Researchers have discovered that a malicious activity that distributes the RedLine Stealer infostealer comes with a very interesting self-propagation mechanism.
Kaspersky's cybersecurity experts discovered new malware that logs into the YouTube accounts of compromised users and uploads a video to their channel, which in turn distributes RedLine Stealer.
A victim, ideally a PC gamer, discovers a YouTube video offering cracks or cheats for their favorite games, such as FIFA, Final Fantasy, Forza Horizon, Lego Star Wars, or Spider-Man. The video's description contains links that claim to hold those cracks and cheats but, in turn, set off a chain of malicious actions.
RedLine Stealer, one of the most popular infostealers today, is capable of stealing passwords stored in people's browsers, cookies, credit card information, instant messaging conversations, and cryptocurrency wallets.
A cryptojacker is also included in the bundle. It is essentially a cryptocurrency miner that uses the computing power of the compromised endpoint to mine cryptocurrency for the attackers. Cryptocurrency mining usually requires substantial GPU power, which most gamers' PCs have.
The bundle of tools, which also includes a server component, has three malicious executables used for self-propagation: MakiseKurisu.exe, download.exe, and upload.exe. MakiseKurisu is an information stealer that collects browser cookies and stores them locally.
After using the cookies to log in, download.exe grabs the fake crack video from a GitHub repository. The video is then passed to upload.exe, which uploads it to the victim's YouTube account.
If the victim is an avid YouTube user or has notifications turned off, there is a good chance that the malicious video may stay up for a long time before being removed.
According to Kaspersky, upload.exe then sends a message to Discord with a link to the uploaded video.