- Some YouTube channels with malicious intent trick people into downloading PennyWise malware.
- It comes as a password-protected .zip file accompanied by a link to a misleading VirusTotal page.
- It steals all kinds of data, from system information and login credentials to crypto wallets and crypto browser extensions, and then removes all possible traces of itself.
The dark web and cybercrime monitoring company Cyble published a blog post reporting that it had found a new malware strain named PennyWise, likely named after the monster in Stephen King’s horror novel It. The malware steals system information, login credentials, crypto wallets, and crypto browser extensions, and then self-destructs.
It disguises itself as free Bitcoin mining software
According to Cyble, PennyWise was developed recently and is disguised as free Bitcoin mining software. Its creators publish videos on YouTube whose descriptions contain the download link. When a user clicks the link, the malware is downloaded from a hosting service.
The malware file is zipped and password protected. The attackers also include a VirusTotal link for a clean file unrelated to the file offered for download. Both steps are intended to make the file look legitimate. PennyWise has another trick: the video instructs users to disable their malware protection if any problems occur while running the file. So far, the YouTube channel used to spread the malware hosts over 80 such videos.
The malware steals data from Chromium- and Mozilla-based browsers. It also steals Discord tokens and Telegram sessions, and takes screenshots along the way. It mainly targets cold crypto wallets such as Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic Wallet, Guarda, and Coinomi.
The malware also targets crypto extensions in Chromium-based browsers to loot their data. More interestingly, it tries to determine the victim’s location using the CultureInfo class and ends its operation if the victim is based outside the following countries: Russia, Ukraine, Belarus, and Kazakhstan. Once data has been stolen from the victim’s machine, it is compressed into a folder; the malware then deletes the folder and removes all traces of its activity.