A self-spreading malware is said to be attacking gamers via YouTube videos. As per a report by Kaspersky, this is caused by an unusual malicious bundle, which includes malicious programs distributed in the form of a single installation file, self-extracting archive or other file with installer-type functionality. Its main payload is the widespread RedLine stealer — one of the most common Trojans used to steal passwords and credentials from browsers. The report also says that the bundle is available on underground hacker forums for a small price tag.
According to the Kaspersky report, the malicious bundle is merely a few hundred dollars, which is a small price tag for malware. The RedLine stealer can steal usernames, passwords, cookies, bank card details, and autofill data from Chromium- and Gecko-based browsers, data from cryptowallets, instant messengers, and FTP/SSH/VPN clients. In addition, RedLine can download and run third-party programs, execute commands, and open links in the default browser.
Alongside the stealer, there are other files in the bundle that facilitate self-propagation of the malware. In the process, the YouTube channels are hacked and videos with malware are posted. “These videos advertise cheats and cracks and provide instructions on hacking popular games and software,” the report said.
The games for which cheats and cracks are mentioned in the videos include APB Reloaded, CrossFire, DayZ, Dying Light 2, F1 22, Farming Simulator, Farthest Frontier, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, Osu!, Point Blank, Project Zomboid, Rust, Sniper Elite, Spider-Man, Stray, Thymesia, VRChat, and Walken. The report cited Google as saying that the hacked channels were quickly terminated for violation of the company’s Community Guidelines.
Once accessed, the malicious bundle unpacks and runs three executable files. The first is the RedLine stealer, and the second is a miner. The report says that the main target audience is gamers who are likely to have video cards installed in their systems. These cards can be used for mining. The third executable file ensures automatic startup and runs the first of the batch files. These batch files run three other malicious files, which are responsible for the bundle’s self-distribution.