Hackers Use YouTube Download Sites to Spread Proxyware


YouTube Proxyjacking Campaign Exploits Fake Video Download Sites

Cybercriminals have intensified their proxyjacking campaigns by targeting users of YouTube video download services, according to recent security research.

This attack exploits fake YouTube-to-MP4 conversion websites to distribute proxyware malware, focusing on users seeking free online video conversion tools.

The campaign reflects a major evolution in bandwidth theft attacks, where threat actors profit from stolen network resources on infected systems without users’ knowledge or consent.

How the Attack Works

The malicious operation revolves around deceptive websites that imitate legitimate YouTube video download platforms.

When users click the “Download Now” button, they are redirected to advertising pages prompting the installation of malicious executables.

Figure: fake YouTube video download page (source: ASEC)

By exploiting trust in apparently legitimate download functionality, this campaign effectively targets unsuspecting victims seeking free online services.

ASEC analysts linked the current campaign to threat actors previously involved in DigitalPulse proxyware distribution, indicating a deliberate expansion of their operations.

Geographic Scope and Impact

Research has identified multiple infections across South Korea, suggesting a geographically focused and persistent campaign.

Globally, the attack has compromised an estimated 400,000 Windows systems, generating substantial revenue for cybercriminals through unauthorized bandwidth usage.

Unlike cryptojacking, which hijacks computing power for cryptocurrency mining, this variant monetizes network bandwidth, providing a continuous income stream from infected systems.

The financial incentive drives ongoing evolution and geographic expansion of the attack.

Infection Chain and Persistence Mechanisms

The malware follows a multi-stage infection process to evade detection while ensuring persistent access to the system.

Figure: flowchart of the malware installation chain (source: ASEC)

  • The malicious installer masquerades as QuickScreenRecorder.exe but immediately runs PowerShell scripts for payload delivery.
  • Initial droppers perform environment checks, scanning for sandbox or virtual machine environments before continuing the infection.

Task Scheduler for Persistence

The malware registers a scheduled task under the name “Defrag DiskCleanup”, mimicking legitimate system maintenance tasks:

Task Name: Defrag DiskCleanup  
Executable: "C:\Program Files\nodejs\node.exe"  
Arguments: "C:\f888a3fc-f6dd-427d-8667-b81ea3946b76-90.5.44709.2197\c8c4ffcf-4b46-432f-b1d4-3383bf3fecf6.js" 9762

This scheduled task runs malicious JavaScript via NodeJS, establishing communication with command-and-control servers to fetch additional payloads.
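A PowerShell hunt for the scheduled-task persistence described above, added here as an example rather than taken from ASEC's report: it assumes the task name, node.exe launcher and GUID-named .js argument shown on this page and runs on the endpoint being triaged.

```powershell
# Added example (not ASEC's code): flag scheduled tasks whose action launches
# node.exe with a .js payload in a GUID-named directory at the drive root, or
# whose name copies a maintenance task but lives outside \Microsoft\.
# Run in an elevated PowerShell session on the endpoint under investigation.

# Task names this page confirms the campaign reuses (assumption: extend as needed).
$SuspiciousNames = @('Defrag DiskCleanup')

# Matches an argument such as "C:\f888a3fc-...\c8c4ffcf-....js" 9762 (leading quote optional).
$GuidRootPath = '^"?[A-Za-z]:\\[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
$JsPayload    = '(?i)\.js"?(\s+\d+)?$'

function Test-ProxywareTask {
    param($Task)   # a CimInstance returned by Get-ScheduledTask
    $reasons = @()
    foreach ($action in $Task.Actions) {
        $exe       = [string]$action.Execute
        $arguments = [string]$action.Arguments
        if ($exe -match '(?i)\\node\.exe"?$') {
            # Legitimate tasks rarely invoke NodeJS directly; worth a look on its own.
            $reasons += 'action runs node.exe'
            if ($arguments -match $GuidRootPath -and $arguments -match $JsPayload) {
                $reasons += 'argument is a .js file under a GUID-named root directory'
            }
        }
    }
    if ($SuspiciousNames -contains $Task.TaskName -and $Task.TaskPath -notlike '\Microsoft\*') {
        $reasons += 'task name mimics system maintenance but is not under \Microsoft\'
    }
    return $reasons
}

Get-ScheduledTask | ForEach-Object {
    $hits = @(Test-ProxywareTask -Task $_)
    if ($hits.Count -gt 0) {
        [PSCustomObject]@{
            TaskPath  = $_.TaskPath
            TaskName  = $_.TaskName
            Execute   = ($_.Actions | ForEach-Object Execute) -join '; '
            Arguments = ($_.Actions | ForEach-Object Arguments) -join '; '
            Reasons   = $hits -join '; '
        }
    }
} | Format-List
```

Any hit should be checked against the task's registration time and the file's creation time before removal, since the task is only one stage of the chain described above.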

For the Honeygain variant, the malware uses FastCleanPlus.exe as a launcher, calling the hgsdk_start() function in hgsdk.dll with the attacker's API credentials rather than the victim's, so the shared bandwidth is credited to the attacker. This shows the campaign's technical sophistication and its adaptability across multiple proxyware platforms.

Conclusion

This YouTube proxyjacking campaign highlights the growing threat of bandwidth theft malware. Users should be cautious when downloading free video conversion tools, verify websites carefully, and maintain updated endpoint security to prevent infection.