Malware Spreading on YouTube Videos Featuring Videogame Tutorials
Industry: Civil Society | Level: Tactical | Source: Kaspersky
Videogamers seeking guidance on a new game, or an unbeatable level could encounter an even bigger headache. Researchers from Kaspersky have discovered malicious bundles hosted on short YouTube videogame videos masquerading as gaming cracks and cheats, but actually containing information-stealing malware RedLine. The threat actors behind the campaign have utilized popular videogame titles such as Farming Simulator, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, Spider-Man, and more to draw viewers. Typically, the malicious download link is posted below the video title in the description with instructions to download, unzip and install for the viewer. The RAR archive contains the RedLine malware along with several malicious executables and script files. The executable files provide capabilities for persistence on the host, allow the bundle to self-distribute, and a utility to enable the executable files to run without windows or icons to be visible to the user. Additionally, a miner is included as the targeted audience features users with possible high-performance computer setups. RedLine is capable of stealing critical user information including browser cookies, credentials, credit card numbers, instant messenger conversations and can compromise cryptocurrency wallets. Cookies containing the user's YouTube account credentials are leveraged by the malware bundle in its self-propagation features to upload a YouTube of the same style leading to infection onto the victim's YouTube channel. Threat actors are notified of a new YouTube video upload through a Discord link that is sent by the malware.
- Malicious Archive Runs Payloads Leading to Persistence or C2
Anvilogic Use Cases:
- Compressed File Execution
- Executable Create Script Process
- Executable Process from Suspicious Folder