A crypto malware dubbed PennyWise is being spread through YouTube, tricking users to download software that’s designed to steal data from 30 crypto wallets and crypto-browser extensions.
Cyble which is cyber Intelligence Company said it had been tracking the malware likely named after the monster in Stephen King’s horror novel IT.
Data stolen from the victim’s system comes in the form of Chromium and Mozilla browser information, including cryptocurrency extension data and login data. It can also take screenshots and steal sessions of chat applications such as Discord and Telegram.
The malware also targets cold crypto-wallets such as Armory, Bytecoin, Jaxx, Exodus, Electrum, Atomic Wallet, Guarda, and Coinomi, as well as wallets supporting Zcash and Ethereum by looking for wallet files in the directory and sending a copy of the files to attackers, according to Cyble. The cyber security company noted that the malware is being spread on YouTube mining education videos purporting to be free Bitcoin mining software.
Cyble stated that the attacker had as many as 80 videos on their YouTube channel as of June 30 however, the channel identified has since been removed.
Interestingly, the malware is designed to stop itself if it finds out the victim is based in Russia, Ukraine, Belarus, and Kazakhstan. Cyble also found that the malware converts the victim’s stolen timezone data to Russian Standard Time when the data is sent back to the attackers.
