This article covers a malware campaign discovered by CloudSEK and investigated by Morphisec. The attackers use YouTube to distribute cracked software bundled with malicious links. We describe how the malicious downloader works and the evasion techniques it uses.
In mid-March, we discussed the malware campaign uncovered by CloudSEK in general terms. The attackers posted instructions for cracking popular software such as Photoshop, Premiere Pro, 3ds Max, and AutoCAD on the YouTube video hosting platform, accompanied by malicious links.
Morphisec cybersecurity researchers investigated the same campaign and detailed how a malicious downloader called "in2al5d p3in4er" (pronounced "invalid printer") works. The downloader is utilized by the attackers to distribute the Aurora infostealer, a Go-based information stealer that surfaced in the wild (ITW) in late 2022.
As we previously reported, the attackers use hijacked or "deceptive" YouTube channels with large subscriber counts, and the videos feature avatars narrated by a robotic, program-generated voice. Besides videos that lead to password-protected archives hosted on legitimate file-sharing services such as MediaFire, in some cases the YouTube links lead to phishing sites offering a catalog of cracked software, as the researchers note.
According to Morphisec, the loader uses a very simple but highly effective evasion technique. It queries the vendor ID of the installed video card and compares it against an allowlist of NVIDIA, AMD, and Intel vendor IDs. If the vendor ID does not match one of the allowlisted values, the loader behaves like a benign application and exits.
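Because the loader exits whenever the video controller does not report one of those three vendors, an analysis VM that exposes a hypervisor display adapter will never reach the payload. The following added example (not Morphisec's or the loader's code) is a sandbox self-audit that parses Windows PNPDeviceID strings, as reported by Win32_VideoController, and flags environments that would fail such a check. The vendor-to-ID mapping uses the public PCI vendor IDs; the sample PNPDeviceID strings are constructed for the demo.

```python
import re

# Public PCI vendor IDs for the three vendors named in the article.
# Assumption: the loader's allowlist corresponds to these vendors; the exact
# constants it compares are not given on the page.
REAL_GPU_VENDORS = {0x10DE: "NVIDIA", 0x1002: "AMD", 0x8086: "Intel"}

# Vendor IDs typically exposed by hypervisor display adapters.
HYPERVISOR_VENDORS = {
    0x15AD: "VMware",
    0x80EE: "VirtualBox",
    0x1234: "QEMU/Bochs VGA",
    0x1AF4: "Red Hat virtio",
}

_VEN_RE = re.compile(r"VEN_([0-9A-Fa-f]{4})")


def parse_vendor_id(pnp_device_id: str):
    """Extract the PCI vendor ID from a PNPDeviceID such as
    'PCI\\VEN_10DE&DEV_1C82&...'. Returns None for non-PCI adapters
    (e.g. 'ROOT\\DISPLAY\\0000', the basic display adapter)."""
    match = _VEN_RE.search(pnp_device_id)
    return int(match.group(1), 16) if match else None


def audit_video_controllers(pnp_device_ids):
    """Classify each adapter as 'real-gpu', 'hypervisor' or 'unknown'."""
    report = []
    for pnp_id in pnp_device_ids:
        vendor = parse_vendor_id(pnp_id)
        if vendor in REAL_GPU_VENDORS:
            verdict = "real-gpu"
        elif vendor in HYPERVISOR_VENDORS:
            verdict = "hypervisor"
        else:
            verdict = "unknown"
        report.append((pnp_id, vendor, verdict))
    return report


def would_pass_gpu_check(pnp_device_ids) -> bool:
    """True if at least one adapter reports an allowlisted GPU vendor,
    i.e. the loader would proceed instead of exiting in this environment."""
    return any(v == "real-gpu" for _, _, v in audit_video_controllers(pnp_device_ids))


# Constructed sample inputs: a VMware-backed analysis VM and a physical workstation.
SAMPLE_SANDBOX = ["PCI\\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\\3&11583659&0&78",
                  "ROOT\\DISPLAY\\0000"]
SAMPLE_WORKSTATION = ["PCI\\VEN_10DE&DEV_1C82&SUBSYS_00000000&REV_A1\\4&1A2B3C4D&0&0008"]
```

On a live Windows host, feed the function the PNPDeviceID values from `Get-CimInstance Win32_VideoController`; a sandbox that reports only "hypervisor" or "unknown" adapters needs its virtual display hardware adjusted before it can observe this loader's later stages.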
Otherwise, in2al5d p3in4er decrypts the final payload and injects it into the legitimate "sihost.exe" process using process hollowing. Alternatively, certain loader instances write the decrypted payload to allocated memory and then call it from there.
Another important aspect of the loader is that it is compiled with Embarcadero RAD Studio, which helps in2al5d p3in4er avoid detection. The loader can also bypass sandboxes and virtual machines.
Apparently, the attackers behind this loader continue to be very successful with their social engineering methods, since malicious videos are still available on YouTube. Furthermore, even VirusTotal frequently fails to recognize in2al5d p3in4er as a threat. Thus, the only genuine protection against this malware is to completely abstain from downloading cracked software.