Morphisec Threat Labs researchers have discovered a stealthy loader known as "in2al5d p3in4er" (Invalid Printer), which distributes Aurora information stealer malware via YouTube videos.
The in2al5d p3in4er loader, created with Embarcadero RAD Studio, primarily targets endpoint workstations and uses an advanced anti-VM method. Aurora, an information stealer written in the Go programming language, first appeared on the threat scene in late 2022.
Using YouTube as a Distribution Platform Without Permission:
Aurora is commodity malware, offered to other threat actors, that is spread via bogus cracked-software download sites and YouTube videos. YouTube has become a popular distribution platform for threat actors aiming to deliver malware and gain access to sensitive data.
YouTube is one of the top choices for threat actors because of its widespread popularity. Attackers have found a new way of spreading malware: hijacking prominent YouTube accounts and publishing videos containing harmful links or downloads through those compromised accounts or channels.
The attackers also use specialized SEO tags to raise the visibility of these videos in search results, increasing the click-through rate (CTR).
Because stealing YouTube accounts is lucrative, threat actors openly market account-theft services on underground forums and markets. These services generate videos using artificial intelligence (AI), making it easier and faster to produce material that appears credible.
Victims who click on links in YouTube video descriptions are sent to phoney websites where they are tricked into installing malware disguised as legitimate software. These bogus websites use the following techniques to give the impression that they are genuine:
- Similar URLs
- Similar logos
- Similar branding
These spoof websites persuade visitors to download malware-infected programs and trick them into submitting sensitive or personal information.
Technical analysis:
According to Morphisec, the loader checks the vendor ID of the system's graphics card and terminates itself if the value does not match a list of permitted IDs, which includes:
- AMD
- Intel
- NVIDIA
Using a method known as "process hollowing," the loader decrypts the final payload and injects it into a legitimate process, "sihost.exe." The loader dynamically resolves every Windows API it needs, using the XOR key 'in2al5d p3in4er' to decrypt the API names, before injecting the final payload into that legitimate process.
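As an added illustration of how an analyst could put the quoted key to use during triage (example code written for this page, not Morphisec's tooling or the loader's own code), the scanner below searches a dumped data section for known Windows API names encrypted under that key. It assumes the key is applied as a repeating ASCII XOR key; the API list and the sample blob are constructed for the example.

```python
from typing import List, Tuple

# XOR key quoted in the Morphisec report (assumed to be applied as a repeating ASCII key)
KEY = b"in2al5d p3in4er"

# Win32 APIs typically needed for process hollowing; a triage list constructed
# for this example, not the loader's actual import set
KNOWN_APIS = [
    b"CreateProcessW", b"NtUnmapViewOfSection", b"VirtualAllocEx",
    b"WriteProcessMemory", b"GetThreadContext", b"SetThreadContext",
    b"ResumeThread",
]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_encrypted_apis(blob: bytes, key: bytes = KEY,
                        names=KNOWN_APIS) -> List[Tuple[int, str, int]]:
    """Return (offset, api_name, key_phase) for every known API name that
    appears in `blob` encrypted under `key`. All key phases are tried in case
    the loader XORs relative to the string's position rather than from key[0]."""
    hits = []
    for name in names:
        for phase in range(len(key)):
            rotated = key[phase:] + key[:phase]
            needle = xor_bytes(name, rotated)  # what the encrypted name looks like
            start = 0
            while (idx := blob.find(needle, start)) != -1:
                hits.append((idx, name.decode(), phase))
                start = idx + 1
    return sorted(hits)


def build_sample_blob() -> bytes:
    """Constructed stand-in for a dumped data section: two encrypted API names
    separated by filler bytes (each string XORed from key[0], i.e. phase 0)."""
    return (b"\x00" * 16
            + xor_bytes(b"VirtualAllocEx", KEY)
            + b"\xff" * 5
            + xor_bytes(b"WriteProcessMemory", KEY))


if __name__ == "__main__":
    for offset, api, phase in find_encrypted_apis(build_sample_blob()):
        print(f"offset 0x{offset:x}: {api} (key phase {phase})")
```

Pointing `find_encrypted_apis` at a real memory dump of the injected process, rather than the constructed blob, would reveal which hollowing APIs the sample resolves at runtime.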
The loader is built with Embarcadero RAD Studio, which generates executable files that run on several platforms and helps it evade detection by security software. Malware loaders such as in2al5d p3in4er are the foundation of an attack, providing the first point of contact between the attacker and the infected machine.
They are an important first stage in the delivery of more complex and devastating payloads. The threat actors behind the in2al5d p3in4er malware combine social engineering approaches with the malware itself to maximize their impact.
They target popular YouTube accounts in order to drive users to bogus, legitimate-looking websites. Educating staff to spot social engineering methods is critical to preventing attacks involving in2al5d p3in4er.