These YouTube gaming videos are spreading malware

By Mobile Malls, September 16, 2022

A newly discovered malicious campaign that distributes the RedLine Stealer infostealer comes with an attention-grabbing self-propagation mechanism, researchers have found.

Cybersecurity researchers from Kaspersky uncovered new malware that logs into the YouTube accounts of compromised users and uploads a video to their channel, which in turn distributes the RedLine infostealer.

A victim, ideally a PC gamer, finds a YouTube video on cracks or cheats for one of their favourite video games: FIFA, Remaining Fantasy, Forza Horizon, Lego Star Wars, or Spider-Man. The video’s description contains links that claim to lead to these cracks and cheats but which, in fact, host several pieces of malware bundled together.

Cryptojackers, infostealers

The bundle includes RedLine Stealer, one of the most popular infostealers today, capable of stealing passwords saved in people’s browsers, cookies, bank card details, instant messaging conversations, and cryptocurrency wallets.

The bundle also contains a cryptojacker, essentially a cryptocurrency miner that uses the computing power of the compromised endpoint to mine cryptocurrency for the attackers. Cryptocurrency mining usually requires significant GPU power, something most gamers have.

Perhaps most interestingly, the bundle has three malicious executables used for self-propagation, called “MakiseKurisu.exe”, “obtain.exe”, and “add.exe”. MakiseKurisu is an infostealer that grabs browser cookies and stores them locally. Then obtain.exe fetches the fake crack video from a GitHub repository and hands it to add.exe, which uses the cookies to log in to the victim’s YouTube account and uploads the video there.

If the victim isn’t an avid YouTube user, or has notifications turned off, there’s a good chance the malicious video could sit on their YouTube channel for a long time before being taken down.

“When the video is efficiently uploaded to YouTube, add.exe sends a message to Discord with a hyperlink to the uploaded video,” Kaspersky explains.

Via: BleepingComputer
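For defenders, the chain described above (cookie access, fetch from GitHub, upload to YouTube, message to Discord) can be hunted by behaviour rather than by file name. The following is an added example, not code from Kaspersky or the original article; the event schema, host names and sample events are constructed, and event ordering is ignored for brevity.

```python
import ntpath
from collections import defaultdict

# Processes that legitimately read browser cookies and visit these sites.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
COOKIE_STORES = {"cookies", "cookies.sqlite"}  # Chromium / Firefox cookie databases
STAGE_DOMAINS = {"github.com": "fetch_video", "githubusercontent.com": "fetch_video",
                 "youtube.com": "upload_video", "discord.com": "notify"}

# Constructed telemetry in a hypothetical schema: (host, process image, kind, target).
# Process names on pc-02 are the ones the article gives.
CHROME_COOKIES = r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
EVENTS = [
    ("pc-01", "chrome.exe", "file_read", CHROME_COOKIES),
    ("pc-01", "chrome.exe", "dns", "www.youtube.com"),
    ("pc-02", "MakiseKurisu.exe", "file_read", CHROME_COOKIES),
    ("pc-02", "obtain.exe", "dns", "github.com"),
    ("pc-02", "add.exe", "dns", "www.youtube.com"),
    ("pc-02", "add.exe", "dns", "discord.com"),
    ("pc-03", "backup.exe", "file_read", CHROME_COOKIES),  # cookie read alone
]

def stage_of(image, kind, target):
    """Map one event to a stage of the chain, or None if it is not relevant."""
    if image.lower() in BROWSERS:
        return None
    if kind == "file_read" and ntpath.basename(target).lower() in COOKIE_STORES:
        return "cookie_access"
    if kind == "dns":
        name = target.lower().rstrip(".")
        for domain, stage in STAGE_DOMAINS.items():
            if name == domain or name.endswith("." + domain):
                return stage
    return None

def flag_hosts(events):
    """Return {host: stages seen} for hosts where non-browser processes both
    read a cookie store and contacted YouTube; other stages add confidence."""
    seen = defaultdict(set)
    for host, image, kind, target in events:
        stage = stage_of(image, kind, target)
        if stage:
            seen[host].add(stage)
    core = {"cookie_access", "upload_video"}
    return {h: sorted(s) for h, s in seen.items() if core <= s}

if __name__ == "__main__":
    print(flag_hosts(EVENTS))
```
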