Botnet servers hidden in description of YouTube channels

Hasanka Amarasinghe
2 min read · May 12, 2020


Cybercriminals are using the description field of YouTube channels to hide the location of their botnet servers, researchers at Cisco have discovered. A new variant of the Astaroth malware reads the description of specific YouTube channels to find the command-and-control servers that manage infected systems. The technique is intended to evade detection, the researchers said.

Astaroth was developed to steal internet banking data. The latest version targets Brazilian internet users only. The attack begins with an email claiming, for example, that the recipient still has an unpaid invoice. The attackers also send emails that appear to come from the Brazilian Ministry of Health and that concern the coronavirus.

The messages contain a link to a zip file, which in turn contains an .lnk (Windows shortcut) file. When the user opens the .lnk file, the Astaroth malware is installed on the system. Like other malware operators, the Astaroth developers need to communicate with infected systems, for example to push updates. For this, the infected systems must first learn the location of the botnet servers.

In the case of Astaroth, the description of YouTube channels is used for this, which according to the Cisco researchers is a new method. The description of the YouTube channels contains an encrypted and base64-encoded list of domains to which the infected computer must connect. In this way, the researchers say, the criminals try to hide their command-and-control infrastructure. If communication with the YouTube channel fails, the malware falls back on a hard-coded URL that points to a botnet server.
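As an added example (not from the article or from Cisco's report), the following Python script shows how an analyst could screen channel-description text for the dead-drop pattern described above: it extracts base64-looking tokens, decodes them, and flags blobs that contain domain-like strings or that are mostly non-printable (an encrypted layer that cannot be read but is still out of place). The sample descriptions, placeholder domains and the 0.7 printable threshold are constructed assumptions.

```python
import base64
import re

# Constructed sample descriptions; the domains are placeholders, not indicators from the report.
BENIGN_DESC = "Weekly gaming streams every Friday at 8pm. Business inquiries: mail@example.invalid"
HIDDEN_LIST = base64.b64encode(
    b"c2-a.example.invalid|c2-b.example.invalid|c2-c.example.invalid").decode()
SUSPECT_DESC = f"Welcome to my channel! {HIDDEN_LIST} Subscribe for more."
OPAQUE_BLOB = base64.b64encode(bytes(range(256))).decode()   # stands in for an encrypted layer
OPAQUE_DESC = f"New videos every week. {OPAQUE_BLOB} Thanks for watching."

# A run of 24+ base64 characters (optionally padded) bounded by non-base64 characters.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/=])")
DOMAIN = re.compile(rb"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def decode_candidates(text):
    """Yield (token, decoded_bytes) for each base64-looking token that decodes cleanly."""
    for tok in B64_TOKEN.findall(text):
        padded = tok + "=" * (-len(tok) % 4)
        try:
            yield tok, base64.b64decode(padded, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue


def printable_fraction(data):
    return sum(32 <= b < 127 for b in data) / len(data) if data else 1.0


def analyse_description(text):
    """Flag a channel description that carries an embedded server list.

    Two signals: the decoded blob contains domain-like strings (a plaintext list),
    or it is mostly non-printable (an encrypted layer, unreadable here but still
    out of place in a channel description).
    """
    findings = []
    for tok, raw in decode_candidates(text):
        domains = [d.decode("ascii", "ignore") for d in DOMAIN.findall(raw)]
        if domains:
            findings.append({"token": tok, "reason": "domains", "domains": domains})
        elif printable_fraction(raw) < 0.7:     # threshold is an assumption
            findings.append({"token": tok, "reason": "opaque", "domains": []})
    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for name, desc in [("benign", BENIGN_DESC), ("list", SUSPECT_DESC), ("opaque", OPAQUE_DESC)]:
        print(name, analyse_description(desc))
```

The same check can be run over description text captured from a proxy or from the channel pages an infected host was seen requesting.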


Source: https://www.security.nl/posting/656591/Botnetservers+verborgen+in+omschrijving+van+YouTube-kanalen

Written by Hasanka Amarasinghe

Blogs on latest security events + CTF writeups