A new malware bundle uses victims’ YouTube channels to upload malicious video tutorials advertising fake cheats and cracks for popular video games to spread the malicious package further.
The self-spreading malware bundle has been promoted in YouTube videos targeting fans playing FIFA, Final Fantasy, Forza Horizon, Lego Star Wars, and Spider-Man.
These uploaded videos contain links to download the fake cracks and cheats, but in reality, they install the same self-spreading malware bundle that infected the uploader.
A malware cocktail
In a new report, researchers found a RAR archive containing a collection of malware, most notably RedLine, currently one of the most widely distributed information stealers.
RedLine can steal information stored in the victim’s web browser, such as cookies, account passwords, and credit cards, read instant messenger conversations, and compromise cryptocurrency wallets. The RAR archive also contains a miner that mines cryptocurrency for the attackers, taking advantage of the capable graphics card that someone who watches gaming videos on YouTube is likely to own.
Using a legitimate copy of the NirSoft NirCmd utility, included in the package as “nir.exe”, all of the executables are launched hidden: no user interface windows or system tray icons are created, so everything stays out of the victim’s sight.
The infection chain and the bundled executables are not particularly interesting by themselves and are frequently used by attackers in other malware distribution campaigns.
Self-propagating RedLine via YouTube
However, the researchers discovered an unusual and intriguing self-propagation mechanism hidden in the archive that allows the malware to spread to other victims on the Internet.
Specifically, the RAR contains a batch file that runs three malicious executables, ‘MakiseKurisu.exe’, ‘download.exe’ and ‘upload.exe’, which together perform the self-propagation of the package. The first, MakiseKurisu, is a modified version of a widely used C# password stealer that is used only to extract cookies from browsers and store them locally.
The second executable, ‘download.exe’, downloads a video from YouTube that is a copy of the video promoting the malicious package.
The video link is pulled from a GitHub repository rather than being hardcoded, so that it does not point to a video URL that has already been reported and removed by YouTube.
Finally, ‘upload.exe’ uploads the video promoting the malware to YouTube, using the stolen cookies to log into the victim’s YouTube account and distribute the bundle through their channel.
“[upload.exe] uses the Puppeteer Node library, which provides a high-level API to manage Chrome and Microsoft Edge using the DevTools protocol,” says the report.
“Upon successfully uploading a video to YouTube, upload.exe will send a message to Discord containing a link to the uploaded video.”
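The propagation chain described above has a recognisable shape on an endpoint: a batch script run under cmd.exe that, through NirCmd, launches the cookie stealer, the downloader and the uploader within a short window. The following script is an added example written for this article, not code from the report or from the malware, and it shows how a defender could flag that pattern in process-creation telemetry. The file names (MakiseKurisu.exe, download.exe, upload.exe, nir.exe) come from the article; the log format, the directory path, the `exec hide` command lines and the process IDs are constructed assumptions for illustration only.

```python
"""Flag a cmd.exe-rooted process tree that launches the self-propagation tools
named in the article, optionally hidden via a renamed NirCmd (nir.exe)."""
import ntpath
from collections import defaultdict
from typing import Optional

# File names taken from the article; matched case-insensitively on the base name
# because the extraction directory of the bundle is not known.
PROPAGATION_TOOLS = {"makisekurisu.exe", "download.exe", "upload.exe"}
HIDER_TOOL = "nir.exe"       # renamed NirSoft NirCmd, per the article
SCRIPT_HOSTS = {"cmd.exe"}   # batch files execute under cmd.exe

# Constructed process-creation records in a simplified Sysmon Event ID 1 style:
# time|pid|ppid|image|parent image|command line.  Paths, PIDs and the
# "exec hide" invocations are assumptions, not captured telemetry.
SAMPLE_EVENTS = [
    "10:00:01|4100|900|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\winlogon.exe|explorer.exe",
    "10:02:15|4312|4100|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Windows\\explorer.exe|chrome.exe",
    "10:05:40|5000|4100|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\explorer.exe|cmd.exe /c C:\\Users\\u\\Downloads\\cheat\\run.bat",
    "10:05:41|5010|5000|C:\\Users\\u\\Downloads\\cheat\\nir.exe|C:\\Windows\\System32\\cmd.exe|nir.exe exec hide MakiseKurisu.exe",
    "10:05:41|5011|5010|C:\\Users\\u\\Downloads\\cheat\\MakiseKurisu.exe|C:\\Users\\u\\Downloads\\cheat\\nir.exe|MakiseKurisu.exe",
    "10:05:44|5012|5000|C:\\Users\\u\\Downloads\\cheat\\nir.exe|C:\\Windows\\System32\\cmd.exe|nir.exe exec hide download.exe",
    "10:05:44|5013|5012|C:\\Users\\u\\Downloads\\cheat\\download.exe|C:\\Users\\u\\Downloads\\cheat\\nir.exe|download.exe",
    "10:06:10|5014|5000|C:\\Users\\u\\Downloads\\cheat\\nir.exe|C:\\Windows\\System32\\cmd.exe|nir.exe exec hide upload.exe",
    "10:06:10|5015|5014|C:\\Users\\u\\Downloads\\cheat\\upload.exe|C:\\Users\\u\\Downloads\\cheat\\nir.exe|upload.exe",
    "10:07:00|6000|4100|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\explorer.exe|cmd.exe /c ping 127.0.0.1",
    "10:07:01|6001|6000|C:\\Windows\\System32\\PING.EXE|C:\\Windows\\System32\\cmd.exe|ping 127.0.0.1",
]


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def parse_events(lines) -> list:
    """Turn the pipe-separated records into dicts; the command line may contain '|'."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, pid, ppid, image, parent, cmdline = line.split("|", 5)
        events.append({"ts": ts, "pid": int(pid), "ppid": int(ppid),
                       "image": image, "parent": parent, "cmdline": cmdline})
    return events


def script_host_ancestor(pid: int, by_pid: dict) -> Optional[int]:
    """Walk up the parent chain and return the pid of the nearest cmd.exe, if any."""
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return None
        if basename(parent["image"]) in SCRIPT_HOSTS:
            return parent["pid"]
        cur = parent
    return None


def detect_self_propagation(events: list, min_tools: int = 2) -> list:
    """Group the named tools by the cmd.exe that (transitively) started them and
    report every cmd.exe tree that ran at least `min_tools` distinct tools."""
    by_pid = {e["pid"]: e for e in events}
    trees = defaultdict(lambda: {"tools": set(), "hider": False, "pids": []})
    for e in events:
        name = basename(e["image"])
        if name not in PROPAGATION_TOOLS and name != HIDER_TOOL:
            continue
        root = script_host_ancestor(e["pid"], by_pid)
        if root is None:
            continue   # a tool not launched from a script host is out of scope here
        tree = trees[root]
        tree["pids"].append(e["pid"])
        if name == HIDER_TOOL:
            tree["hider"] = True
        else:
            tree["tools"].add(name)
    findings = []
    for root, tree in trees.items():
        if len(tree["tools"]) >= min_tools:
            findings.append({"root_pid": root,
                             "root_cmdline": by_pid[root]["cmdline"],
                             "tools": sorted(tree["tools"]),
                             "hidden_via_nircmd": tree["hider"],
                             "pids": sorted(tree["pids"])})
    return findings


if __name__ == "__main__":
    for f in detect_self_propagation(parse_events(SAMPLE_EVENTS)):
        print(f"cmd.exe pid {f['root_pid']} ({f['root_cmdline']}) launched "
              f"{', '.join(f['tools'])}; hidden via NirCmd: {f['hidden_via_nircmd']}")
```

Matching on file names alone is brittle, since the operators can rename the binaries at any time; the more durable signal is the shape of the tree (a batch script that spawns several hidden console processes which then touch browser cookie stores and a headless browser), which is why the grouping is done by the cmd.exe ancestor rather than by the names themselves.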
The attackers are notified of every new upload, but channel owners are unlikely to notice that their channel is promoting malware on YouTube unless they are very active on the platform.
Because the videos promoting the malicious download are uploaded from accounts that have likely had a clean history for a long time, this aggressive propagation method makes it even harder for YouTube to identify and remove them.