AI-generated YouTube videos used to distribute difficult-to-detect malware loader

Security researchers at Morphisec have discovered a new malware loader that is used as part of the infection chain for the Aurora information stealer.

The loader evades detection by security solutions through anti-virtual-machine (VM) checks and unusual compilation techniques. The Aurora infostealer is a modular malware-as-a-service platform that can act as a downloader for additional payloads as well as steal data and credentials from web browsers, cryptocurrency wallets, and local applications. Cybercriminals distribute Aurora in multiple ways, and a recent trend is to post AI-generated videos on YouTube that pose as tutorials for installing cracked software and game hacks.

The new malware loader, named “in2al5d p3in4er,” is the executable that users download from the rogue websites linked in the descriptions of the YouTube tutorial videos. The loader has an unusually low detection rate on VirusTotal and is especially good at evading solutions that execute files in virtual machines or sandboxes to observe their behavior. This is because the code checks whether the system has a physical graphics card, which virtual machines and sandboxes typically lack; if none is found, the loader does not proceed.

The loader was built with Embarcadero RAD Studio, an integrated development environment for writing native cross-platform applications. Its creators are experimenting with RAD Studio compilation options that generate optimized code with a different entry point and execution flow, which breaks the indicators security vendors rely on.

The first defence against such attacks is not falling for the social engineering in the first place. Companies should train employees to spot unusual URLs and fake websites, and to avoid downloading cracked software or game hacks, even on a personal computer that is also used for work.

The Morphisec report contains file hashes and other indicators of compromise.