April 24, 2025

RedLine: Self-Distributing Thief Targets YouTube Gamers

September 27, 2022

Kaspersky researchers have discovered an unconventional malicious bundle targeting gamers on YouTube (a bundle being a collection of malicious programs distributed as a single installer, self-extracting archive, or other file with installer functionality). The main payload is RedLine Stealer, one of the most common Trojans used to steal passwords and credentials from browsers.

Cybercriminals actively hunt for game accounts to abuse and for the hardware resources of powerful gaming PCs. Stealer-type malware is often distributed under the guise of pirated games, cheats, and cracked software, as Kaspersky experts noted in their latest review of gaming-related cyberthreats. This time, researchers discovered a different kind of game-related malicious activity: the attackers post the poisoned bundle on victims’ own YouTube channels under the guise of game-related content, with a link to a self-extracting RAR archive in the video description. The archive contains several malicious files, including the infamous RedLine stealer.

The stealer harvests usernames, passwords, cookies, bank card details and autofill data from Chromium- and Gecko-based browsers, data from crypto wallets, instant messengers and FTP/SSH/VPN clients, and files with certain extensions on the device. RedLine can also download and run third-party programs, execute commands via cmd.exe, and open links in the default browser. The stealer spreads in various ways, including malicious spam emails and third-party installers.

Beyond the RedLine payload itself, the discovered bundle is notable for its ability to self-propagate. Several files in the bundle are responsible for this: they record videos and upload them to the infected users’ YouTube channels, together with links to the password-protected archive. The videos advertise cheats and cracked software and give instructions on how to hack popular games and software. Games mentioned include APB Reloaded, CrossFire, DayZ, Dying Light 2, F1® 22, Farming Simulator, Farthest Frontier, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, Osu!, Point Blank, Project Zomboid, Rust, Sniper Elite, Spider-Man, Stray, Thymesia, VRChat and Walken.

Once a victim downloads the original bundle, the RAR archive extracts itself. The bundle contains a set of malicious files, clean utilities and a script that runs the contents automatically. Some of the file names contain inappropriate language.

Another element that caught the researchers’ attention is an illicit crypto miner. This makes sense, since the main audience for these videos is gamers, who are likely to own graphics cards that can be used for mining.

Kaspersky Senior Security Researcher Oleg Kupreev says: “Gamers are one of the most popular groups targeted by cybercriminals. This time, attackers are using game-related content as bait to steal victims’ login credentials and mine cryptocurrency on their computers. Our advice would be to choose carefully the sources you use to satisfy your gaming hunger and not to download suspicious archives from untrusted accounts.”

You can learn more about the game-related RedLine attacks on the Securelist website.

To protect yourself from malware hidden in open source packages, Kaspersky recommends the following:

  • Open source repositories allow anyone to publish their own packages, and not all of them are secure. For example, attackers can impersonate popular open source packages by changing a few letters so that the user thinks they have downloaded the original package. Therefore, we advise you to exercise caution and not treat these packages as trustworthy.
  • In general, development environments are suitable targets for attackers attempting to stage supply chain attacks. This requires urgent protection of such environments with powerful tools such as Kaspersky Hybrid Cloud Security.
  • To be the first to know about new malicious campaigns spreading through open source code, subscribe to threat intelligence feeds and reports, such as those available through our Threat Intelligence Portal.

Source: (BYZHA) – Beyaz News Agency

Source: Haber Safir
