lconstantin
CSO Senior Writer

Hard-to-detect malware loader distributed via AI-generated YouTube videos

News Analysis
Apr 18, 2023 | 4 mins
Cybercrime, Malware

The new malware loads the Aurora infostealer and can avoid being executed in virtual machines or sandboxes for analysis.

Security researchers warn of a new malware loader that’s used as part of the infection chain for the Aurora information stealer. The loader uses anti-virtual-machine (VM) and unusual compilation techniques that seem to make it quite successful at avoiding detection by security solutions.

The Aurora infostealer is written in Go and is operated as a malware-as-a-service platform that’s advertised on Russian-language cybercrime forums. It started gaining popularity among cybercriminals at the end of last year because it is modular and can also be used as a malware downloader to deploy additional payloads in addition to its core functionality of stealing data and credentials from multiple web browsers, cryptocurrency wallets, and local applications.

Aurora infostealer distributed in YouTube videos

Cybercriminals distribute Aurora in multiple ways, but a recent trend has been to post AI-generated videos in the form of tutorials for installing cracked software and game hacks. This is a more general distribution trend for multiple infostealer programs and usually involves hacking into existing YouTube accounts and publishing a batch of five or six rogue videos immediately. The YouTube accounts are taken over using credentials from older data breaches or collected by the infostealer programs themselves. The videos are generated using specialized AI-based video platforms like D-ID or Synthesia and involve human personas going through a script and telling users to download the software from the link in the description. The attackers also use search engine optimization (SEO) techniques by adding a lot of tags to the videos to make them reach a wider audience.

Researchers from security firm Morphisec recently investigated several such YouTube campaigns that led to Aurora infections. However, the first step in the infection chain was a new malware loader they dubbed “in2al5d p3in4er,” after a string that’s used as a decryption key in its code.

The p3in4er loader is the executable that users are offered to download from the websites posted in the rogue descriptions of the YouTube tutorial videos. These websites were generated with a service that can create clones of legitimate websites, using all the branding elements and application logos and icons to make them more credible.

Malware loader able to detect virtual machines

P3in4er has an unusually low detection rate on VirusTotal and is especially good at evading solutions that execute files in virtual machines or sandboxes to observe their behavior. That’s because the malicious executable uses the CreateDXGIFactory function of the dxgi.dll library to extract the vendor ID of the graphics card that exists on the system. The code then checks if these vendor IDs match Nvidia, AMD or Intel and if they don’t, the code stops executing. In other words, this is essentially a way to check if the system has a physical graphics card or not, because virtual machines and sandboxes typically don’t.

If the check passes, the malware will use a process hollowing technique to inject malicious code chunks into sihost.exe (Microsoft’s Shell Infrastructure Host), the Morphisec researchers said. “During the injection process, all loader samples resolve the necessary Win APIs dynamically and decrypt these names using a XOR key: in2al5d p3in4er (invalid printer).”
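As an added example (not code from the article or from the Morphisec report), the following triage helper shows how an analyst could scan a dumped sample for Windows API names that are XOR-encrypted with the reported key "in2al5d p3in4er". The report does not describe the exact XOR scheme, so the helper assumes a repeating key and tries every key rotation to cope with unknown alignment; the API name list and the sample blob are constructed for the demonstration.

```python
"""
Triage helper for XOR-encrypted API name strings (added example).
Assumes repeating-key XOR; the API names and sample blob are constructed.
"""
from itertools import cycle

XOR_KEY = b"in2al5d p3in4er"  # key quoted in the Morphisec findings

# API names a loader typically resolves at run time for process hollowing.
# This list is an assumption for the example, not taken from the report.
API_NAMES = [
    b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread",
    b"NtUnmapViewOfSection", b"ResumeThread", b"LoadLibraryA",
]


def xor_bytes(data: bytes, key: bytes, key_offset: int = 0) -> bytes:
    """Repeating-key XOR, starting at the given position within the key."""
    rotated = key[key_offset:] + key[:key_offset]
    return bytes(b ^ k for b, k in zip(data, cycle(rotated)))


def find_encrypted_api_names(blob: bytes, key: bytes = XOR_KEY,
                             names=API_NAMES) -> list[tuple[int, str, int]]:
    """Return (blob_offset, api_name, key_rotation) for every known API
    name that occurs in blob encrypted under some rotation of key."""
    hits = []
    for name in names:
        for key_offset in range(len(key)):
            needle = xor_bytes(name, key, key_offset)
            start = blob.find(needle)
            while start != -1:
                hits.append((start, name.decode(), key_offset))
                start = blob.find(needle, start + 1)
    return sorted(hits)


def build_sample_blob() -> bytes:
    """Constructed sample: three NUL-separated API names encrypted from a
    misaligned key position and padded with unrelated bytes, imitating an
    encrypted string table inside a binary."""
    plain = b"WriteProcessMemory\x00NtUnmapViewOfSection\x00ResumeThread\x00"
    return b"\x90" * 7 + xor_bytes(plain, XOR_KEY, 5) + b"\xcc" * 4


if __name__ == "__main__":
    for offset, name, rotation in find_encrypted_api_names(build_sample_blob()):
        print(f"offset {offset:4d}  key rotation {rotation:2d}  {name}")
```

Running the scanner over a real sample's data section would surface the decrypted import names without executing the binary, which is useful precisely because the loader refuses to run inside a sandbox.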

Finally, another unusual characteristic of this loader is that it was generated using Embarcadero RAD Studio, an integrated development environment for writing native cross-platform applications. The various samples showed that the creators are experimenting with compiling options from RAD Studio.

“Those with the lowest detection rate on VirusTotal are compiled using ‘BCC64.exe,’ a new Clang based C++ compiler from Embarcadero,” the researchers said. “This compiler uses a different code base such as ‘Standard Library’ (Dinkumware) and ‘Runtime Library’ (compiler-rt) and generates optimized code which changes the entry point and execution flow. This breaks security vendors’ indicators, such as signatures composed from malicious/suspicious code block.”

The Morphisec report contains file hashes and other indicators of compromise. Even though this loader currently has a low detection rate, the first defense against such attacks is not falling for the social engineering tricks in the first place. Companies should train employees on how to spot unusual URLs or fake websites and, of course, to never download cracked software or game hacks on their computers in the first place, even if they use a personal computer for work.