A self-spreading malware campaign is said to be targeting gamers through YouTube videos. As reported by Kaspersky, it relies on an unusual malware bundle: a set of malicious programs distributed as a single installation file, a self-extracting archive, or another file that acts as an installer. Its main payload is the popular RedLine stealer, one of the most common types of Trojans used to steal passwords and logins from browsers. The report also states that the bundle is sold on underground hacker forums for a small price.
According to the Kaspersky report, such malware bundles cost only a few hundred dollars, which is cheap for malware. RedLine stealers can steal usernames, passwords, cookies, bank card details and autofill data from Chromium- and Gecko-based browsers, as well as data from cryptowallets, instant messengers and FTP/SSH/VPN client apps. In addition, RedLine can download and run third-party programs, execute commands, and open links in the default browser.
Along with the stealer, the bundle contains other files that enable the malware to propagate itself. In this process, YouTube channels are hacked and videos carrying the malware are posted. These videos promote cheats and cracks, and provide instructions on how to hack popular games and software, the report said.
Games for which the videos advertise cheats and cracks include APB Reloaded, CrossFire, DayZ, Dying Light 2, F1 22, Farming Simulator, Farthest Frontier, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, osu!, Point Blank, Project Zomboid, Rust, Sniper Elite, Spider-Man, Stray, Thymesia, VRChat and Walken. The report cites Google as saying that the hacked channels were quickly terminated for violating the company's Community Guidelines.
Once opened, the malicious bundle unpacks and runs three executables. The first is the RedLine stealer, and the second is a miner. The report says the main target audience is gamers, who likely have a discrete video card installed in their system, and that video card can be used for mining. The third executable sets up automatic startup and runs the first of the batch files. These batch files in turn run three other malicious files, which are responsible for the bundle's self-distribution.