Infostealer Being Distributed via YouTube

The ASEC analysis team has recently discovered an infostealer being distributed via YouTube. The attacker disguised the malware as a game hack (cheat) for Valorant, uploaded the video shown below with a download link for the malware, and instructed viewers to turn off their anti-malware program before running it.

Figure 1. YouTube video disguised as a game hack for Valorant

Another case of malware distributed via YouTube while disguised as a game hack or crack was covered in a previous ASEC blog post.

When users click the link to download the game hack program for Valorant, the following download page is displayed.

  • Download page URL: hxxps://anonfiles[.]com/J0b03cKexf
  • File download URL: hxxps://cdn-149.anonfiles[.]com/J0b03cKexf/bfb807d9-1646204724/Pluto%20Valornt%20cheat.rar
Figure 2. Download page

The downloaded archive “Pluto Valornt cheat.rar” contains an executable named “Cheat installer.exe”. Despite the name, it is not a game hack but an infostealer.

When executed, the malware collects basic information about the infected system, takes screenshots, and harvests a wide range of credentials: accounts saved in web browsers and VPN clients, cryptocurrency wallet files, Discord tokens, and Telegram session files. The full list of targets is as follows:

1. Basic information
– Computer name, user name, IP address, Windows version, system information (CPU, GPU, RAM, etc.), and list of processes

2. Web browser
2.1. List of targeted web browsers
– Chrome, Edge, and Firefox
2.2. Stolen information
– Passwords, credit card numbers, AutoFill forms, bookmarks, and cookies

3. Cryptocurrency wallet file
– Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, and Jaxx

4. VPN client account credentials
4.1. List of targeted VPN clients
– ProtonVPN, OpenVPN, and NordVPN
4.2. Stolen information
– Account credentials

5. Others
5.1. FileZilla
– Host address, port number, user name, and password
5.2. Minecraft VimeWorld
– Account credentials, level, ranking, etc.
5.3. Steam
– Client session information
5.4. Telegram
– Client session information
5.5. Discord
– Token information

The malware compresses the stolen data listed above into a single archive and sends it to the attacker through the Discord Webhooks API.

Figure 3. Stolen data and the compressed file of it
Figure 4. Routine that organizes stolen information

A Discord webhook lets anyone who holds its URL post messages, including file attachments, into a specific channel of a Discord server without any other credentials. The malware sends an HTTP POST request to the webhook URLs below with the compressed archive attached as a file, so the attacker receives both the stolen data and a notification in their Discord server. The sample contains the following two webhook URLs.

  • WebHook URL : hxxps://discordapp[.]com/api/webhooks/947181971019292714/gXE5T4ZQQF0yGOhuBSDhTkFXB0ut9ai71IZmOFvsdIaznalhyvQP0h45xCss-8W7KQCo
    UserAgent : log
    UserName : log
  • WebHook URL : hxxps://discord[.]com/api/webhooks/940299131098890301/RU4T0D4gNAYM0BZkAMMKQRwGBORfHiJUJ5lJ20Gd-s2yCIX9lXCbyB6yZ6zHUA5B-H42
    UserAgent : logloglog91
    UserName : logloglog91
Figure 5. Sending stolen information using Discord WebHook

A case of stealing information using Discord WebHook API was introduced in a previous ASEC blog post.
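To show what this webhook exfiltration looks like from the defender's side, the following is an added Python example written for this page; it is not ASEC's analysis code or the stealer's own code. It assumes a constructed, pipe-separated egress log format (timestamp|host|process|method|url|content_type|bytes_out); the log lines, the host and process names in them, and the third webhook ID (123456789012345678) are invented for illustration, while the two webhook URLs are the ones published above. It extracts the webhook ID and token, derives the webhook's creation time from the ID (Discord IDs are snowflakes whose upper bits hold a millisecond timestamp since 2015-01-01 UTC), and flags POST requests to webhook endpoints, treating multipart uploads and known IOC IDs as high severity.

```python
import re
from datetime import datetime, timezone

# Discord snowflake IDs (webhook IDs included) carry a creation timestamp:
# bits 63..22 hold milliseconds since the Discord epoch, 2015-01-01T00:00:00Z.
DISCORD_EPOCH_MS = 1420070400000

# Webhook endpoints on the hosts the sample uses (discord.com, discordapp.com)
# plus the ptb/canary hosts. Defanged hxxp / [.] URLs are accepted via refang().
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com"
    r"/api/webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]+)"
)


def refang(url):
    return url.replace("hxxp", "http").replace("[.]", ".")


def parse_webhook_url(url):
    """Return (webhook_id, token) for a Discord webhook URL, or None."""
    m = WEBHOOK_RE.search(refang(url))
    return (m.group("id"), m.group("token")) if m else None


def snowflake_to_datetime(snowflake):
    """Creation time encoded in a Discord snowflake, as an aware UTC datetime."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


# The two webhook URLs from the report, defanged exactly as published.
REPORTED_WEBHOOKS = [
    "hxxps://discordapp[.]com/api/webhooks/947181971019292714/gXE5T4ZQQF0yGOhuBSDhTkFXB0ut9ai71IZmOFvsdIaznalhyvQP0h45xCss-8W7KQCo",
    "hxxps://discord[.]com/api/webhooks/940299131098890301/RU4T0D4gNAYM0BZkAMMKQRwGBORfHiJUJ5lJ20Gd-s2yCIX9lXCbyB6yZ6zHUA5B-H42",
]
KNOWN_WEBHOOK_IDS = {parse_webhook_url(u)[0] for u in REPORTED_WEBHOOKS}

# Constructed egress log (not real telemetry). Fields:
# timestamp|host|process|method|url|content_type|bytes_out
# Hosts, processes and the 123456789012345678 webhook are invented.
SAMPLE_LOG = """\
2022-03-02T10:14:05Z|WS-07|Discord.exe|GET|https://discord.com/api/v9/users/@me|application/json|0
2022-03-02T10:14:09Z|WS-07|Cheat installer.exe|POST|https://discordapp.com/api/webhooks/947181971019292714/gXE5T4ZQQF0yGOhuBSDhTkFXB0ut9ai71IZmOFvsdIaznalhyvQP0h45xCss-8W7KQCo|multipart/form-data|284113
2022-03-02T10:14:10Z|WS-07|Cheat installer.exe|POST|https://discord.com/api/webhooks/940299131098890301/RU4T0D4gNAYM0BZkAMMKQRwGBORfHiJUJ5lJ20Gd-s2yCIX9lXCbyB6yZ6zHUA5B-H42|multipart/form-data|284113
2022-03-02T10:20:41Z|WS-07|chrome.exe|GET|https://www.youtube.com/|text/html|0
2022-03-02T11:02:13Z|BUILD-01|python.exe|POST|https://discord.com/api/webhooks/123456789012345678/not-a-real-token|application/json|312
"""


def find_webhook_posts(log_text, known_ids=KNOWN_WEBHOOK_IDS, allow=frozenset()):
    """Return one finding per POST to a Discord webhook endpoint.

    Severity is 'high' when the webhook ID is a known IOC or the body is a
    multipart upload (a file attachment, which is how the stealer ships its
    archive), otherwise 'low'. (host, process) pairs in `allow` are skipped,
    e.g. a CI box whose notification bot legitimately posts to a webhook.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, method, url, ctype, nbytes = line.split("|")
        parsed = parse_webhook_url(url)
        if method != "POST" or parsed is None or (host, proc) in allow:
            continue
        wid, token = parsed
        known = wid in known_ids
        upload = ctype.startswith("multipart/form-data")
        findings.append({
            "ts": ts,
            "host": host,
            "process": proc,
            "webhook_id": wid,
            "token_prefix": token[:8] + "...",  # the token is the secret; keep it out of tickets
            "webhook_created": snowflake_to_datetime(wid).isoformat(),
            "bytes_out": int(nbytes),
            "known_ioc": known,
            "severity": "high" if (known or upload) else "low",
        })
    return findings


if __name__ == "__main__":
    for f in find_webhook_posts(SAMPLE_LOG):
        print(f["severity"], f["host"], f["process"], f["webhook_id"],
              "created", f["webhook_created"], "known_ioc" if f["known_ioc"] else "")
```

Two caveats a practitioner should keep in mind. The token in the URL is the only secret a webhook has: anyone holding the full URL can post to it, which is why the URLs above are published defanged and why the example stores only a prefix in the finding. And because the webhook path sits inside TLS, a proxy without TLS inspection sees only discord.com; the URL-level match needs endpoint telemetry or inspected traffic, and a domain-only rule would also fire on the legitimate Discord client.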

As this post shows, malware can be delivered through a variety of platforms. Users should refrain from downloading pirated or cracked programs, avoid suspicious websites and P2P services, and use genuine software at all times. V3 should also be kept updated to the latest version so that infections can be prevented.

[File Detection]
– Malware/Win.AY.C4396023 (2021.03.29.01)

[IOC]
File MD5
– 6649fec7c656c6ab0ae0a27daf3ebb8e

Malware Download
– Download page: hxxps://anonfiles[.]com/J0b03cKexf
– Malicious compressed file download URL: hxxps://cdn-149.anonfiles[.]com/J0b03cKexf/bfb807d9-1646204724/Pluto%20Valornt%20cheat.rar

Discord WebHooks URL
– hxxps://discordapp[.]com/api/webhooks/947181971019292714/gXE5T4ZQQF0yGOhuBSDhTkFXB0ut9ai71IZmOFvsdIaznalhyvQP0h45xCss-8W7KQCo
– hxxps://discord[.]com/api/webhooks/940299131098890301/RU4T0D4gNAYM0BZkAMMKQRwGBORfHiJUJ5lJ20Gd-s2yCIX9lXCbyB6yZ6zHUA5B-H42

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

trackback

[…] Korean security analysts have spotted a malware distribution campaign that uses video game ‘cheat’ baits on YouTube to trick players into downloading RedLine, a powerful information stealing piece of malware. The video game, Valorant, is a free first-person shooter available on PC. The video on YouTube shows someone how to install an ‘aimbot’, which is software integrated with the game that automatically points the player’s weapon at any opposing player without the player’s input at all. This essentially allows skill-less players to dominate and escalate the rankings easily. […]

trackback

[…] under a video that in many cases points to useful information related to the topic of the video. South Korean researchers have now discovered that malicious parties are abusing web links in the description or subtitles of […]

trackback

[…] security experts from the company warned about this Asec. The malware they warned about is called RedLine, and if it is found on your device, it will try to […]

trackback

[…] promoting fake cheat software. According to Korean security researchers at ASEC, some Valorant players are now being deceived into downloading and running software that is […]

trackback

[…] is attracting the attention of scammers. It’s reported that a malware distribution campaign is leveraging YouTube to push infection files. The campaign distributes a file known for password theft, and hunts for those passwords in […]

trackback

[…] to Korean security researchers at A SECOND, some Valorant players are now tricked into downloading and running software that is promoted on […]

trackback

[…] ASEC spotted the campaign, which targets the gaming community of Valorant, a free first-person shooter for Windows, which offers a link to download an auto-aiming bot in the video description. […]

trackback

[…] at their fellow rivals or even auto-shoot. However, as South Korean security experts at AhnLab warn, you might be wise to resist the temptation to cheat. According to the security researchers, malware […]

trackback

[…] Disguised as an add-on for the video game Valorant, hackers are distributing via YouTube a malware called RedLine, focused on stealing personal data. The alarm was raised from South Korea by the cybersecurity firm AhnLab. […]

trackback

[…] Disguised as an add-on for the video game Valorant, some hackers are distributing via YouTube a malware called RedLine, which is focused on stealing personal data. The alarm was raised from South Korea by the cybersecurity firm AhnLab. […]

trackback

[…] The ASEC analysis team has recently discovered an infostealer that is reportedly being distributed via YouTube. In this case the attacker allegedly disguised the malware as a cracked version of the well-known shooter video game “Valorant”, uploading a supposed promotional video together with the download link to the well-known video platform. […]

trackback

[…] Korean security analysts have confirmed malware is being distributed via video game ‘cheat’ baits on YouTube. Players are tricked into downloading video game cheats that promise to give them strategic advantages in online video games. However, once downloaded and installed on a player’s machine, the hacker code steals valuable data from the machine or worse, installs crypto-mining or other malware onto these often very powerful gaming machines. […]

trackback

[…] at ASEC discovered the campaign. When a user clicks on the download link, they are taken to a download page. Here, they can […]
