Windows Activator Bundles Banker in Youtube Description (Oct 2, 2019)
Attackers spreading a banking trojan, “Casbanerio”, are using YouTube video descriptions in an attempt to hide Command and Control (C2) addresses. Casbanerio is distributed through ReLoader, a tool used to illegally activate Windows and Microsoft Office, with prevalence in Latin America. Other methods used to conceal C2 addresses for Casbanerio is embedding the address in a Google Docs file amongst random text and encoded in hexadecimal. Using Youtube enables the address to be disguised as it raises no flags due to being regular traffic. The malware is then able to steal banking information, and cryptocurrency, along with distributing other malware.
Recommendation: Users should not be downloading ReLoader as it is an illegal product, and also should be avoided due to the risk of malicious software. Users should also exercise caution when downloading applications of the internet, as ReLoader does activate Windows and perform as expected, however unaware to the user it is also installing malware. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.