
A new malware bundle uses victims' YouTube channels to upload malicious video tutorials advertising fake cheats and cracks for popular video games to spread the malicious package further.

The self-spreading malware bundle has been promoted in YouTube videos targeting fans playing FIFA, Final Fantasy, Forza Horizon, Lego Star Wars, and Spider-Man.

These uploaded videos contain links to download the fake cracks and cheats, but in reality, they install the same self-spreading malware bundle that infected the uploader.

A malware cocktail

In a new report, Kaspersky researchers describe a RAR archive containing a collection of malware, most notably RedLine, currently one of the most widely distributed information stealers.

RedLine can steal information stored in the victim’s web browser, such as cookies, account passwords, and credit cards, access instant messenger conversations, and compromise cryptocurrency wallets.

The archive also includes a cryptocurrency miner that mines for the attackers on the victim's graphics card; the intended victims, gamers looking for cheats on YouTube, are likely to own a capable GPU.

The bundle also carries NirCmd, a legitimate NirSoft command-line utility, renamed "nir.exe". It is used to launch the other executables so that they open no window and show no taskbar icon (NirCmd can start a program with its window hidden), which keeps everything the bundle runs out of the victim's sight.

The bundled infections and executables by themselves are not particularly interesting and are commonly used by threat actors in other malware distribution campaigns.

Self-propagating RedLine over YouTube

However, hidden in the archive Kaspersky found an unusual self-propagation mechanism that lets the bundle spread itself to new victims over the Internet.

Specifically, the RAR contains batch files that run three malicious executables, namely “MakiseKurisu.exe”, “download.exe”, and “upload.exe”, which perform the bundle’s self-propagation.

Files contained in the RAR (Kaspersky)

The first one, MakiseKurisu, is a modified version of a widely available C# password stealer, used solely to extract cookies from browsers and store them locally.

The second executable, “download.exe”, is used for downloading a video from YouTube, which is a copy of the videos promoting the malicious bundle.

The videos are downloaded from links fetched from a GitHub repository to avoid pointing to video URLs that were reported and removed from YouTube.

YouTube videos promoting the malware bundle (Kaspersky)

Finally, “upload.exe” is used for uploading the malware-promoting videos to YouTube, using the stolen cookies to log in to the victim’s YouTube account and spread the bundle via their channel.

Code to upload the malicious videos (Kaspersky)

“It [upload.exe] uses the Puppeteer Node library, which provides a high-level API for managing Chrome and Microsoft Edge using the DevTools protocol,” explains Kaspersky in the report.

“When the video is successfully uploaded to YouTube, upload.exe sends a message to Discord with a link to the uploaded video.”

Generating the Discord notification (Kaspersky)
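The chain described above (batch file, NirCmd launching the three executables hidden, upload.exe driving a browser over DevTools, Discord webhook notification) maps onto a small amount of host telemetry. The following is an added detection example, not Kaspersky's code or anything from the bundle itself: it runs over constructed, Sysmon-style process and network events and flags each link of the chain. The executable names come from the report; the command lines, the batch-file name, NirCmd's `exec hide` verb and Puppeteer's `--remote-debugging-*` browser flag are assumptions about how the behaviour would appear in logs.

```python
"""Detection of the YouTube self-propagation chain (added example, not the report's code).

Constructed Sysmon-style events mirror the described behaviour: cmd.exe running a
batch file -> nir.exe (NirCmd) -> MakiseKurisu.exe / download.exe / upload.exe,
upload.exe launching a browser with a DevTools remote-debugging flag (Puppeteer),
then posting to a Discord webhook. Command lines and paths are assumptions.
"""
import re
from collections import defaultdict

# Executable names taken from the report; everything else here is assumed.
LAUNCHERS = {"nir.exe", "nircmd.exe"}
PAYLOADS = {"makisekurisu.exe", "download.exe", "upload.exe"}
BROWSERS = {"chrome.exe", "msedge.exe"}
WEBHOOK_RE = re.compile(r"discord(app)?\.com/api/webhooks/", re.I)


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_propagation_chain(events):
    """Return (tag, detail) findings. Process events carry pid, ppid, image, cmdline;
    network events carry pid and url."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p)

    findings = []
    for p in procs.values():
        if _basename(p["image"]) not in LAUNCHERS:
            continue
        parent = procs.get(p["ppid"])
        from_batch = (parent is not None and _basename(parent["image"]) == "cmd.exe"
                      and ".bat" in parent["cmdline"].lower())
        kids = children[p["pid"]]
        hits = sorted({_basename(c["image"]) for c in kids} & PAYLOADS)
        if from_batch and hits:
            hidden = "exec hide" in p["cmdline"].lower()  # assumed NirCmd usage
            findings.append(("nircmd-launcher",
                             f"pid {p['pid']} spawned {hits} from a batch file"
                             + (" with a hidden window" if hidden else "")))
        # A browser whose parent is upload.exe and whose command line carries a
        # DevTools remote-debugging flag: assumed footprint of a Puppeteer launch.
        for c in kids:
            if _basename(c["image"]) != "upload.exe":
                continue
            for b in children[c["pid"]]:
                if _basename(b["image"]) in BROWSERS and "remote-debugging" in b["cmdline"].lower():
                    findings.append(("puppeteer-browser",
                                     f"{_basename(b['image'])} pid {b['pid']} launched by upload.exe over DevTools"))

    for e in events:
        if e["type"] == "network" and WEBHOOK_RE.search(e.get("url", "")):
            src = procs.get(e["pid"])
            who = _basename(src["image"]) if src else f"pid {e['pid']}"
            findings.append(("discord-webhook", f"{who} posted to {e['url']}"))
    return findings


# Constructed sample telemetry (not real logs); paths, pids and run.bat are invented.
D = r"C:\Users\victim\Downloads\cheat"
MALICIOUS_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 50, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f'cmd.exe /c "{D}\\run.bat"'},
    {"type": "process", "pid": 101, "ppid": 100, "image": f"{D}\\nir.exe",
     "cmdline": 'nir.exe exec hide "MakiseKurisu.exe"'},
    {"type": "process", "pid": 102, "ppid": 101, "image": f"{D}\\MakiseKurisu.exe", "cmdline": "MakiseKurisu.exe"},
    {"type": "process", "pid": 103, "ppid": 100, "image": f"{D}\\nir.exe",
     "cmdline": 'nir.exe exec hide "download.exe"'},
    {"type": "process", "pid": 104, "ppid": 103, "image": f"{D}\\download.exe", "cmdline": "download.exe"},
    {"type": "process", "pid": 105, "ppid": 100, "image": f"{D}\\nir.exe",
     "cmdline": 'nir.exe exec hide "upload.exe"'},
    {"type": "process", "pid": 106, "ppid": 105, "image": f"{D}\\upload.exe", "cmdline": "upload.exe"},
    {"type": "process", "pid": 107, "ppid": 106, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --remote-debugging-pipe --enable-automation --headless"},
    {"type": "network", "pid": 106, "url": "https://discord.com/api/webhooks/000000/REDACTED"},
]
BENIGN_EVENTS = [
    {"type": "process", "pid": 200, "ppid": 50, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 201, "ppid": 200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},
    {"type": "network", "pid": 201, "url": "https://www.youtube.com/"},
]
SAMPLE_EVENTS = MALICIOUS_EVENTS + BENIGN_EVENTS

if __name__ == "__main__":
    for tag, detail in find_propagation_chain(SAMPLE_EVENTS):
        print(f"[{tag}] {detail}")
```

The three NirCmd findings are separate because NirCmd runs one program per invocation and exits, so each payload gets its own nir.exe parent; correlating on the shared batch-file parent is what ties them together. A browser started by something other than a shell, explorer or the browser itself, with a remote-debugging flag, is a strong signal on its own and would also catch other Puppeteer- or DevTools-driven account abuse.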

While the threat actor is notified of every new upload, the channel owner is unlikely to notice they are promoting malware on YouTube if they are not very active on the platform.

This aggressive distribution method makes scrutiny and take-downs on YouTube even harder, as videos pointing to malicious downloads are uploaded from accounts that likely have a long-standing clean record. Because the login relies on stolen session cookies rather than a password, an affected owner needs to invalidate all active sessions (so the stolen cookies stop working) as well as change the password, and should do so only after cleaning the infected machine, since the stealer would otherwise simply collect the fresh cookies.
