Infostealer Being Distributed via YouTube

The ASEC analysis team has recently discovered an infostealer that is being distributed via YouTube. The attacker disguised the malware as a game hack for Valorant, uploaded the following video with a download link for the malware, and instructed viewers to turn off their anti-malware program before running it.

Figure 1. YouTube video disguised as a game hack for Valorant

The team has introduced another case of distribution disguised as a game hack or crack via YouTube in a previous ASEC blog post.

When users click the link to download the game hack program for Valorant, the following download page is displayed.

  • Download page URL: hxxps://anonfiles[.]com/J0b03cKexf
  • File download URL: hxxps://cdn-149.anonfiles[.]com/J0b03cKexf/bfb807d9-1646204724/Pluto%20Valornt%20cheat.rar

Figure 2. Download page

The downloaded compressed file “Pluto Valornt cheat.rar” contains an executable named “Cheat installer.exe”. Although its name suggests a game hack, it is actually an infostealer.

When the malware is executed, it collects basic information about the infected system together with screenshots and a range of user data: account credentials saved in web browsers and VPN client programs, cryptocurrency wallet files, Discord tokens, and Telegram session files. The following is a list of the data it steals:

1. Basic information
– Computer name, user name, IP address, Windows version, system information (CPU, GPU, RAM, etc.), and list of processes

2. Web browser
2.1. List of targeted web browsers
– Chrome, Edge, and Firefox
2.2. Stolen information
– Passwords, credit card numbers, AutoFill forms, bookmarks, and cookies

3. Cryptocurrency wallet file
– Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, and Jaxx

4. VPN client account credentials
4.1. List of targeted VPN clients
– ProtonVPN, OpenVPN, and NordVPN
4.2. Stolen information
– Account credentials

5. Others
5.1. FileZilla
– Host address, port number, user name, and passwords
5.2. Minecraft VimeWorld
– Account credentials, level, ranking, etc.
5.3. Steam
– Client session information
5.4. Telegram
– Client session information
5.5. Discord
– Token information
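
The list above tells a defender which on-disk stores to watch. The following script is an added example (not code from the ASEC post or from the malware) that maps file-access events to the categories in the list and flags a process that touches stores it has no business reading. The event format, the process names treated as legitimate owners, and the store paths are my own assumptions from general knowledge of these applications (the VPN and wallet directory names in particular should be tuned to your environment); none of them come from the post.

```python
"""Flag processes reading credential stores that belong to other applications.

Added example for triage of infostealer activity. The event schema, path
patterns and owner allowlist are assumptions, not taken from the ASEC post.
"""
import re

# (category, regex matched against the lower-cased, backslash-normalised path,
#  processes that are expected to read that store)
SENSITIVE_STORES = [
    ("browser", r"\\(google\\chrome|microsoft\\edge)\\user data\\.*\\(login data|web data|cookies|bookmarks)$",
     {"chrome.exe", "msedge.exe"}),
    ("browser", r"\\mozilla\\firefox\\profiles\\.*\\(logins\.json|key4\.db|cookies\.sqlite)$",
     {"firefox.exe"}),
    # Wallet locations and owner names are assumed; adjust to the wallets you actually deploy.
    ("wallet", r"\\(electrum\\wallets|exodus\\exodus\.wallet|armory|bitcoin\\wallet\.dat)",
     {"electrum.exe", "exodus.exe", "armoryqt.exe", "bitcoin-qt.exe"}),
    # VPN client directories are assumed approximations.
    ("vpn", r"\\(openvpn\\config|protonvpn|nordvpn)\\",
     {"openvpn.exe", "openvpn-gui.exe", "protonvpn.exe", "nordvpn.exe"}),
    ("ftp", r"\\filezilla\\(sitemanager|recentservers)\.xml$", {"filezilla.exe"}),
    ("messaging", r"\\telegram desktop\\tdata\\", {"telegram.exe"}),
    ("messaging", r"\\discord\\local storage\\leveldb\\", {"discord.exe"}),
]
COMPILED = [(cat, re.compile(rx), owners) for cat, rx, owners in SENSITIVE_STORES]


def normalise(path):
    """Use backslashes and lower case so one regex covers both path styles."""
    return path.replace("/", "\\").lower()


def classify_path(path):
    """Return (category, expected_owners) if the path is a known sensitive store."""
    p = normalise(path)
    for cat, rx, owners in COMPILED:
        if rx.search(p):
            return cat, owners
    return None


def find_suspicious_access(events):
    """events: dicts with 'process' and 'path'. Alert when a non-owner reads a store."""
    alerts = []
    for ev in events:
        hit = classify_path(ev["path"])
        if hit is None:
            continue
        cat, owners = hit
        proc = ev["process"].rsplit("\\", 1)[-1].lower()
        if proc not in owners:
            alerts.append({"process": ev["process"], "category": cat, "path": ev["path"]})
    return alerts


def summarise(alerts, threshold=3):
    """Processes that touch at least `threshold` distinct categories: a browser
    reads browser stores, but nothing legitimate reads browser, wallet, FTP and
    messenger data in one go."""
    by_proc = {}
    for a in alerts:
        by_proc.setdefault(a["process"], set()).add(a["category"])
    return {proc: sorted(cats) for proc, cats in by_proc.items() if len(cats) >= threshold}


# Constructed sample events; the process name mirrors the post, the paths are assumed.
SAMPLE_EVENTS = [
    {"process": "Cheat installer.exe", "path": r"C:\Users\v\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": "Cheat installer.exe", "path": r"C:\Users\v\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default-release\key4.db"},
    {"process": "Cheat installer.exe", "path": r"C:\Users\v\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"process": "Cheat installer.exe", "path": r"C:\Users\v\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"process": "Cheat installer.exe", "path": r"C:\Users\v\AppData\Roaming\Telegram Desktop\tdata\D877F783D5D3EF8C"},
    {"process": "Cheat installer.exe", "path": r"C:\Users\v\AppData\Roaming\discord\Local Storage\leveldb\000003.ldb"},
    {"process": "chrome.exe", "path": r"C:\Users\v\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": "filezilla.exe", "path": r"C:\Users\v\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"process": "explorer.exe", "path": r"C:\Users\v\Documents\notes.txt"},
]

if __name__ == "__main__":
    hits = find_suspicious_access(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['process']:22} {h['category']:10} {h['path']}")
    print("multi-category readers:", summarise(hits))
```

On the constructed events the owner check suppresses the browser and FTP client reading their own stores, and only the disguised installer crosses the category threshold. In practice the events would come from an EDR or Sysmon file-access feed rather than an inline list.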

The malware compresses the stolen information listed above into a single archive and sends it to the attacker via the Discord Webhook API.

Figure 3. Stolen data and the compressed file of it
Figure 4. Routine that organizes stolen information

Using the Webhook API lets the malware deliver both the data and a notification to a specific Discord server. The malware attaches the compressed archive of stolen information to an HTTP POST request sent to the webhook URL, and the attacker receives the archive together with a notification in their Discord server. The malware uses the following two attacker-controlled webhook URLs.

  • WebHook URL: hxxps://discordapp[.]com/api/webhooks/947181971019292714/gXE5T4ZQQF0yGOhuBSDhTkFXB0ut9ai71IZmOFvsdIaznalhyvQP0h45xCss-8W7KQCo
    UserAgent: log
    UserName: log
  • WebHook URL: hxxps://discord[.]com/api/webhooks/940299131098890301/RU4T0D4gNAYM0BZkAMMKQRwGBORfHiJUJ5lJ20Gd-s2yCIX9lXCbyB6yZ6zHUA5B-H42
    UserAgent: logloglog91
    UserName: logloglog91

Figure 5. Sending stolen information using Discord WebHook

A case of stealing information using Discord WebHook API was introduced in a previous ASEC blog post.
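
Two things a responder wants from a webhook IoC like the ones above are a way to triage the URL itself and a way to spot the same exfiltration pattern in network logs. The script below is an added example, not code from the ASEC post: it refangs a defanged URL, splits it into webhook ID and token, derives the webhook's creation time from the ID (Discord IDs are snowflakes whose upper bits hold a millisecond timestamp counted from 2015-01-01T00:00:00Z), and then runs a simple rule over constructed proxy log lines that flags a POST to a webhook endpoint from a process outside an allowlist, raising the severity when the body is a multipart upload (a file attachment). The JSON log schema, the allowlist, and the placeholder token are my assumptions; the webhook IDs are the ones listed in the post.

```python
"""Triage Discord webhook IoCs and detect webhook-based exfiltration in proxy logs.

Added example; the log format, allowlist and helper names are assumptions,
not part of the ASEC post or the malware.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Discord's snowflake epoch: 2015-01-01T00:00:00Z in milliseconds.
DISCORD_EPOCH_MS = 1420070400000

WEBHOOK_RE = re.compile(
    r"https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]+)"
)

# Processes that may legitimately call webhooks in this (assumed) environment.
ALLOWED_WEBHOOK_CLIENTS = {"ci-runner.exe"}


def refang(text):
    """Turn the blog's defanged notation (hxxps, [.]) back into a real URL string."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def parse_webhook_url(url):
    """Split a webhook URL into its numeric ID and token; None if it is not one."""
    m = WEBHOOK_RE.search(url)
    if not m:
        return None
    return {"id": int(m.group("id")), "token": m.group("token")}


def snowflake_to_ms(snowflake):
    """Top 42 bits of a snowflake are milliseconds since the Discord epoch."""
    return (snowflake >> 22) + DISCORD_EPOCH_MS


def snowflake_to_datetime(snowflake):
    """UTC creation time of the object the snowflake identifies (here, the webhook)."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=snowflake_to_ms(snowflake))


def detect_webhook_exfil(log_lines):
    """log_lines: JSON objects with process, method, url, content_type, bytes.
    Alert on POSTs to /api/webhooks/ from non-allowlisted processes."""
    alerts = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("method") != "POST":
            continue
        hook = parse_webhook_url(ev.get("url", ""))
        if hook is None:
            continue
        proc = ev.get("process", "").rsplit("\\", 1)[-1].lower()
        if proc in ALLOWED_WEBHOOK_CLIENTS:
            continue
        # A multipart body means a file was attached, which is how the stealer ships its archive.
        is_upload = ev.get("content_type", "").startswith("multipart/form-data")
        alerts.append({
            "time": ev.get("time"),
            "process": ev.get("process"),
            "webhook_id": hook["id"],
            "webhook_created": snowflake_to_datetime(hook["id"]).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "bytes": ev.get("bytes", 0),
            "severity": "high" if is_upload else "medium",
        })
    return alerts


# Constructed proxy log lines. The webhook ID is from the post; the token is a placeholder.
SAMPLE_LOG_LINES = [
    '{"time":"2022-03-02T10:15:01Z","process":"Cheat installer.exe","method":"POST",'
    '"url":"https://discord.com/api/webhooks/940299131098890301/TOKEN_PLACEHOLDER",'
    '"content_type":"multipart/form-data; boundary=abc","bytes":184322}',
    '{"time":"2022-03-02T10:15:02Z","process":"chrome.exe","method":"GET",'
    '"url":"https://discord.com/channels/@me","content_type":"text/html","bytes":0}',
    '{"time":"2022-03-02T10:16:00Z","process":"ci-runner.exe","method":"POST",'
    '"url":"https://discord.com/api/webhooks/111111111111111111/TOKEN_PLACEHOLDER",'
    '"content_type":"application/json","bytes":412}',
    '{"time":"2022-03-02T10:17:30Z","process":"python.exe","method":"POST",'
    '"url":"https://discordapp.com/api/webhooks/222222222222222222/TOKEN_PLACEHOLDER",'
    '"content_type":"application/json","bytes":96}',
]

if __name__ == "__main__":
    ioc = refang("hxxps://discordapp[.]com/api/webhooks/947181971019292714/TOKEN_PLACEHOLDER")
    hook = parse_webhook_url(ioc)
    print("webhook", hook["id"], "created", snowflake_to_datetime(hook["id"]).isoformat())
    for a in detect_webhook_exfil(SAMPLE_LOG_LINES):
        print(a)
```

The creation timestamp is useful for correlating a webhook with the start of a campaign even after the webhook has been deleted, because it is encoded in the ID rather than looked up from Discord. For the first webhook in the post the ID decodes to 2022-02-26 UTC, a few days before the file download URL's own timestamp.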

As this post shows, malware can be distributed through many different platforms. Users should refrain from downloading illegal programs, avoid suspicious websites and P2P services, and use genuine software at all times. V3 should also be kept updated to the latest version so that infections can be blocked.

[File Detection]
– Malware/Win.AY.C4396023 (2021.03.29.01)

[IOC]
File MD5
– 6649fec7c656c6ab0ae0a27daf3ebb8e

Malware Download
– Download page: hxxps://anonfiles[.]com/J0b03cKexf
– Malicious compressed file download URL: hxxps://cdn-149.anonfiles[.]com/J0b03cKexf/bfb807d9-1646204724/Pluto%20Valornt%20cheat.rar

Discord WebHooks URL
– hxxps://discordapp[.]com/api/webhooks/947181971019292714/gXE5T4ZQQF0yGOhuBSDhTkFXB0ut9ai71IZmOFvsdIaznalhyvQP0h45xCss-8W7KQCo
– hxxps://discord[.]com/api/webhooks/940299131098890301/RU4T0D4gNAYM0BZkAMMKQRwGBORfHiJUJ5lJ20Gd-s2yCIX9lXCbyB6yZ6zHUA5B-H42

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
