Researchers have tracked a hacking campaign that is spreading the Aurora malware through YouTube videos.
The malware is an information stealer written in the Go programming language.
- Clicking the links in these YouTube video descriptions redirects the victim to fake websites.
- The malware is designed to query the vendor ID of the graphics card installed on a system and compare it against a set of listed vendors, such as:
- If the value doesn't match, the loader terminates itself.
- The loader ultimately decrypts the final payload and injects it into a legitimate process called "sihost.exe" using a technique called process hollowing.
- The threat actors behind the campaign, tracked as in2al5d p3in4er, are using social engineering to keep redirecting new waves of users to the fake websites.
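As an added example (not from the researchers' report and not a published detection rule), the following Python check runs over constructed Sysmon-style process-creation records and flags sihost.exe instances that do not look like the legitimate Shell Infrastructure Host, which normally lives in System32 and is started by svchost.exe; a hollowed sihost.exe is instead spawned by the loader. The field names, the sample records and the user-writable path markers are assumptions.

```python
# Added example: spotting a hollowed sihost.exe in process-creation telemetry.
# The records below are constructed for this example; the Sysmon-style
# field names (pid, image, parent_image) are an assumption.
EVENTS = [
    {"pid": 1200, "image": r"C:\Windows\System32\sihost.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 4312, "image": r"C:\Windows\System32\sihost.exe",
     "parent_image": r"C:\Users\alice\Downloads\setup_x64.exe"},
    {"pid": 4400, "image": r"C:\Users\alice\AppData\Local\Temp\sihost.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 5000, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

# What a legitimate sihost.exe looks like on a default Windows 10/11 install.
EXPECTED_IMAGE = r"c:\windows\system32\sihost.exe"
EXPECTED_PARENTS = {r"c:\windows\system32\svchost.exe"}
# Directory markers a downloaded loader is likely to run from (assumed list).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\",
                 "\\programdata\\")


def sihost_findings(events):
    """Return (pid, reasons) for every sihost.exe process that deviates
    from the expected image path or parent; other processes are ignored."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        if not image.endswith("\\sihost.exe"):
            continue
        parent = ev["parent_image"].lower()
        reasons = []
        if image != EXPECTED_IMAGE:
            reasons.append("image not at the System32 path")
        if parent not in EXPECTED_PARENTS:
            reasons.append("parent is not svchost.exe")
        if any(marker in parent for marker in USER_WRITABLE):
            reasons.append("parent runs from a user-writable directory")
        if reasons:
            findings.append((ev["pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in sihost_findings(EVENTS):
        print(f"pid {pid}: {'; '.join(reasons)}")
```

A single sihost.exe with an unexpected parent is a strong lead rather than proof; confirm by comparing the process's in-memory image with the file on disk before acting on it.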