Users Feel Guilty: Measurement of Illegal Software Installation Guide Videos on YouTube for Malware Distribution
Rei Yamagishi, Shota Fujii, Tatsuya Mori
TL;DR
This work addresses the emerging MalTube threat, a malware distribution technique delivered via YouTube videos that promise illegal software or game cheats. It introduces VIPER, a dedicated monitoring framework that collected and analyzed 14,363 MalTube videos, 8,671 channels, and 1,269 FQDNs over four months to map the attack ecosystem. The study reveals that attackers primarily target young gamers, use multilingual SEO, and exploit channel hijacking and intermediate sites to disseminate malware, with sophisticated thumbnail and description strategies to maximize engagement. The findings inform robust countermeasures, including video and infrastructure detection, user education, and platform-assisted interventions, underscoring the need for cross-stakeholder collaboration to disrupt MalTube infrastructure and reduce risk to vulnerable populations.
Abstract
This study introduces and examines a sophisticated malware distribution technique that exploits popular video sharing platforms. In this attack, threat actors distribute malware through deceptive content that promises free versions of premium software and game cheats. Throughout this paper, we call this attack MalTube. MalTube is particularly insidious because it exploits the guilt users feel about engaging in potentially illegal activity, making them less likely to report the infection or ask for help. To investigate this emerging threat, we developed VIPER (video platform exploitation reconnaissance), a novel monitoring system designed to detect, monitor, and analyze MalTube activity at scale. Over a four-month data collection period, VIPER processed and analyzed 14,363 videos, 8,671 associated channels, and 1,269 unique fully qualified domain names (FQDNs) associated with malware downloads. Our findings reveal that MalTube attackers primarily target young gamers, using the lure of free software and game cheats as infection vectors. The attackers employ various sophisticated social engineering techniques to maximize user engagement and ensure successful malware propagation. These techniques include the strategic use of platform-specific features such as trending keywords, emoticons, and eye-catching thumbnails. These tactics closely mimic legitimate content creation strategies while providing detailed instructions for malware infection. Based on our in-depth analysis, we propose a set of robust detection and mitigation strategies that exploit the invariant characteristics of MalTube videos, offering the potential for automated threat detection and prevention.
