Malicious Trojan Traps Victims Using Misleading YouTube Comments

A new malicious Trojan has been discovered, and the malware research group that found it has dubbed it Trojan.PWS.Stealer.23012. As the name reveals, this threat is a password stealer, and, once installed, it can record all kinds of sensitive information without the victim knowing about it at all. Unfortunately, there are hundreds and thousands of infections that can do that, and protecting the operating system is crucial to keeping virtual security intact. This new Trojan, however, is unique in the way it is distributed. It was discovered that this threat is spread via malicious links that are added to YouTube’s comment section. It is possible that the malicious link is spread using other platforms as well, but, for now, it appears that YouTube users are the main target. Without a doubt, every victim wants to remove Trojan.PWS.Stealer.23012, but, unfortunately, in some cases, it might be too late.


According to the latest research, the comments that carry the malicious link to the launcher of Trojan.PWS.Stealer.23012 might be out of context, which means that they might be automatically generated. If the comment does not correspond to the video or other comments, it should be obvious that it is misplaced and that it is not genuine, but users need to be cautious about more personalized comments as well. The rule of thumb is that if the comment includes a link, clicking on it is not recommended because such a link is a security risk that could lead anywhere. In this case, unfortunately, the link is malicious. If the user is tricked into clicking it, they are routed to Yandex Disk servers, where they are introduced to yet another link. This one points to a self-unpacking RAR SFX file that includes the launcher of the malicious Trojan. The threat is executed silently, and the victim is unlikely to notice it soon enough. Needless to say, if Trojan.PWS.Stealer.23012 is not deleted in time, it springs into action.
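A defender-side check for the delivery format described above, added here as an illustration and not taken from the original report: it tests whether a downloaded Windows executable carries a RAR archive appended after its PE image, which is how a RAR SFX file is laid out. The function names and the sample file are constructed for this example.

```python
import struct

RAR4_MARKER = b"Rar!\x1a\x07\x00"       # RAR 4.x archive signature
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x archive signature

def pe_overlay_offset(data: bytes):
    """Offset of data appended after the PE image, or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    end = table + num_sections * 40          # section headers are 40 bytes each
    if end > len(data):
        return None
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))

def classify_download(data: bytes) -> str:
    """Label a downloaded file by whether a RAR archive follows its PE image."""
    offset = pe_overlay_offset(data)
    if offset is None:
        return "not-pe"
    overlay = data[offset:]
    if RAR5_MARKER in overlay:
        return "rar5-sfx"
    if RAR4_MARKER in overlay:
        return "rar4-sfx"
    return "pe-no-rar-overlay"

def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed sample input: a minimal PE skeleton, not a real program."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    section = b".text\x00\x00\x00" + struct.pack("<IIII", 0x20, 0x1000, 0x20, 0x80)
    section += b"\x00" * 16
    return dos + coff + section + b"\x90" * 0x20 + overlay

if __name__ == "__main__":
    for name, blob in [("sfx", build_sample_pe(RAR5_MARKER + b"constructed")),
                       ("plain", build_sample_pe())]:
        print(name, classify_download(blob))
```

A match only shows that the file is a self-extracting RAR archive, which legitimate installers also use; it is a reason to inspect a file that arrived through an unsolicited link, not a verdict on its contents.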

As soon as the threat slithers in, it hijacks the cookies that are stored by the web browser (Amigo, Chrome, Dragon, Kometa, Opera, Orbitum, Torch, Vivaldi, or Yandex) to collect information. It also records the login data that is stored in the browser, so if the user’s passwords and usernames are saved to log them in automatically, all of them are stolen. It was also discovered that Trojan.PWS.Stealer.23012 copies the files that are located on the Desktop. These are the types of files that the threat records: .bak, .db, .doc, .docx, .jpg, .pdf, .png, .sql, .sqlite, .sqlite3, .txt, .xls, and .xml. When the information is recorded, it is stored in a file called “,” which is located in a newly created folder with random characters in its name (e.g., PG148892HQ8). The data is then sent to a C&C server, where cyber criminals can access it as they please. Unfortunately, they could use it to illegally impersonate the victims online and use their names to spread malware or gain access to sensitive (e.g., online banking) accounts.

This is not the first time that comments on YouTube have been used to spread malware. Back in 2009, Panda Security reported that 30,000 videos on the video-sharing platform contained malicious links designed to download malware. More recently, in 2015, F-Secure researchers found that comments placed by malicious parties were used by the actors behind the Janicab Trojan, who used them to hide IP addresses for the C&C servers. In this case, malicious software was used to connect to YouTube and convert random numbers to IP addresses that would then be used to send stolen information. This only proves how important it is to be cautious about random comments and links. All in all, YouTube is not the only platform that malicious parties could exploit. Facebook, Instagram, Twitter, and other popular social-networking platforms can be used in the same ways as well, which is why it is crucial to be vigilant and careful at all times.

N.B. Your first line of defense should be authentic and reliable anti-malware software. It can be extremely difficult to circumvent every single malicious link, ad, pop-up or downloader online, and so you need to be prepared for the time when you face them. If you need advice or help choosing the right security tool, do not hesitate to post a comment below.


Dr.WEB. March 26, 2018. Trojan.PWS.Stealer.23012. Dr.WEB.
FSLabs. April 22, 2015. Janicab Hides Behind Undocumented LNK Functionality. F-Secure Labs.
Panda Security Media Center. May 21, 2009. Almost 30,000 videos on YouTube contain comments with links to a malicious Web page, reports PandaLabs. PandaLabs.