These YouTube gaming videos are spreading malware

A recently discovered malicious campaign distributing the RedLine Stealer information stealer comes with a very interesting self-propagation mechanism, researchers report.

Kaspersky cybersecurity experts have discovered new malware that logs in to compromised users' YouTube accounts and uploads to their channel a video that in turn distributes the RedLine infostealer.

A victim, ideally a PC gamer, finds a YouTube video about cracks or cheats for one of their favorite games: FIFA, Final Fantasy, Forza Horizon, Lego Star Wars, or Spider-Man. In the video description there are links that claim to contain these cracks and cheats which, in fact, host various malware packages.

Cryptojackers, information thieves

The package includes RedLine Stealer, one of today's most popular data thieves, capable of stealing passwords stored in users' browsers, cookies, credit cards, IM conversations and cryptocurrency wallets.

The package also contains a cryptojacker, basically a cryptocurrency miner that uses the computing power of the compromised endpoint to mine certain cryptocurrencies for the attackers. Cryptocurrency mining generally requires significant GPU power, which most gamers tend to have.

But perhaps most interesting is that the package contains three malicious executables, used for self-propagation. These are called "MakiseKurisu.exe", "download.exe" and "upload.exe". MakiseKurisu is an information stealer that captures browser cookies and stores them locally.

Download.exe would then fetch the fake crack video from a GitHub repository and hand it to upload.exe, which would upload it to the victim's YouTube account after using the stolen cookies to log in.

If the victim is not an avid YouTuber or has notifications turned off, the malicious video is likely to remain on their YouTube channel for a long time before being removed.

"When the video is successfully uploaded to YouTube, upload.exe sends a message to Discord with a link to the uploaded video," Kaspersky explains.
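As an added detection example (not from the Kaspersky report or this article), the following Python script correlates constructed, Sysmon-style process-creation and network events to flag the MakiseKurisu.exe -> download.exe -> upload.exe chain on a host, plus the Discord report step; the log format, paths and hostnames are assumptions.

```python
"""Flag the RedLine self-propagation chain on a host from endpoint telemetry.

Constructed, Sysmon-style events (not real telemetry): EID=1 is process
creation, EID=3 is a network connection. The chain the article describes is
MakiseKurisu.exe (cookie theft) -> download.exe (fetch video from GitHub)
-> upload.exe (post to YouTube, then report the link to Discord).
"""
import re
from collections import defaultdict

# Constructed sample events: "<host> EID=<n> Image=<exe path> [Dest=<host>]"
SAMPLE_EVENTS = [
    "PC-01 EID=1 Image=C:\\Users\\gamer\\Downloads\\MakiseKurisu.exe",
    "PC-01 EID=1 Image=C:\\Users\\gamer\\Downloads\\download.exe",
    "PC-01 EID=3 Image=C:\\Users\\gamer\\Downloads\\download.exe Dest=github.com",
    "PC-01 EID=1 Image=C:\\Users\\gamer\\Downloads\\upload.exe",
    "PC-01 EID=3 Image=C:\\Users\\gamer\\Downloads\\upload.exe Dest=discord.com",
    "PC-02 EID=1 Image=C:\\Program Files\\Steam\\steam.exe",
    "PC-02 EID=1 Image=C:\\Users\\dev\\tools\\upload.exe",  # lone upload.exe, not the chain
]

CHAIN = ("makisekurisu.exe", "download.exe", "upload.exe")
LINE_RE = re.compile(
    r"^(?P<host>\S+) EID=(?P<eid>\d+) Image=(?P<image>.+?)(?: Dest=(?P<dest>\S+))?$"
)

def parse(line):
    """Parse one constructed event line into a dict, adding the bare exe name."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["exe"] = ev["image"].rsplit("\\", 1)[-1].lower()
    return ev

def detect_chain(lines):
    """Return {host: reason} for hosts where the three chain executables were
    launched in order; note whether upload.exe also contacted Discord."""
    launched = defaultdict(list)   # host -> chain exes in launch order
    discord = defaultdict(bool)    # host -> upload.exe reached a Discord host
    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        host, exe = ev["host"], ev["exe"]
        if ev["eid"] == "1" and exe in CHAIN:
            launched[host].append(exe)
        if ev["eid"] == "3" and exe == "upload.exe" and ev["dest"] and "discord" in ev["dest"]:
            discord[host] = True
    hits = {}
    for host, exes in launched.items():
        it = iter(exes)  # subsequence check: each chain step appears after the previous
        if all(any(e == step for e in it) for step in CHAIN):
            hits[host] = "full chain" + (" + Discord report" if discord[host] else "")
    return hits
```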

Via: BleepingComputer