
The cryptocurrency-stealing virus PennyWise spreads via YouTube

07-Jul-2022 By: Somesh Gaur

The malware scans your chat logs, steals your browser extension and login information, and targets Zcash and Ethereum wallets in addition to Electrum, Atomic Wallet, and Coinomi.

A new type of cryptocurrency malware is spreading through YouTube, luring users into downloading programmes that are intended to steal data from 30 different cryptocurrency wallets and browser extensions.

The spyware known as "PennyWise"—likely named after the creature in Stephen King's horror novel "It"—had been tracked since May, according to a blog post by cyber intelligence firm Cyble.

The malware steals Chromium and Mozilla browser data from the victim's PC, including login information and Bitcoin extension data. It can also steal sessions from chat programmes like Discord and Telegram and take screenshots.

According to Cyble, the malware also targets cold crypto-wallets that support Zcash and Ethereum by scanning the directory for wallet files and transmitting copies of those files to the attackers. These wallets include Armory, Bytecoin, Jaxx, Exodus, Electrum, Atomic Wallet, Guarda, and Coinomi.
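A defender can look for this sweep pattern in file-access telemetry: one process reading the data of several wallet products within a short time. The following is an added example, not code from Cyble or from the original article; the event tuple format, the thresholds and the rule that a wallet's data sits in a directory containing its product name are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Wallet names are from the article. Assumption: each wallet keeps its data in
# a directory whose name contains the product name (not a vendor-documented layout).
WALLETS = ("armory", "bytecoin", "jaxx", "exodus", "electrum", "atomic", "guarda", "coinomi")

def wallet_of(path):
    """Return the wallet product whose directory appears in `path`, else None."""
    for part in PureWindowsPath(path).parts[:-1]:      # directories only
        for name in WALLETS:
            if name in part.lower():
                return name
    return None

def flag_wallet_sweeps(events, min_wallets=3, window=60.0):
    """events: (epoch_seconds, pid, image_name, path_read) tuples.
    Returns {(pid, image_name): [wallets]} for processes that read data of at
    least `min_wallets` different wallets within `window` seconds."""
    hits = defaultdict(list)
    for ts, pid, image, path in events:
        wallet = wallet_of(path)
        # A wallet application reading its own store is expected behaviour.
        if wallet and wallet not in image.lower():
            hits[(pid, image)].append((ts, wallet))
    flagged = {}
    for key, seq in hits.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:   # slide the time window
                start += 1
            seen = {w for _, w in seq[start:end + 1]}
            if len(seen) >= min_wallets:
                flagged[key] = sorted(seen)
                break
    return flagged

# Constructed sample telemetry (paths and process names are made up).
ROAMING = r"C:\Users\a\AppData\Roaming"
SAMPLE_EVENTS = [
    (100.0, 4120, "Electrum.exe", ROAMING + r"\Electrum\wallets\default_wallet"),
    (101.0, 7788, "free_miner.exe", ROAMING + r"\Electrum\wallets\default_wallet"),
    (101.4, 7788, "free_miner.exe", ROAMING + r"\Exodus\exodus.wallet\seed.seco"),
    (102.0, 7788, "free_miner.exe", ROAMING + r"\Guarda\Local Storage\leveldb\000003.log"),
    (300.0, 9001, "backup.exe", ROAMING + r"\Electrum\config"),
    (900.0, 9001, "backup.exe", ROAMING + r"\Exodus\exodus.conf.json"),
]

if __name__ == "__main__":
    print(flag_wallet_sweeps(SAMPLE_EVENTS))
```

In the sample, the wallet application reading its own store and the slow two-wallet reader are ignored, while the process that touches three wallets in about a second is flagged.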

The cybersecurity firm warned that the infection is being propagated through YouTube mining tutorial videos that pose as offering free Bitcoin mining software.

The "threat actors," or online criminals, produce videos in which they direct viewers to click the link in the description and download the free software, while also enticing them to turn off their antivirus programmes, which allows the malware to run successfully.

As of June 30, according to Cyble, the attacker had up to 80 videos on their YouTube channel; however, the detected channel has since been deleted.

Similar links to the malware were identified on other, smaller YouTube channels, where videos advertised free NFT-mining, paid software cracks, free Spotify premium, and game mods and hacks. A lot of these accounts were only made in the last 24 hours.

A curious feature of the malware is that it is programmed to terminate itself if it determines that the victim is located in Russia, Ukraine, Belarus, or Kazakhstan. Additionally, Cyble discovered that when the malware sends the victim's stolen timezone data back to the attackers, it converts it to Russian Standard Time (RST).

In February, malware known as Mars Stealer was discovered to target cryptocurrency wallets that function as Chromium browser extensions, including MetaMask, Binance Chain Wallet, and Coinbase Wallet.

Even "low-skilled" cybercriminals are increasingly deploying malware to steal money from cryptocurrency hodlers, according to a January warning from Chainalysis. Cryptojacking accounted for 73% of the total value acquired by malware-related addresses between 2017 and 2021.
