A new malware bundle hijacks the YouTube channels of its victims to propagate itself further, using the hijacked channels to publish video tutorials that promote phoney cheats and cracks for well-known video games.
The self-propagating bundle has been pushed in YouTube videos aimed at players of FIFA, Final Fantasy, Forza Horizon, Lego Star Wars, and Spider-Man.
The links in these videos direct users to supposed cracks and cheats, but instead download and install the same malicious software package that infected the uploader.
Researchers from Kaspersky discovered a RAR bundle containing several malicious programmes, most notably RedLine, one of the most widely distributed information stealers at the moment.
RedLine can read instant messaging conversations, infiltrate cryptocurrency wallets, and steal data from the victim’s web browser, including cookies, account passwords, and credit card information.
The RAR archive also contains a miner that uses the victim’s graphics card, which is quite likely to be present given that the victims are watching gaming videos on YouTube, to generate cryptocurrency for the attackers.
All executables are hidden when launched and produce no taskbar icons or windows in the user interface, thanks to the genuine NirSoft NirCmd tool, “nir.exe,” that is included in the bundle.
Threat actors frequently employ the bundled infections and executables in other malware distribution operations, so they are not especially intriguing on their own.
Self-propagating RedLine over YouTube
However, Kaspersky found a peculiar and intriguing self-propagation mechanism in the package that enables the malware to spread to further victims on the Internet. Three malicious executables, “MakiseKurisu.exe,” “download.exe,” and “upload.exe,” are used to spread the bundle; they are launched by batch files found in the RAR.
The first, MakiseKurisu, is a modified version of a popular C# password stealer that is used only to extract cookies from browsers and save them locally.
The second executable, “download.exe,” downloads a YouTube video that is a duplicate of the videos used to advertise the harmful bundle.
To avoid connecting to video URLs that have been reported and removed from YouTube, the videos are obtained via links retrieved from a GitHub repository.
The malware-promoting videos are then uploaded to YouTube using “upload.exe,” which logs into the victim’s YouTube account using the stolen cookies to distribute the bundle through their channel.
According to Kaspersky’s analysis, “It [upload.exe] leverages the Puppeteer Node library, which offers a high-level API for operating Chrome and Microsoft Edge through the DevTools protocol.”
“Upload.exe sends a message to Discord with a URL to the uploaded video after the video is successfully posted to YouTube.”
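The launch chain described above (batch file → NirCmd → one of the three bundle executables) is something a defender can look for in process-creation telemetry. The following is an added detection example, not code from the article or from Kaspersky; the executable names come from the article, while the `exec hide` NirCmd argument form and the sample events are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Executable names Kaspersky reported for this bundle (taken from the article).
BUNDLE_IMAGES = {"makisekurisu.exe", "download.exe", "upload.exe"}
# Legitimate NirSoft NirCmd tool the bundle ships to launch the others without windows.
NIRCMD_IMAGE = "nir.exe"
# Parents that the article describes as launchers: batch files (cmd.exe) and NirCmd itself.
LAUNCHER_PARENTS = {"cmd.exe", NIRCMD_IMAGE}


@dataclass
class ProcEvent:
    image: str    # full path of the created process
    parent: str   # full path of the parent process
    cmdline: str  # command line of the created process


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, event) pairs for events matching the bundle's launch chain."""
    hits = []
    for ev in events:
        name, parent = _basename(ev.image), _basename(ev.parent)
        # Rule 1: one of the bundle's executables spawned by a batch file or by NirCmd.
        if name in BUNDLE_IMAGES and parent in LAUNCHER_PARENTS:
            hits.append(("bundle-exe-from-launcher", ev))
        # Rule 2: NirCmd used to launch something hidden. The "exec hide" argument
        # form is an assumption about how NirCmd is invoked, not stated in the article.
        if name == NIRCMD_IMAGE and re.search(r"\bexec\s+hide\b", ev.cmdline, re.I):
            hits.append(("nircmd-hidden-launch", ev))
    return hits


# Constructed sample events (not real telemetry) mimicking the described chain.
SAMPLE = [
    ProcEvent(r"C:\Users\u\Downloads\cheat\nir.exe", r"C:\Windows\System32\cmd.exe",
              'nir.exe exec hide "MakiseKurisu.exe"'),
    ProcEvent(r"C:\Users\u\Downloads\cheat\MakiseKurisu.exe",
              r"C:\Users\u\Downloads\cheat\nir.exe", "MakiseKurisu.exe"),
    ProcEvent(r"C:\Users\u\Downloads\cheat\upload.exe", r"C:\Windows\System32\cmd.exe",
              "upload.exe"),
    ProcEvent(r"C:\Program Files\Git\git.exe", r"C:\Windows\System32\cmd.exe", "git pull"),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE):
        print(f"{rule}: {ev.image} (parent {ev.parent})")
```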
Even though the threat actor is notified of the new upload, the channel owner may not be aware they are pushing malware on YouTube if they are not very active on the platform.
Since videos linking to malware downloads are uploaded from accounts with a lengthy history of good behaviour, this aggressive distribution strategy makes monitoring and takedowns on YouTube much more difficult.