Self-Spreading Malware Targets Gamers via YouTube

Experts at Kaspersky Lab have discovered an unusual malware campaign on YouTube: cybercriminals are distributing a bundle of malicious files disguised as gaming content, with the RedLine infostealer as the main payload.

How the Attack Works

Researchers report that the attackers upload videos to YouTube advertising cheats, cracks, and hacking instructions for various games or software. The videos are posted on existing, compromised channels without the owners’ knowledge. Each video description contains a link to a password-protected RAR archive, which self-extracts as soon as it is downloaded and opened.

Targeted Games and Bait

To attract gamers, the attackers use videos about popular games such as APB Reloaded, CrossFire, DayZ, Dying Light 2, F1® 22, Farming Simulator, Farthest Frontier, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, Osu!, Point Blank, Project Zomboid, Rust, Sniper Elite, Spider-Man, Stray, Thymesia, VRChat, and Walken.

What’s Inside the Malicious Bundle?

The RAR archive contains several malicious files, legitimate utility tools, and a script for automatically launching the extracted contents. The main payload is the RedLine infostealer—a powerful malware designed to steal information. RedLine can steal logins, passwords, cookies, credit card data, and autofill information from browsers based on Chromium and Gecko engines, as well as data from cryptocurrency wallets, messengers, and FTP/SSH/VPN clients. It can also search for files with specific extensions on the device.

Additionally, RedLine can download third-party programs, execute commands in cmd.exe, and open links in the default browser.

Cryptominer and Self-Propagation

Another component of the malicious archive is a cryptominer. Attackers are interested not only in gaming account data but also in the resources of gaming PCs—especially powerful graphics cards that can be used for mining.

However, experts note that the real danger lies not only in RedLine and the miner, but also in the bundle’s ability to self-propagate. A third executable from the RAR archive copies itself to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup to ensure it runs at startup, and then launches the first of several BATCH files.

The BATCH files, in turn, launch three other malicious files: MakiseKurisu.exe, download.exe, and upload.exe. These files are responsible for the bundle’s self-spreading capabilities. One of the BATCH files also launches nir.exe, a utility that allows the malicious executables to run without displaying windows or icons on the taskbar.

Technical Details

  • download.exe is a hefty 35 MB loader whose purpose is to download videos for uploading to YouTube, as well as text files with descriptions and links to the malicious archive. Its size is due to being a NodeJS interpreter bundled with the main application scripts and dependencies.
  • The malware retrieves download links from a GitHub repository. In recent versions, it downloads a 7zip archive containing videos and descriptions organized into folders. Extraction is handled by a console version of 7z, also included in the bundle.
  • MakiseKurisu.exe is a password-stealing program written in C# and modified for the malware authors’ needs. It appears to be based on open-source code from GitHub, containing many standard stealer functions (such as debugger checks, virtual environment detection, system info exfiltration, and password theft), though most are unused. Currently, its only active function is extracting cookies from browsers and saving them to a file—these cookies are then used to access the victim’s YouTube account and upload videos.
  • upload.exe is responsible for uploading the videos downloaded by download.exe to YouTube. Also written in NodeJS, it uses the Puppeteer library to control Chrome and Microsoft Edge browsers via the DevTools protocol. After successfully uploading a video, upload.exe sends a message to the operators on Discord with a link to the new video.
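The behaviours described in the two sections above (an executable copying itself into the Startup folder, BATCH files launching MakiseKurisu.exe, download.exe and upload.exe, and nir.exe starting processes without visible windows) are all observable in ordinary endpoint telemetry. The following detection sketch is an added example, not code from Kaspersky or from the malware bundle; it runs a few rules over constructed, Sysmon-like JSON event lines whose field names (`kind`, `process`, `target`, `parent`, `image`) are assumptions, and it hard-codes only the component names the report itself gives.

```python
"""Detection sketch for the execution chain described in the report.

Added illustration: the event lines are constructed in a Sysmon-like JSON
shape (not real telemetry) and the field names are assumptions.
"""
import json
import ntpath

# %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, compared
# case-insensitively against the directory part of the written file.
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"
# Component names taken from the report; nir.exe is the hidden-window launcher.
COMPONENTS = {"makisekurisu.exe", "download.exe", "upload.exe"}
HIDDEN_LAUNCHER = "nir.exe"
BATCH_HOST = "cmd.exe"          # BATCH files run inside cmd.exe
EXECUTABLE_EXT = (".exe", ".bat", ".cmd")

# Constructed sample events: one self-copy into Startup, one benign installer
# shortcut, the batch-driven launches from the report, and one benign process.
SAMPLE_EVENTS = r"""
{"kind":"file_create","process":"C:\\Users\\v\\Downloads\\cheat\\setup.exe","target":"C:\\Users\\v\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\setup.exe"}
{"kind":"file_create","process":"C:\\Windows\\System32\\msiexec.exe","target":"C:\\Users\\v\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Vendor Tool.lnk"}
{"kind":"process_create","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Users\\v\\Downloads\\cheat\\MakiseKurisu.exe"}
{"kind":"process_create","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Users\\v\\Downloads\\cheat\\nir.exe"}
{"kind":"process_create","parent":"C:\\Users\\v\\Downloads\\cheat\\nir.exe","image":"C:\\Users\\v\\Downloads\\cheat\\upload.exe"}
{"kind":"process_create","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _name(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def analyze(events):
    """Return (rule, detail) findings for the behaviours the report describes."""
    findings = []
    for ev in events:
        if ev["kind"] == "file_create":
            target = ev["target"]
            in_startup = ntpath.dirname(target).lower().endswith(STARTUP_DIR)
            # Installers legitimately drop .lnk files here, so the rule is
            # scoped to executables written into the Startup folder.
            if in_startup and target.lower().endswith(EXECUTABLE_EXT):
                if _name(ev["process"]) == _name(target):
                    findings.append(("startup_self_copy", target))
                else:
                    findings.append(("startup_executable_drop", target))
        elif ev["kind"] == "process_create":
            parent, image = _name(ev["parent"]), _name(ev["image"])
            # A BATCH file (cmd.exe) starting one of the named components.
            if parent == BATCH_HOST and image in COMPONENTS:
                findings.append(("batch_launches_component", image))
            # nir.exe being started, or starting something else, with no window.
            if image == HIDDEN_LAUNCHER or parent == HIDDEN_LAUNCHER:
                findings.append(("hidden_launcher", f"{parent} -> {image}"))
    return findings


def triggered_rules(text=SAMPLE_EVENTS):
    """Sorted set of rule names that fire on the given event text."""
    return sorted({rule for rule, _ in analyze(parse_events(text))})


if __name__ == "__main__":
    for rule, detail in analyze(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:28} {detail}")
```

On the constructed input the self-copy, the batch-launched component and both nir.exe edges fire, while the installer's shortcut and the browser start do not. In a real deployment the component names are the weakest part of these rules (they change between builds); the Startup self-copy and the cmd.exe-to-unsigned-executable-in-Downloads pattern survive renaming and are the signals worth keeping.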

Conclusion

Researchers conclude that this self-spreading bundle with the RedLine infostealer is a vivid example of how cybercriminals lure victims with ads for cracks, cheats, and hacking instructions for games. The self-propagation functionality is implemented using relatively simple software, such as a customized open-source stealer.