RedLine spreads through ads for cheats and cracks on YouTube

UPD: A notice on Google’s response to the issue was added.

An unusual malicious bundle (a collection of malicious programs distributed in the form of a single installation file, self-extracting archive or other file with installer-type functionality) recently caught our eye. Its main payload is the widespread RedLine stealer. Discovered in March 2020, RedLine is currently one of the most common Trojans used to steal passwords and credentials from browsers, FTP clients and desktop messengers. It is openly available on underground hacker forums for just a few hundred dollars, a relatively small price tag for malware.

The stealer can pinch usernames, passwords, cookies, bank card details and autofill data from Chromium- and Gecko-based browsers, data from cryptowallets, instant messengers and FTP/SSH/VPN clients, as well as files with particular extensions from devices. In addition, RedLine can download and run third-party programs, execute commands in cmd.exe and open links in the default browser. The stealer spreads in various ways, including through malicious spam e-mails and third-party loaders.

The bundle: what’s inside beside RedLine

In addition to the payload itself, the discovered bundle is of note for its self-propagation functionality. Several files are responsible for this, which receive videos, and post them to the infected users’ YouTube channels along with the links to a password-protected archive with the bundle in the description. The videos advertise cheats and cracks and provide instructions on hacking popular games and software. Among the games mentioned are APB Reloaded, CrossFire, DayZ, Dying Light 2, F1® 22, Farming Simulator, Farthest Frontier, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, Osu!, Point Blank, Project Zomboid, Rust, Sniper Elite, Spider-Man, Stray, Thymesia, VRChat and Walken. According to Google, the hacked channels were quickly terminated for violation of the company’s Community Guidelines.

Examples of videos spreading the bundle

Examples of videos spreading the bundle

The original bundle is a self-extracting RAR archive containing a number of malicious files, clean utilities and a script to automatically run the unpacked contents. Because of the expletives used by the bundle’s creators, we had to hide some file names.

Contents of the self-extracting archive

Contents of the self-extracting archive

Right after unpacking, three executable files are run: cool.exe, ***.exe and AutoRun.exe. The first is the RedLine stealer mentioned above. The second is a miner, which makes sense, since the main target audience, judging by the video, is gamers — who are likely to have video cards installed that can be used for mining. The third executable file copies itself to the %APPDATA%MicrosoftWindowsStart MenuProgramsStartup directory, which ensures automatic startup and runs the first of the batch files.

The batch files, in turn, run three other malicious files: MakiseKurisu.exe, download.exe and upload.exe. These are the files responsible for the bundle’s self-distribution. On top of that, one of the batch files runs the nir.exe utility, which lets malicious executable files run without displaying any windows or taskbar icons.

Contents of the first and second batch files

Contents of the first and second batch files

The size of the download.exe file is an impressive 35 MB. However, it’s basically a regular loader whose purpose is to download videos for uploading to YouTube, as well as files with the description text and links to the malicious archive. The executable file is large because it is a NodeJS interpreter glued together with the scripts and dependencies of the main application. The malware takes the file download links from a GitHub repository. In the latest modifications, a 7-Zip archive with videos and descriptions organized into directories is downloaded. The archive is unpacked using the console version of 7-Zip, included in the bundle.

Contents of the 7-Zip archive

Contents of the 7-Zip archive

MakiseKurisu.exe is a password stealer written in C# and modified to suit the needs of the bundle’s creators. The source code from GitHub was likely taken as the basis: the file contains many standard stealer features that are not used in any way. These include checking for a debugger and for a virtual environment, sending information about the infected system to instant messengers, and stealing passwords.

So, what remains and what do the changes amount to? The only working function in MakiseKurisu.exe is extracting cookies from browsers and storing them in a separate file without sending the stolen data anywhere. It is precisely through cookies that the bundle gains access to the infected user’s YouTube account, where it uploads the video.

The last malicious file in the bundle is upload.exe, which uploads the video previously downloaded using download.exe, to YouTube. This file is also written in NodeJS. It uses the Puppeteer Node library, which provides a high-level API for managing Chrome and Microsoft Edge using the DevTools protocol. When the video is successfully uploaded to YouTube, upload.exe sends a message to Discord with a link to the uploaded video.

Code for video uploading

Code for video uploading

Code for sending notification to Discord

Code for sending notification to Discord

Conclusion

Cybercriminals actively hunt for gaming accounts and gaming computer resources. As we noted in our overview of gaming-related cyberthreats, stealer-type malware is often distributed under the guise of game hacks, cheats and cracks. The self-spreading bundle with RedLine is a prime example of this: cybercriminals lure victims with ads for cracks and cheats, as well as instructions on how to hack games. At the same time, the self-propagation functionality is implemented using relatively unsophisticated software, such as a customized open-source stealer. All this is further proof, if any were needed, that illegal software should be treated with extreme caution.

IoC

MD5 hashes
32dd96906f3e0655768ea09d11ea6150
1d59f656530b2d362f5d540122fb2d03
6ebe294142d34c0f066e070560a335fb
64b4d93889661f2ff417462e95007fb4
b53ea3c1d42b72b9c2622488c5fa82ed
ac56f398a5ad9fb662d8b04b61a1e4c5
f80abd7cfb638f6c69802e7ac4dcf631
e59e63cdaec7957e68c85a754c69e109
9194c2946e047b1e5cb4865a29d783f4
f9d443ad6937724fbd0ca507bb5d1076
7cd4f824f61a3a05abb3aac40f8417d4

Links to archives with the original bundle
hxxps://telegra[.]ph/2022-July-07-27
hxxps://telegra[.]ph/DayZ-Eazy-Menu-06-24
hxxps://telegra[.]ph/Cossfire-cheat-06-24
hxxps://telegra[.]ph/APB-Reloaded-hack-05-29
hxxps://telegra[.]ph/Forza-Horizon-5-Hack-Menu-07-13
hxxps://telegra[.]ph/Point-Blank-Cheat-05-29
hxxps://telegra[.]ph/Project-Zomboid-Private-Cheat-06-26
hxxps://telegra[.]ph/VRChat-Cheat-04-24

Links to GitHub
hxxps://github[.]com/AbdulYaDada/fdgkjhfdguoerldifgj
hxxps://raw.githubusercontent[.]com/AbdulYaDada/fdgkjhfdguoerldifgj/

RedLine C2
45.150.108[.]67:80

Source: https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/