- Illegal software should be treated with extreme caution, Kaspersky researcher says.
- RedLine is currently one of the most common Trojans used to steal passwords and credentials from browsers, FTP clients and desktop messengers
- The stealer spreads in various ways, including through malicious spam e-mails and third-party loaders.
A malicious bundle containing the RedLine stealer and a cryptocurrency miner is being distributed on YouTube through videos that advertise cheats and cracks for popular games.
Discovered in March 2020, RedLine is currently one of the most common Trojans used to steal passwords and credentials from browsers, FTP clients and desktop messengers.
It is openly available on underground hacker forums for just a few hundred dollars, a relatively small price tag for malware.
Oleg Kupreev, Kaspersky researcher, said the stealer can pinch usernames, passwords, cookies, bank card details and autofill data from Chromium- and Gecko-based browsers, data from cryptowallets, instant messengers and FTP/SSH/VPN clients, as well as files with particular extensions from devices.
In addition, he said that RedLine can download and run third-party programs, execute commands in cmd.exe and open links in the default browser. The stealer spreads in various ways, including through malicious spam e-mails and third-party loaders.
“In addition to the payload itself, the discovered bundle is of note for its self-propagation functionality. Several files are responsible for this, which receive videos, and post them to the infected users’ YouTube channels along with the links to a password-protected archive with the bundle in the description,” he said.
Games mentioned
The videos advertise cheats and cracks and provide instructions on hacking popular games and software.
Among the games mentioned are APB Reloaded, CrossFire, DayZ, Dying Light 2, F1® 22, Farming Simulator, Farthest Frontier, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, Osu!, Point Blank, Project Zomboid, Rust, Sniper Elite, Spider-Man, Stray, Thymesia, VRChat and Walken.
According to the analytical agency Newzoo, in 2022, the global gaming market is expected to exceed $200 billion, with three billion players online.
Kupreev said the original bundle is a self-extracting RAR archive containing a number of malicious files, clean utilities and a script that automatically runs the unpacked contents.
Right after unpacking, three executable files are run: cool.exe, ***.exe and AutoRun.exe. The first is the RedLine stealer. The second is a miner, which makes sense, since the main target audience, judging by the video, is gamers — who are likely to have video cards installed that can be used for mining.
The third executable file copies itself to the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup directory, which ensures it is launched automatically at each logon, and then runs the first of the batch files.
The batch files, in turn, run three other malicious files: MakiseKurisu.exe, download.exe and upload.exe.
These are the files responsible for the bundle’s self-distribution. On top of that, one of the batch files runs the nir.exe utility, which lets malicious executable files run without displaying any windows or taskbar icons.
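The persistence step described above relies on nothing more exotic than the per-user Startup folder, so a responder's first check on a suspected host is simply to inventory what sits there. The following PowerShell triage script is an added example, not code from Kaspersky's report or from the bundle itself; it assumes a standard Windows layout (the per-user path is the one named in the article, the all-users path is an added assumption) and must be run from an elevated prompt. It resolves shortcut targets, records SHA-256 and Authenticode status, previews the first lines of any batch or script launcher so the analyst can see what it chains to, and flags runnable items that are not validly signed:

```powershell
# Added triage example, not code from Kaspersky or from the bundle itself.
# Lists everything in the per-user and all-users Startup folders (the per-user
# one is the path the AutoRun.exe component copies itself to), resolves .lnk
# targets, records SHA-256 and Authenticode status, and flags unsigned
# runnable items. Run from an elevated PowerShell prompt on the suspect host.

$startupDirs = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')  # assumed all-users path
)

# File types that Explorer executes directly when processing the Startup folder.
$runnable = @('.exe', '.bat', '.cmd', '.vbs', '.js', '.ps1', '.scr', '.lnk')
$shell    = New-Object -ComObject WScript.Shell

function Get-StartupItemInfo {
    param([System.IO.FileInfo]$Item)

    # A shortcut is only as interesting as the binary it points at.
    $target = $Item.FullName
    if ($Item.Extension -ieq '.lnk') {
        $target = $shell.CreateShortcut($Item.FullName).TargetPath
    }

    $hash = 'n/a'; $sigStatus = 'n/a'; $preview = ''
    if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
        $hash      = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        $sigStatus = (Get-AuthenticodeSignature -LiteralPath $target).Status
        # For batch/script launchers, show what they actually run; in the bundle
        # described above the batch files are what chain to the next stage.
        if ($target -match '\.(bat|cmd|vbs|js|ps1)$') {
            $preview = (Get-Content -LiteralPath $target -TotalCount 5) -join ' | '
        }
    }

    [pscustomobject]@{
        File       = $Item.Name
        Target     = $target
        Created    = $Item.CreationTime
        SHA256     = $hash
        Signature  = $sigStatus
        Preview    = $preview
        # Anything runnable that is not validly signed deserves a closer look;
        # malware dropped into Startup is practically never Authenticode-signed.
        Suspicious = ($runnable -contains $Item.Extension.ToLower()) -and ($sigStatus -ne 'Valid')
    }
}

$findings = foreach ($dir in $startupDirs) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -File -Force | ForEach-Object { Get-StartupItemInfo -Item $_ }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-List
```

Because `-Force` is used, hidden files such as desktop.ini are listed too; they are not in the runnable set and so are not flagged. The hashes collected here can be checked against threat-intelligence sources, and the Created timestamp gives a starting point for building a timeline of when the bundle was unpacked. The script only reads the Startup folder; the other executables and the hidden-window launcher utility the article mentions live wherever the archive was extracted, so the batch file preview is what points the analyst at that location.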
Hackers’ agenda
Kupreev said that cybercriminals actively hunt for gaming accounts and gaming computer resources.
“The stealer-type malware is often distributed under the guise of game hacks, cheats and cracks. The self-spreading bundle with RedLine is a prime example of this: cybercriminals lure victims with ads for cracks and cheats, as well as instructions on how to hack games.
“At the same time, the self-propagation functionality is implemented using relatively unsophisticated software, such as a customised open-source stealer. All this is further proof, if any were needed, that illegal software should be treated with extreme caution,” he said.