Cybercriminals using fake YouTube video downloaders to install proxyjacking malware

  • Marijan Hassan - Tech Journalist
  • Aug 18
  • 2 min read

A recent report from the AhnLab Security Intelligence Center (ASEC) has shed light on a new and growing trend in cybercrime: the use of fake YouTube video downloaders to secretly install "proxyjacking" malware. This scheme targets users seeking free tools, turning their computers into unwitting participants in a malicious network and exploiting their internet bandwidth for profit.

How it works

Threat actors, who appear to be financially motivated, distribute links to these fake downloader sites through search engine optimization (SEO) poisoning, ensuring the sites rank high in search results when users look for terms like "YouTube video downloader."


Once a user visits one of these sites, they are prompted to enter a YouTube video URL and then click a "Download Now" button. Instead of receiving a video file, they are redirected to an ad-laden page or a direct download link for malware.


The malicious file, often disguised as a seemingly harmless application like "QuickScreenRecorder.exe," is actually a proxyware installer.


The proxyware installed by this campaign is most often from services like DigitalPulse or Honeygain. These are legitimate-looking "proxyware" services that allow users to get paid for sharing their internet bandwidth with others. However, in this case, the malware installs the software without the user's consent, and the cybercriminals pocket all the earnings.


Why is this dangerous?

This type of attack, known as "proxyjacking," is gaining traction because it's a low-profile, high-reward enterprise for cybercriminals.


Unlike more visible attacks like ransomware or cryptojacking, which can cause systems to slow down or even crash, proxyjacking malware is designed to be stealthy. It leaves a minimal CPU footprint and instead hijacks network resources, making it difficult for the average user to detect.
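The low-CPU, high-network profile described above is exactly what an endpoint triage heuristic should key on. The following is an added example, not code from the article or from ASEC: it scores constructed per-process telemetry (as a defender might export from an EDR or from periodic sampling of a host) on two independent signals, the service and disguise names the article mentions (DigitalPulse, Honeygain, "QuickScreenRecorder.exe") and sustained outbound traffic with little CPU. The process names, byte counts and thresholds are assumptions chosen for illustration.

```python
"""Added example (not from the ASEC report or this article): an endpoint
triage heuristic for proxyjacking. Proxyware keeps its CPU footprint small,
so CPU-based monitoring misses it; per-process egress accounting does not.

All telemetry below is constructed. The lowercase name markers are an
assumption about how the services named in the article might show up as
process or file names on a host."""

from __future__ import annotations
from dataclasses import dataclass

# Proxyware services named in the article (marker substrings are assumptions).
KNOWN_PROXYWARE_MARKERS = ("honeygain", "digitalpulse")

# Filename the article cites as a disguise for the installer.
SUSPICIOUS_INSTALLER_NAMES = ("quickscreenrecorder.exe",)


@dataclass
class ProcessSample:
    pid: int
    name: str
    cpu_pct: float   # average CPU over the sampling window
    bytes_out: int   # bytes sent over the sampling window
    window_s: int    # length of the window in seconds


def egress_kbps(p: ProcessSample) -> float:
    """Average outbound rate in kilobits per second over the window."""
    return p.bytes_out * 8 / 1000 / p.window_s


def classify(p: ProcessSample, min_kbps: float = 200.0, max_cpu: float = 5.0) -> list[str]:
    """Return the reasons a process looks like proxyware; empty means clean.

    Signal 1 (name-based): matches a service or disguise name from the article.
    Signal 2 (behaviour-based): sustained egress at or above min_kbps while CPU
    stays at or below max_cpu, the stealth profile the article attributes to
    proxyjacking. Thresholds are illustrative assumptions; tune per fleet.
    """
    reasons: list[str] = []
    lname = p.name.lower()
    if any(marker in lname for marker in KNOWN_PROXYWARE_MARKERS):
        reasons.append("known-proxyware-name")
    if lname in SUSPICIOUS_INSTALLER_NAMES:
        reasons.append("known-disguise-name")
    if egress_kbps(p) >= min_kbps and p.cpu_pct <= max_cpu:
        reasons.append("low-cpu-high-egress")
    return reasons


def triage(samples: list[ProcessSample]) -> dict[int, list[str]]:
    """Map pid -> reasons for every process that trips at least one signal."""
    return {p.pid: r for p in samples if (r := classify(p))}


# Constructed sample telemetry over a 300 s window (not real data).
SAMPLES = [
    ProcessSample(1201, "chrome.exe", 12.0, 40_000_000, 300),             # browser: busy CPU and heavy traffic
    ProcessSample(2240, "QuickScreenRecorder.exe", 0.8, 150_000_000, 300),  # disguised installer, near-idle CPU
    ProcessSample(2301, "honeygain.exe", 1.2, 90_000_000, 300),            # proxyware client
    ProcessSample(3100, "notepad.exe", 0.1, 2_000, 300),                   # idle, benign
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLES).items():
        print(pid, reasons)
```

The browser in the sample pushes more traffic than the proxyware client but is not flagged, because its CPU usage is consistent with a user-driven workload; the point of the second signal is the combination of high egress with an idle-looking process, not either measure alone. In practice the egress threshold would be set from a baseline of the fleet and the name list fed from current threat intelligence rather than hard-coded.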


The stolen bandwidth is then sold to legitimate-looking proxy networks. The victims' devices become part of a large, anonymous network of IP addresses that can be used for various purposes, including web scraping, bypassing geographic restrictions, and even conducting other, more sophisticated cyberattacks.


The bigger picture

This campaign is yet another example of cybercriminals leveraging social engineering and common user behavior to distribute malware.


The lure of "free": The attackers capitalize on the universal desire for free software and content. By offering a "free" service, they create a perfect opportunity to bypass the user's better judgment.


Abuse of legitimate services: The fact that the attackers are using legitimate proxyware services highlights a complex and ethically murky area of the internet. While the services themselves are not malicious, their business model makes them an attractive target for abuse.


The supply chain of crime: The use of compromised websites, fake installers on GitHub, and redirect services shows a well-organized and modular approach to cybercrime. Threat actors can easily swap out different components of their attack chain to evade detection and continue their operations.


AhnLab has urged users to be extremely cautious about downloading executable files from unofficial and suspicious websites.
