PennyWise crypto-stealing malware spreads via YouTube

The malware targets Zcash and Ethereum wallets alongside Electrum, Atomic Wallet and Coinomi, it takes your browser extension and login data and reads your chat logs.

A new strain of crypto-malware is spreading via YouTube, tricking users into downloading software designed to steal data from 30 crypto wallets and crypto browser extensions.

Cyber-intelligence firm Cyble, in a June 30 blog post, said it was tracking malware known as PennyWise, likely named after the monster from the horror novel It by Stephen King, since his first identification in May.

“Our investigation indicates that the rogue is an emerging threat,” Cyble wrote in a blog post on June 30:

"In its current version, this thief can target more than 30 cryptocurrency browsers and applications such as crypto cold wallets, crypto browser extensions, etc."

The data stolen from the victim's system comes in the form of Chromium and Mozilla browser information, including cryptocurrency extension data and login data. It can also take screenshots and steal sessions of chat apps such as Discord and Telegram.

The malware also targets cold crypto wallets such as Armory, Bytecoin, Jaxx, Exodus, Electrum, Atomic Wallet, Guarda, and Coinomi, as well as wallets supporting Zcash (ZEC) and Ether (ETH) by scanning for wallet files in the directory and sending a copy of the files to the attackers, according to Cyble.

The cybersecurity firm noted that the malware is spreading on YouTube mining education videos claiming to be free Bitcoin mining software.

Cybercriminals, or "Threat Actors", upload videos asking viewers to visit the link in the description and download the freeware while also encouraging them to disable their anti-virus software which allows the malware to run with success.

Cyble said the striker had up to 80 videos on his YouTube channel as of June 30. However, the identified channel has since been deleted.

A search by Cointelegraph found similar links to the malw...