virtual display adapter will never see the loader proceed to its second stage.
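The GPU-vendor gate described above, reconstructed as an added example. This is illustrative code written for this page, not the loader's own code and not from the Morphisec report. The decision function accepts the PCI vendor IDs 0x10DE (NVIDIA), 0x1002 (AMD) and 0x8086 (Intel); on Windows the adapters are enumerated through the DXGI factory's EnumAdapters/GetDesc, the standard path from CreateDXGIFactory to a vendor ID (the report names only CreateDXGIFactory). The virtual-adapter vendor IDs (0x1414 Microsoft Basic Render Driver, 0x15AD VMware, 0x80EE VirtualBox) and the non-Windows sample input are constructed for the offline run.

```c
#include <stdio.h>
#include <stddef.h>

/* PCI vendor IDs of the three GPU makers the loader accepts. */
#define VENDOR_NVIDIA 0x10DE
#define VENDOR_AMD    0x1002
#define VENDOR_INTEL  0x8086

/* Vendor IDs typically reported by virtual or software display adapters.
   Used here only as constructed sample input for the offline run. */
#define VENDOR_MICROSOFT 0x1414   /* Microsoft Basic Render Driver (WARP), e.g. Hyper-V guests */
#define VENDOR_VMWARE    0x15AD   /* VMware SVGA adapter */
#define VENDOR_VBOX      0x80EE   /* VirtualBox graphics adapter */

/* The loader's decision as the article describes it: continue only if at least one
   enumerated adapter belongs to NVIDIA, AMD or Intel; otherwise stop executing. */
int loader_would_run(const unsigned int *vendor_ids, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (vendor_ids[i] == VENDOR_NVIDIA || vendor_ids[i] == VENDOR_AMD ||
            vendor_ids[i] == VENDOR_INTEL)
            return 1;
    }
    return 0;
}

#ifdef _WIN32
#define COBJMACROS
#include <windows.h>
#include <initguid.h>   /* defines IID_IDXGIFactory in this translation unit */
#include <dxgi.h>       /* link with dxgi.lib */

/* Enumerate adapters through DXGI the way the loader obtains the vendor ID:
   CreateDXGIFactory -> EnumAdapters -> GetDesc -> DXGI_ADAPTER_DESC.VendorId.
   Returns the number of vendor IDs written to out (at most max). */
size_t enumerate_gpu_vendors(unsigned int *out, size_t max)
{
    IDXGIFactory *factory = NULL;
    size_t n = 0;
    if (FAILED(CreateDXGIFactory(&IID_IDXGIFactory, (void **)&factory)))
        return 0;
    for (UINT i = 0; n < max; i++) {
        IDXGIAdapter *adapter = NULL;
        DXGI_ADAPTER_DESC desc;
        if (IDXGIFactory_EnumAdapters(factory, i, &adapter) == DXGI_ERROR_NOT_FOUND)
            break;
        if (SUCCEEDED(IDXGIAdapter_GetDesc(adapter, &desc)))
            out[n++] = desc.VendorId;
        IDXGIAdapter_Release(adapter);
    }
    IDXGIFactory_Release(factory);
    return n;
}
#endif

int main(void)
{
    unsigned int ids[8];
    size_t n;
#ifdef _WIN32
    n = enumerate_gpu_vendors(ids, 8);
#else
    /* Constructed sample: a sandbox that exposes only the Microsoft Basic Render Driver. */
    ids[0] = VENDOR_MICROSOFT;
    n = 1;
#endif
    for (size_t i = 0; i < n; i++)
        printf("adapter %zu: vendor 0x%04X\n", i, ids[i]);
    printf("loader check: %s\n",
           loader_would_run(ids, n) ? "PASS (loader would execute)" : "FAIL (loader would exit)");
    return 0;
}
```

Run the Windows build inside the detonation VM to see what the loader sees: if the only adapter is the Basic Render Driver, the sample exits before sihost.exe is ever touched, which is why GPU passthrough or a display driver that reports a GPU-maker vendor ID matters for sandbox coverage of this family.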
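A triage helper for the API-name decryption the quote describes, as an added example; it is not the loader's code and not from the Morphisec report. It assumes, since the report names the key but not the keystream layout, that each API name is stored as bytes XORed with the 15-byte key "in2al5d p3in4er" repeated, and it scans a blob for bytes that decrypt to the names of APIs a process-hollowing loader must resolve, brute-forcing the key alignment at every offset. The sample blob and the list of hollowing APIs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* The XOR key quoted in the Morphisec report ("invalid printer" in leetspeak). */
static const unsigned char KEY[] = "in2al5d p3in4er";
#define KEY_LEN (sizeof(KEY) - 1)   /* 15 bytes; the NUL is not part of the key */

/* APIs a process-hollowing loader typically resolves (constructed list for the scan). */
static const char *const HOLLOWING_APIS[] = {
    "NtUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory",
    "SetThreadContext", "ResumeThread", "CreateProcessA",
};
#define N_APIS (sizeof(HOLLOWING_APIS) / sizeof(HOLLOWING_APIS[0]))

struct hit { size_t offset; size_t phase; size_t name_idx; };

/* XOR buf in place with the key repeated from key offset `phase`.
   Assumption: repeating-key XOR. XOR is self-inverse, so this both builds
   the encrypted sample and decrypts it. */
void xor_with_key(unsigned char *buf, size_t len, size_t phase)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= KEY[(phase + i) % KEY_LEN];
}

/* Does blob[off..] decrypt to `name` when the key is applied from `phase`? */
static int matches_at(const unsigned char *blob, size_t off, const char *name, size_t phase)
{
    for (size_t i = 0; name[i]; i++)
        if ((blob[off + i] ^ KEY[(phase + i) % KEY_LEN]) != (unsigned char)name[i])
            return 0;
    return 1;
}

/* Try every known name and every key alignment at one blob offset. */
static int find_at_offset(const unsigned char *blob, size_t len, size_t off, struct hit *h)
{
    for (size_t j = 0; j < N_APIS; j++) {
        size_t name_len = strlen(HOLLOWING_APIS[j]);
        if (name_len > len - off) continue;
        for (size_t phase = 0; phase < KEY_LEN; phase++) {
            if (matches_at(blob, off, HOLLOWING_APIS[j], phase)) {
                h->offset = off; h->phase = phase; h->name_idx = j;
                return 1;
            }
        }
    }
    return 0;
}

/* Scan a blob for encrypted hollowing API names; returns the number of hits written. */
size_t scan_blob(const unsigned char *blob, size_t len, struct hit *hits, size_t max_hits)
{
    size_t n = 0, off = 0;
    while (off < len && n < max_hits) {
        if (find_at_offset(blob, len, off, &hits[n])) {
            off += strlen(HOLLOWING_APIS[hits[n].name_idx]);  /* skip past the matched name */
            n++;
        } else {
            off++;
        }
    }
    return n;
}

/* Constructed sample: 5 zero bytes, NtUnmapViewOfSection encrypted from key offset 0,
   3 zero bytes, then WriteProcessMemory encrypted from key offset 4 (46 bytes total). */
size_t build_sample_blob(unsigned char *out, size_t cap)
{
    const size_t total = 5 + 20 + 3 + 18;
    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out + 5, "NtUnmapViewOfSection", 20);
    xor_with_key(out + 5, 20, 0);
    memcpy(out + 28, "WriteProcessMemory", 18);
    xor_with_key(out + 28, 18, 4);
    return total;
}

int main(void)
{
    unsigned char blob[64];
    struct hit hits[8];
    size_t len = build_sample_blob(blob, sizeof blob);
    size_t n = scan_blob(blob, len, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("offset %2zu  key phase %2zu  %s\n",
               hits[i].offset, hits[i].phase, HOLLOWING_APIS[hits[i].name_idx]);
    return 0;
}
```

Pointing scan_blob at a section dumped from a real sample instead of the constructed blob tells you in seconds whether the XOR layout assumption holds; if it does, the decrypted names and their offsets become usable signature material that survives the compiler changes the researchers describe, because the encrypted strings do not change when the code around them is recompiled.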
Lucian Constantin is a senior writer at CSO, covering information security, privacy, and data protection.

Copyright © 2023 IDG Communications, Inc.