Google’s Threat Analysis Group tracks actors involved in disinformation campaigns, government backed hacking, and financially motivated abuse. Since late 2019, our team has disrupted financially motivated phishing campaigns targeting YouTubers with Cookie Theft malware.
The actors behind this campaign, which we attribute to a group of hackers recruited in a Russian-speaking forum, lure their target with fake collaboration opportunities (typically a demo for anti-virus software, VPN, music players, photo editing or online games), hijack their channel, then either sell it to the highest bidder or use it to broadcast cryptocurrency scams.
In collaboration with YouTube, Gmail, Trust & Safety, CyberCrime Investigation Group and Safe Browsing teams, our protections have decreased the volume of related phishing emails on Gmail by 99.6% since May 2021. We blocked 1.6M messages to targets, displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts. With increased detection efforts, we’ve observed attackers shifting away from Gmail to other email providers (mostly email.cz, seznam.cz, post.cz and aol.com). Moreover, to protect our users, we have referred the below activity to the FBI for further investigation.
In this blog, we share examples of the specific tactics, techniques and procedures (TTPs) used to lure victims, as well as some guidance on how users can further protect themselves.
Tactics, techniques and procedures
Cookie Theft, also known as “pass-the-cookie attack,” is a session hijacking technique that enables access to user accounts with session cookies stored in the browser. While the technique has been around for ” mode in your Chrome browser, a feature that increases warnings on potentially suspicious web pages & files.
Additional resources: Avoid & Report Phishing Emails.
Technical Details
Related Malware hashes:
- RedLine (commodity)
- c8b42437ffd8cfbbe568013eaaa707c212a2628232c01d809a3cf864fe24afa8
- 501fe2509581d43288664f0d2825a6a47102cd614f676bf39f0f80ab2fd43f2c
- c8b42437ffd8cfbbe568013eaaa707c212a2628232c01d809a3cf864fe24afa8
- Vidar (commodity)
- 9afc029ac5aa525e6fdcedf1e93a64980751eeeae3cf073fcbd1d223ab5c96d6
- Kantal (share code similarity with Vidar)
- F59534e6d9e0559d99d2b3a630672a514dbd105b0d6fc9447d573ebd0053caba (zip archive)
- Edea528804e505d202351eda0c186d7c200c854c41049d7b06d1971591142358 (unpacked sample)
- Predator The Thief (commodity)
- 0d8cfa02515d504ca34273d8cfbe9d1d0f223e5d2cece00533c48a990fd8ce72 (zip archive)
- Sorano (open source)
- c7c8466a66187f78d953c64cbbd2be916328085aa3c5e48fde6767bc9890516b
- Nexus stealer (commodity)
- ed8b2af133b4144bef2b89dbec1526bf80cc06fe053ece1fa873f6bd1e99f0be
- efc88a933a8baa6e7521c8d0cf78c52b0e3feb22985de3d35316a8b00c5073b3
- Azorult (commodity)
- 8cafd480ac2a6018a4e716a4f9fd1254c4e93501a84ee1731ed7b98b67ab15dd
- Raccoon (commodity)
- 85066962ba1e8a0a8d6989fffe38ff564a6cf6f8a07782b3fbc0dcb19d2497cb
- Grand Stealer (commodity)
- 6359d5fa7437164b300abc69c8366f9481cb91b7558d68c9e3b0c2a535ddc243
- Vikro Stealer (commodity)
- 04deb8d8aee87b24c7ba0db55610bb12f7d8ec1e75765650e5b2b4f933b18f6d
- Masad (commodity)
- 6235573d8d178341dbfbead7c18a2f419808dc8c7c302ac61e4f9645d024ed85
- AdamantiumThief (open source)
- Db45bb99c44a96118bc5673a7ad65dc2a451ea70d4066715006107f65d906715
Top Phishing Domains:
- pro-swapper[.]com
- downloadnature[.]space
- downloadnature[.]com
- fast-redirect[.]host
- bragi-studio[.]com
- plplme[.]site
- fenzor[.]com
- universe-photo[.]com
- rainway-gaming[.]com
- awaken1337[.]xyz
- pixelka[.]fun
- vortex-cloudgaming[.]com
- vontex[.]tech
- user52406.majorcore[.]space
- voneditor[.]tech
- spaceditor[.]space
- roudar[.]com
- peoplep[.]site
- anypon[.]online
- zeneditor[.]tech
- yourworld[.]site
- playerupbo[.]xyz
- dizzify[.]me
Source : Phishing campaign targets YouTube creators with cookie theft malware
