According to an article I just read, the malware Pennywise acts as a free bitcoin mining software, which is often advertised via a YouTube video. The threat it poses is that it steals browser data and information regarding crypto wallets.
The malware obtains the path to different web browsers it targets such as Chrome-based browsers, some Mozilla-based browsers, Opera, and Edge. It then grabs the username, machine name, system language, and time zone from the victim's machine and converts it to Russian Standard Time, saving everything in a hidden folder in the AppData/Local directory. It then tries to determine which kind of environment it's running in through anti-analysis and anti-detection tricks; it stops if it detects that it's running in a virtual machine.
Once all the relevant checks have been done by the malware, it starts multithreading for efficiency, with over 10 threads being created with each being in charge of a different operation. Apparently, the malware only steals RTF, DOC, DOCX, TXT, and JSON files less than 20kb, which are then saved in a hidden folder called grabber. It also steals all known browser data such as login credentials, cookies, encryption keys, and master passwords if it detects a browser it knows, along with Discord tokens and Telegram sessions, while screenshotting each of the user's screens. It also targets cryptocurrency-related extensions in Chrome-based browsers.
Next, the created registry is then queried in search of crypto wallets such as those belonging to Bitcoin, Litecoin, and Dash before targeting cold storage wallets such as Exodus, Electrum, Jaxx, Guarda, Coinomi, Zcash and Atomic Wallet. The wallet files are then stolen from a list of predefined folders.
Finally, once it collects all the relevant data, it compresses it and sends it over to an attacker-controlled server before it's deleted from the computer, which hides its tracks.
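A defender-side triage sketch for the staging behaviour described in the post, added here as an example and not taken from the post or the article it summarizes: it walks a directory tree (for example `%LOCALAPPDATA%`) looking for a folder named grabber that holds RTF, DOC, DOCX, TXT or JSON files under 20 KB. Reading "20kb" as 20 × 1024 bytes, the function names and the sample tree are assumptions.

```python
import os
import stat
from pathlib import Path

STAGING_DIR_NAME = "grabber"  # folder name given in the post
TARGET_EXTS = {".rtf", ".doc", ".docx", ".txt", ".json"}  # file types given in the post
MAX_SIZE = 20 * 1024  # "less than 20kb"; treating kb as 1024 bytes is an assumption


def is_hidden(path: Path) -> bool:
    """True if the Windows hidden attribute is set (always False on other OSes)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2))


def find_staging_dirs(root):
    """Report 'grabber' folders under root that hold small files of the targeted types."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() != STAGING_DIR_NAME:
            continue
        matches = sorted(
            f for f in filenames
            if Path(f).suffix.lower() in TARGET_EXTS
            and (d / f).stat().st_size < MAX_SIZE
        )
        if matches:
            hidden = is_hidden(d) or is_hidden(d.parent)
            findings.append({"path": str(d), "hidden": hidden, "files": matches})
    return findings


def build_constructed_sample(base):
    """Constructed test tree: one staging-like folder and one benign folder."""
    staged = Path(base) / "Local" / "a1b2c3" / "grabber"
    staged.mkdir(parents=True)
    (staged / "notes.txt").write_text("constructed sample")
    (staged / "wallet.json").write_text("{}")
    (staged / "big.docx").write_bytes(b"\0" * (MAX_SIZE + 1))  # over the limit, ignored
    benign = Path(base) / "Local" / "SomeApp" / "cache"
    benign.mkdir(parents=True)
    (benign / "settings.json").write_text("{}")  # right type, wrong folder, ignored
    return str(staged)


if __name__ == "__main__":
    for hit in find_staging_dirs(os.environ.get("LOCALAPPDATA", ".")):
        print(hit)
```

A hit is a lead for triage, not a verdict: legitimate software can also use a folder named grabber, so check the folder's creation time and contents before acting on it.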