You won’t believe your eyes! I just stumbled upon an incredible tool called SharpCovertTube that allows you to control Windows systems remotely by uploading videos to YouTube. Yes, I swear, it’s not a joke!
Essentially, the program continuously monitors a YouTube channel until a new video is uploaded. Then, brace yourself, it decodes a QR code hidden in the video’s thumbnail and executes the command concealed within it. Frankly, the developers behind this are evil geniuses! This project is actually a port of another really cool project made in Python in 2021 called Covert-Tube.
The craziest part is that QR codes in videos can contain plaintext or even AES-encrypted values. Needless to say, this raises significant security concerns. Moreover, there are two versions of the program: a classic binary and a binary that installs as a service. They’ve really thought of everything.
Oh yes, I forgot to mention, there’s even a Python script included to generate these booby-trapped videos. Essentially, this tool is a persistence method that uses web requests to the Google API. It’s a highly cunning technique!
Let me explain a bit about how it works. First, you need to launch the listener on your Windows system. It checks the YouTube channel every 10 minutes by default until a new video is uploaded.
And guess what? As soon as it detects a new video on the channel, it immediately decodes the QR code hidden in the thumbnail, executes the command, and voilà: the response is encoded in base64 and then exfiltrated via a DNS query. Seriously, it’s a brilliant exfiltration method!
It also works with QR codes that contain payloads.
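The exfiltration step above (command output, base64-encoded, carried in the labels of a DNS query) is exactly what a defender can hunt for in resolver logs. The Python below is an added example, not code from SharpCovertTube or its author: it scans constructed resolver log lines (the `timestamp client qtype qname` format and the domain `exfil.example` are assumptions made up for this example), joins the subdomain labels to the left of the registered domain, and flags queries whose labels are long, contain only base64 characters and decode to printable text. The one "exfiltrated" line in the sample is built with a small helper that encodes a constructed command output the way such a channel would, so you can watch the detector recover it.

```python
"""Hunt for base64 command output carried in DNS query labels (added example)."""
import base64
import binascii
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# Only characters that are both legal in a hostname label and in URL-safe base64.
B64_HOST_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def _to_dns_labels(text: str) -> str:
    """Encode text as unpadded URL-safe base64 and split it into 63-byte labels.
    This only builds the constructed sample below; it is not the tool's encoder."""
    enc = base64.urlsafe_b64encode(text.encode()).decode().rstrip("=")
    return ".".join(enc[i:i + 63] for i in range(0, len(enc), 63))


# Constructed command output and resolver log lines ("<time> <client> <qtype> <qname>").
# Lines 1, 2 and 4 are ordinary lookups; line 3 carries SAMPLE_OUTPUT in its labels.
SAMPLE_OUTPUT = (
    "nt authority\\system\r\n"
    "Windows IP Configuration\r\n\r\n"
    "Ethernet adapter Ethernet:\r\n"
    "   IPv4 Address. . . . . . . . . . . : 10.0.0.5\r\n"
)
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 A www.youtube.com",
    "2024-05-01T10:00:02Z 10.0.0.5 A www.googleapis.com",
    "2024-05-01T10:10:07Z 10.0.0.5 A " + _to_dns_labels(SAMPLE_OUTPUT) + ".exfil.example",
    "2024-05-01T10:10:08Z 10.0.0.7 A mail.example",
]


@dataclass
class Finding:
    client: str
    qname: str
    reasons: List[str]
    decoded: Optional[str]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; base64 data scores far above hostnames."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def decode_printable(payload: str) -> Optional[str]:
    """Decode unpadded base64 (URL-safe alphabet mapped back to standard) and return
    the text only if nearly every byte is printable ASCII, as command output would be."""
    std = payload.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    try:
        raw = base64.b64decode(std, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw:
        return None
    printable = sum(1 for b in raw if 32 <= b < 127 or b in (9, 10, 13))
    if printable / len(raw) < 0.9:
        return None
    return raw.decode("ascii", errors="replace")


def analyse_query(client: str, qname: str, min_len: int = 32,
                  min_entropy: float = 3.5) -> Optional[Finding]:
    """Score one query; returns a Finding when the subdomain data looks like exfil."""
    labels = qname.rstrip(".").split(".")
    data_labels = labels[:-2]  # assume a two-label registered domain; the rest is client-chosen
    payload = "".join(data_labels)
    if len(payload) < 12 or not B64_HOST_RE.match(payload):
        return None
    reasons = []
    if len(payload) >= min_len:
        reasons.append(f"{len(payload)} bytes of subdomain data")
    if shannon_entropy(payload) >= min_entropy:
        reasons.append("high-entropy labels")
    decoded = decode_printable(payload)
    if decoded is not None:
        reasons.append("labels decode to printable text")
    if decoded is None and len(reasons) < 2:
        return None
    return Finding(client, qname, reasons, decoded)


def scan_log(lines) -> List[Finding]:
    """Run analyse_query over every well-formed log line."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, _qtype, qname = parts[:4]
        finding = analyse_query(client, qname)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.client, f.qname[:40] + "...", f.reasons)
        print("recovered output:", repr(f.decoded))
```

Two caveats when running this against real logs: the "last two labels are the registered domain" shortcut misclassifies multi-part suffixes such as `co.uk`, so use a public-suffix list in production, and a channel that encrypts output before encoding will not pass the printable-text check, which is why the length and entropy reasons are kept as an independent trigger.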
Of course, a few configurations are necessary to make it work perfectly. First, you must enter your YouTube channel ID and API key in a configuration file. This is mandatory; otherwise, you might as well forget about it. If you want to use AES encryption for your QR codes, you also need to provide a key and an IV (Initialization Vector), but that’s optional—we don’t need to be overly cautious.
Another handy detail: you can choose the delay in seconds between each check for a new video on the channel. By default, it’s 10 minutes, but don’t set it too low, or you’ll quickly run into the YouTube API’s request limits.
Many other small settings can be configured, such as logging to a file, DNS exfiltration, the hostname used for exfiltration, etc. In short, it’s robust and well-designed. And if you have admin rights, you can install the “service” version for greater discretion. Kudos to the developers!
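The fixed polling interval described above (a check every 10 minutes by default, configurable in seconds) is the other observable a defender has: a host that fetches the same Google API endpoint at near-identical intervals for hours looks very different from a person watching videos. The Python below is an added example, not part of the project: it groups constructed proxy log lines (the `timestamp client host` format and the host name `www.googleapis.com` are assumptions for this example) by client and host, computes the inter-request intervals, and reports pairs whose coefficient of variation is low enough to indicate a timer rather than a user.

```python
"""Flag timer-driven polling of an API host in web proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed proxy log ("<time> <client> <host>"), generated from second offsets so
# the sample is reproducible. 10.0.0.5 hits the API host every ~600 s with a little
# jitter (a timer); 10.0.0.7 visits youtube.com whenever a person happens to click.
_T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
_EVENTS = (
    [("10.0.0.5", "www.googleapis.com", 600 * i + j)
     for i, j in enumerate([0, 1, -2, 0, 2, -1, 1, 0])]
    + [("10.0.0.7", "www.youtube.com", t) for t in [5, 17, 320, 365, 1265, 1272, 2900]]
    + [("10.0.0.5", "www.youtube.com", t) for t in [30, 95]]
)
SAMPLE_LOG = [
    f"{(_T0 + timedelta(seconds=s)).isoformat()} {client} {host}"
    for client, host, s in sorted(_EVENTS, key=lambda e: e[2])
]


def parse_log(lines) -> Dict[Tuple[str, str], List[datetime]]:
    """Group request timestamps by (client, host)."""
    series = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        series[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
    return series


def interval_stats(times: List[datetime]) -> Tuple[int, float, float]:
    """Return (request count, mean gap in seconds, coefficient of variation)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return len(times), 0.0, float("inf")
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return len(times), m, cv


def find_beacons(lines, min_requests: int = 6, max_cv: float = 0.1):
    """Report (client, host) pairs requested at near-constant intervals."""
    hits = []
    for (client, host), times in parse_log(lines).items():
        n, m, cv = interval_stats(times)
        if n >= min_requests and cv <= max_cv:
            hits.append({"client": client, "host": host, "requests": n,
                         "mean_interval_s": round(m, 1), "cv": round(cv, 4)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

The thresholds are the knobs worth tuning: `min_requests` keeps a couple of coincidental page loads from triggering, and `max_cv` tolerates the small jitter a sleeping process accumulates while still rejecting human browsing, whose gaps vary by orders of magnitude. A long-running timer that is rescheduled to a random delay would raise the CV, so pair this with the DNS-side check rather than relying on it alone.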
The only limitation is that the binary has to be 64-bit because of the code used to decode the QR codes. But hey, we’re not going to quibble—it’s still a mega impressive tool.
In conclusion, I hope this article has piqued your interest in giving it a try! Personally, I find these kinds of borderline projects fascinating. Obviously, don’t use this kind of tool for malicious purposes, okay? But admit it, from a technological and creativity standpoint, it’s extremely cool!
Have a great day, and next time, try to take a closer look at the thumbnails of YouTube videos—you never know what you’re going to find!