Watch Out For That YouTube Link

Threat actors behind a banking trojan are using YouTube to hide their malicious activity. They upload legitimate videos to YouTube but place a command and control (C&C) server domain in the video description box. C&C servers keep communication going between the attackers and their victims' systems. Keeping this line of communication open is crucial for attackers to move laterally within networks.

What is Casbaneiro?

The malware used in this campaign is Casbaneiro, the sixth most used banking trojan in Latin America. This malware has also been seen in multiple instances by FireEye, Cisco, and enSilo. Like most malware, Casbaneiro uses social engineering techniques to get the victim to take an action that results in data theft/exfiltration.

The trojan gathers the username, computer name, OS version, and all installed antivirus software, and checks for installed banking software like Diebold Warsaw GAS Technologia or Trusteer on the victim’s network. Further, the trojan can take screenshots, take control of the mouse/keyboard, and download executables.

Researchers believe Casbaneiro is spread through malicious emails containing phishing links. The emails usually speak of urgency regarding financial institutions. Once the links are clicked, the payload installs the actual software and the malware. This method reduces any chance of suspicion.

C&C Server

The operators behind the trojan put a lot of thought into hiding the C&C server, and they use several methods to do so. The simplest method encrypts the domain, while the advanced method embeds the data in a document online, such as Google Docs.

Researchers at ESET discovered two YouTube channels embedding the C2 server domains in the description boxes. These channels focus on cooking and soccer, both popular topics in Latin America. The domain is located at the end of the description, and the link is embedded in a fake Facebook or Instagram URL.


Unfortunately, YouTube’s current policies and procedures do not check links that are located in the description box of videos. Further, the link can easily be missed, and visiting YouTube is not unusual enough to raise suspicion.



Image Credit: Bleepingcomputer