Cyble Research and Intelligence Labs (CRIL) has spotted a new type of YouTube bot malware that can steal sensitive information from web users and act as a bot that receives commands from the C&C server.
The malicious software has been installed on around 100,000 computers, which is more than was previously believed. The latest find also indicates that the cybercriminals behind SamSam create a botnet for a specific purpose and then sell this botnet on to other cybercriminals.
The malware is called the ‘Gh0st Bot’. The cybercriminals behind Gh0st Bot use the “bot” name to hide their identity as well as to spread their malicious activities across various platforms by using a variety of techniques, including the use of command and control (C&C) servers. The bot loads malicious software from the C&C server which in turn saves the downloaded file on a local drive.
“Unlike most other malware, which resides within the system and has limited access to information that is not supposed to be accessed by it, Gh0st Bot resides in USB drives and holds all types of information such as passwords and credit card information.”
When the Gh0st Bot gains access to a computer, it creates an account and installs itself into the computer’s registry key so that it cannot be removed by traditional methods. After gaining access to a computer, the bot then connects to the man-in-the-middle attack server. The server can then use other techniques such as changing payloads with Gh0st Bot.
The malware is evolving and starting to make use of exploits in order to bypass security systems, CRIL writes in a post on its website: “Gh0st Bot has evolved its techniques since their initial spread via YouTube ads.”
Source: New YouTube Bot Malware Spotted Stealing User’s Sensitive Information - AlienVault - Open Threat Exchange