A newly discovered malicious campaign distributing the RedLine Stealer infostealer comes with a very interesting self-propagation mechanism, researchers have found.
Kaspersky cybersecurity researchers discovered new malware that logs into compromised users’ YouTube accounts and uploads a video to their channel, and that video in turn distributes RedLine Stealer.
A victim, ideally a PC gamer, finds a YouTube video about cracks or cheats for one of their favorite games: FIFA, Final Fantasy, Forza Horizon, Lego Star Wars or Spider-Man. In the description of the video are links claiming to contain those cracks and cheats that actually host multiple bundled malware.
Cryptojackers, info stealers
Included in the bundle is RedLine Stealer, one of the most popular info stealers today, capable of stealing passwords stored in people’s browsers, cookies, credit card information, instant messaging conversations, and cryptocurrency wallets.
The bundle also includes a cryptojacker, essentially a cryptocurrency miner that uses the computing power of the compromised endpoint to mine certain cryptocurrency for the attackers. Cryptocurrency mining usually requires significant GPU power, which most gamers have.
But perhaps most interestingly, the bundle has three malicious executables, which are used for self-propagation. These are called “MakiseKurisu.exe”, “download.exe” and “upload.exe”. MakiseKurisu is an infostealer that grabs browser cookies and stores them locally.
Next, download.exe would fetch the fake crack video from a GitHub repository and hand it over to upload.exe, which would upload it to the victim’s YouTube account after using the stolen cookies to log in.
If the victim is not an avid YouTube user, or if the notifications are turned off, there is a good chance that the malicious video will remain on their YouTube channel for a long time before it is deleted.
“If the video is uploaded to YouTube, upload.exe sends a message to Discord with a link to the uploaded video,” explains Kaspersky.
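The chain described above (cookie stealer, a downloader talking to GitHub, an uploader talking to YouTube and then Discord) lends itself to a simple host-side correlation. The following Python is an added example, not code from Kaspersky, BleepingComputer or this article: it reads constructed, Sysmon-like log lines (the log format, the concrete hostnames such as discord.com, and the `detect_chain` function are all my assumptions) and flags a machine only when several stages of the bundle’s behaviour appear together, since a generic name like download.exe is not an indicator on its own.

```python
import re
from typing import Dict, List, Optional, Set

# Indicators taken from the article: the three executable names in the
# bundle and the services each stage talks to (GitHub for the video file,
# YouTube for the upload, Discord for the notification).
CHAIN_EXECUTABLES = {"makisekurisu.exe", "download.exe", "upload.exe"}

# The hostnames are an assumption about what "GitHub", "YouTube" and
# "Discord" look like on the wire; the article names only the services.
INDICATORS = {
    "cookie_stealer_ran": ("makisekurisu.exe", None),
    "download_from_github": ("download.exe", {"github.com", "raw.githubusercontent.com"}),
    "upload_to_youtube": ("upload.exe", {"youtube.com", "www.youtube.com"}),
    "notify_discord": ("upload.exe", {"discord.com", "discordapp.com"}),
}

# Constructed log format for this example (not real Sysmon output):
#   <timestamp> host=<machine> event=process|network image=<path> [dest=<hostname>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>process|network) "
    r"image=(?P<image>\S+)(?: dest=(?P<dest>\S+))?$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Normalise the image to a lowercase basename so path differences do not matter.
    rec["image"] = rec["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    rec["dest"] = rec["dest"].lower() if rec["dest"] else None
    return rec


def detect_chain(lines: List[str], min_indicators: int = 3) -> Dict[str, List[str]]:
    """Return {host: [indicator names]} for hosts where at least
    `min_indicators` of the four chain stages were observed.

    A generic name like download.exe on its own is never enough: the signal is
    the combination of the stealer plus the GitHub -> YouTube -> Discord traffic.
    """
    seen: Dict[str, Set[str]] = {}                  # host -> executables that ran
    contacts: Dict[str, Dict[str, Set[str]]] = {}   # host -> image -> destination hosts
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["image"] not in CHAIN_EXECUTABLES:
            continue
        seen.setdefault(rec["host"], set()).add(rec["image"])
        if rec["event"] == "network" and rec["dest"]:
            contacts.setdefault(rec["host"], {}).setdefault(rec["image"], set()).add(rec["dest"])

    findings: Dict[str, List[str]] = {}
    for host, images in seen.items():
        matched = []
        for name, (image, hosts) in INDICATORS.items():
            if image not in images:
                continue
            if hosts is None or contacts.get(host, {}).get(image, set()) & hosts:
                matched.append(name)
        if len(matched) >= min_indicators:
            findings[host] = matched
    return findings


# Constructed sample telemetry: WS01 shows the full chain, WS02 only a
# developer's own download.exe fetching from GitHub (must not be flagged).
SAMPLE_LOG = [
    "2022-09-01T10:00:01Z host=WS01 event=process image=C:\\Users\\bob\\AppData\\Temp\\MakiseKurisu.exe",
    "2022-09-01T10:00:05Z host=WS01 event=process image=C:\\Users\\bob\\AppData\\Temp\\download.exe",
    "2022-09-01T10:00:06Z host=WS01 event=network image=C:\\Users\\bob\\AppData\\Temp\\download.exe dest=raw.githubusercontent.com",
    "2022-09-01T10:00:20Z host=WS01 event=process image=C:\\Users\\bob\\AppData\\Temp\\upload.exe",
    "2022-09-01T10:00:21Z host=WS01 event=network image=C:\\Users\\bob\\AppData\\Temp\\upload.exe dest=www.youtube.com",
    "2022-09-01T10:01:02Z host=WS01 event=network image=C:\\Users\\bob\\AppData\\Temp\\upload.exe dest=discord.com",
    "2022-09-01T11:15:00Z host=WS02 event=process image=C:\\tools\\download.exe",
    "2022-09-01T11:15:01Z host=WS02 event=network image=C:\\tools\\download.exe dest=github.com",
    "2022-09-01T11:16:00Z host=WS02 event=network image=C:\\Windows\\System32\\svchost.exe dest=update.microsoft.com",
]

if __name__ == "__main__":
    for host, hits in detect_chain(SAMPLE_LOG).items():
        print(f"{host}: possible RedLine self-propagation chain ({', '.join(hits)})")
```

The threshold of three out of four stages is deliberate: the executable names are trivially renamed by the operators, so the correlation leans on the sequence of services contacted rather than on any single file name, and a host that only shows one generic stage (WS02 above) stays quiet.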
Via: BleepingComputer