- Cybercriminals have coerced YouTube content creators into distributing the SilentCryptoMiner malware by filing fraudulent copyright claims
- Attackers have posed as developers of legitimate tools and threatened YouTubers with channel bans unless they share malicious links
- This campaign has resulted in over 2,000 infections, primarily in Russia, as reported by cybersecurity firm Kaspersky
Cybercriminals have exploited YouTube’s copyright claim system to blackmail content creators into disseminating the SilentCryptoMiner malware, according to security firm Kaspersky. By impersonating developers of legitimate software, these cybercriminals have threatened YouTubers with channel termination unless they include links to malicious files in their video descriptions. This tactic has led to thousands of infections, predominantly affecting users in Russia, and signals a shift in attacker methods.
Influential YouTubers Targeted
The attackers have targeted YouTubers who create tutorials on using Windows Packet Divert (WPD) tools, which are popular for bypassing internet restrictions in Russia. Posing as the original developers of these tools, the cybercriminals have filed bogus copyright claims against the creators’ videos. They have then contacted the creators, demanding that they replace legitimate download links with ones leading to malware-infected files, threatening channel bans under YouTube’s “three strikes” policy if they fail to comply.
One notable case involved a YouTube channel with 60,000 subscribers, where the creator uploaded videos containing links to a malicious archive hosted on a fraudulent website. These videos amassed over 400,000 views, and the malicious file was downloaded more than 40,000 times before the link was removed. According to Kaspersky’s analysis, this campaign has affected over 2,000 victims in Russia, though the actual number may be higher.
SilentCryptoMiner Employs Evasion Techniques
The distributed malware, SilentCryptoMiner, is a variant of the XMRig cryptocurrency miner. It is capable of mining multiple cryptocurrencies, including Monero (XMR) and Raptoreum (RTM). The malware employs various evasion techniques, such as disabling security protections and injecting itself into legitimate system processes to avoid detection. It also monitors active processes and suspends mining activity when security-related programs are running.
This campaign highlights a concerning evolution in cybercriminal tactics, where attackers exploit the trust between content creators and their audiences to spread malware. Leonid Bezvershenko, a security researcher at Kaspersky, noted, “This tactic of coercing influencers shows how cybercriminals are evolving.” By leveraging social platforms and coercing influencers, attackers create large-scale infection opportunities, underscoring the need for heightened vigilance among both content creators and consumers.
To mitigate such threats, content creators are advised to verify the legitimacy of copyright claims and download links before sharing them with their audience. Users should exercise caution when downloading software from unverified sources and maintain updated security solutions to detect and prevent malware infections.