A new malware bundle hijacks victims’ YouTube channels to upload video tutorials advertising fake cheats and cracks for popular video games, and those videos spread the same malicious package to new victims.
The self-spreading malware bundle has been promoted in YouTube videos targeting fans playing FIFA, Final Fantasy, Forza Horizon, Lego Star Wars, and Spider-Man.
These uploaded videos contain links to download the fake cracks and cheats, but in reality, they install the same self-spreading malware bundle that infected the uploader.
A malware cocktail
In a new report by Kaspersky, researchers found a RAR archive containing a collection of malware, most notably RedLine, currently one of the most massively distributed information stealers.
RedLine can steal information stored in the victim’s web browser, such as cookies, account passwords, and credit cards, access instant messenger conversations, and compromise cryptocurrency wallets.
The RAR archive also includes a cryptocurrency miner that exploits the victim’s graphics card to mine for the attackers; viewers of gaming videos on YouTube are very likely to own a capable GPU.
The bundle also carries the legitimate Nirsoft NirCmd utility, renamed “nir.exe,” which is used to launch the other executables without windows or taskbar icons, so the whole chain runs hidden from the victim.
The bundled infections and executables by themselves are not particularly interesting and are commonly used by threat actors in other malware distribution campaigns.
Self-propagating RedLine over YouTube
However, Kaspersky discovered an unusual self-propagation mechanism hidden in the archive that lets the malware spread itself to other victims on the Internet.
Specifically, the RAR contains batch files that run three malicious executables, namely “MakiseKurisu.exe”, “download.exe”, and “upload.exe”, which perform the bundle’s self-propagation.
The first one, MakiseKurisu, is a modified version of a widely available C# password stealer, used solely to extract cookies from browsers and store them locally.
The second executable, “download.exe”, is used for downloading a video from YouTube, which is a copy of the videos promoting the malicious bundle.
The videos are downloaded from links fetched from a GitHub repository to avoid pointing to video URLs that were reported and removed from YouTube.
Finally, “upload.exe” is used for uploading the malware-promoting videos to YouTube, using the stolen cookies to log in to the victim’s YouTube account and spread the bundle via their channel.
“It [upload.exe] uses the Puppeteer Node library, which provides a high-level API for managing Chrome and Microsoft Edge using the DevTools protocol,” explains Kaspersky in the report.
“When the video is successfully uploaded to YouTube, upload.exe sends a message to Discord with a link to the uploaded video.”
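The chain described above leaves a recognisable footprint in process-creation telemetry: a batch file launching the renamed NirCmd binary, which in turn launches the three propagation executables. The following detection logic, an added example that is not part of Kaspersky’s report or the article, scans a constructed, simplified Sysmon-style CSV log (columns time, parent_image, image, command_line; the sample rows, paths and the NirCmd `exec hide` command line are assumptions, not values from the page) for that pattern. Because “download.exe” and “upload.exe” are generic names, they only score when they are launched from the same directory as nir.exe by nir.exe or cmd.exe, which keeps an unrelated download.exe out of the findings.

```python
"""Hunt for the YouTube self-propagation chain in process-creation logs.

Added example (not from the Kaspersky report). It flags the artifacts the
article names: the renamed NirCmd binary nir.exe and the three propagation
binaries MakiseKurisu.exe, download.exe and upload.exe. The log format and
all sample rows below are constructed for illustration.
"""
import csv
import io
from typing import Dict, List

# File names taken from the article.
PROPAGATION_BINARIES = {"makisekurisu.exe", "download.exe", "upload.exe"}
HIDER_BINARY = "nir.exe"  # legitimate NirCmd, renamed as described in the article
LAUNCHERS = {HIDER_BINARY, "cmd.exe"}  # nir.exe itself, or cmd.exe running the .bat

# Constructed sample log (assumed layout; "exec hide" is NirCmd's window-hiding syntax).
SAMPLE_LOG = """time,parent_image,image,command_line
2022-09-15T10:01:02,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\cmd.exe,cmd /c C:\\Users\\victim\\Downloads\\cheat\\run.bat
2022-09-15T10:01:03,C:\\Windows\\System32\\cmd.exe,C:\\Users\\victim\\Downloads\\cheat\\nir.exe,nir.exe exec hide MakiseKurisu.exe
2022-09-15T10:01:04,C:\\Users\\victim\\Downloads\\cheat\\nir.exe,C:\\Users\\victim\\Downloads\\cheat\\MakiseKurisu.exe,MakiseKurisu.exe
2022-09-15T10:01:09,C:\\Users\\victim\\Downloads\\cheat\\nir.exe,C:\\Users\\victim\\Downloads\\cheat\\download.exe,download.exe
2022-09-15T10:02:30,C:\\Users\\victim\\Downloads\\cheat\\nir.exe,C:\\Users\\victim\\Downloads\\cheat\\upload.exe,upload.exe
2022-09-15T11:00:00,C:\\Windows\\explorer.exe,C:\\Program Files\\Tool\\download.exe,download.exe --update
"""


def split_path(path: str):
    """Return (directory, basename) of a Windows or POSIX path, lower-cased."""
    norm = path.replace("/", "\\").lower()
    directory, _, name = norm.rpartition("\\")
    return directory, name


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse the CSV log into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_propagation_chain(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag events matching the article's chain.

    Rule 1: any launch of nir.exe; remember the directory it ran from.
    Rule 2: a propagation binary launched by nir.exe or cmd.exe from a
            directory where nir.exe was already seen (same staging folder).
    """
    hider_dirs = set()
    findings = []
    for ev in events:
        directory, name = split_path(ev["image"])
        _, parent = split_path(ev["parent_image"])
        if name == HIDER_BINARY:
            hider_dirs.add(directory)
            findings.append({"time": ev["time"], "image": name, "parent": parent,
                             "reason": "renamed NirCmd launched (window hiding step)"})
        elif name in PROPAGATION_BINARIES and parent in LAUNCHERS and directory in hider_dirs:
            findings.append({"time": ev["time"], "image": name, "parent": parent,
                             "reason": "propagation binary launched from NirCmd staging dir"})
    return findings


def summarize(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Return findings plus whether all three propagation binaries were observed."""
    findings = find_propagation_chain(events)
    seen = {f["image"] for f in findings} & PROPAGATION_BINARIES
    return {"findings": findings, "count": len(findings),
            "full_chain": seen == PROPAGATION_BINARIES}


if __name__ == "__main__":
    result = summarize(parse_events(SAMPLE_LOG))
    for f in result["findings"]:
        print(f"{f['time']}  {f['parent']} -> {f['image']}: {f['reason']}")
    print("full chain observed:", result["full_chain"])
```

The same-directory requirement is the part worth keeping when adapting this to real telemetry: the individual file names are weak indicators on their own, but a renamed NirCmd spawning a cookie stealer, a downloader and an uploader from one folder is the behaviour the article describes, and it survives trivial renaming of any single component.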
While the threat actor gets informed about the new upload, the channel owner is unlikely to realize they’re promoting malware on YouTube if they’re not very active on the platform.
This aggressive distribution method makes scrutiny and take-downs on YouTube even harder, as videos pointing to malicious downloads are uploaded from accounts that likely have a long-standing clean record.