Users Feel Guilty: Measurement of Illegal Software Installation Guide Videos on YouTube for Malware Distribution

TL;DR

This paper investigates MalTube, a malware distribution method on YouTube exploiting user guilt, and introduces VIPER, a system for detecting and analyzing such malicious videos at scale.

Contribution

The study presents VIPER, a novel monitoring system for large-scale detection of MalTube videos, and provides insights into attacker tactics and targeted demographics.

Findings

MalTube primarily targets young gamers with fake software and cheat videos.

Attackers use social engineering tactics like trending keywords and eye-catching thumbnails.

Proposed detection strategies can potentially automate MalTube threat identification.

Abstract

This study introduces and examines a sophisticated malware distribution technique that exploits popular video sharing platforms. In this attack, threat actors distribute malware through deceptive content that promises free versions of premium software and game cheats. Throughout this paper, we call this attack MalTube. MalTube is particularly insidious because it exploits the guilt feelings of users for engaging in potentially illegal activity, making them less likely to report the infection or ask for a help. To investigate this emerging threat, we developed video platform exploitation reconnaissance VIPER, a novel monitoring system designed to detect, monitor, and analyze MalTube activity at scale. Over a four-month data collection period, VIPER processed and analyzed 14,363 videos, 8,671 associated channels, and 1,269 unique fully qualified domain names associated with malware downloads. Our findings reveal that MalTube attackers primarily target young gamers, using the lure of free software and game cheats as infection vectors. The attackers employ various sophisticated social engineering techniques to maximize user engagement and ensure successful malware propagation. These techniques include the strategic use of platform-specific features such as trending keywords, emoticons, and eye-catching thumbnails. These tactics closely mimic legitimate content creation strategies while providing detailed instructions for malware infection. Based on our in-depth analysis, we propose a set of robust detection and mitigation strategies that exploit the invariant characteristics of MalTube videos, offering the potential for automated threat detection and prevention.