How YouTube videos are being used to deliver a set of unusual malware to gamers
YouTube is being used to distribute a new set of malware, but probably not in the way you’d expect. The videos promote cracks and cheats for several popular games, but the links in the video descriptions expose viewers to malware downloads. The malware itself spreads these videos by taking over victims’ accounts and uploading more copies. It also steals anything not nailed down in the process.
The malware campaign targets fans of games like FIFA, Final Fantasy, Forza Horizon, Lego Star Wars and Spider-Man. While users think they are downloading hacks for the game, they are actually downloading a ZIP file crawling with malware. It includes, among other things, the RedLine data stealer, which can harvest passwords, cryptocurrency wallets and more. There is also a crypto-miner that uses the victim’s GPU to mine digital currency. There is little visible sign that these processes are running on the computer, as the archive also includes a legitimate Windows utility called NirCmd, which the malware uses to hide its windows and system tray icons.
The real star of the show is a trio of malicious executables: MakiseKurisu.exe, download.exe, and upload.exe. MakiseKurisu is a password stealer that extracts cookies from the user’s browser, in particular the YouTube login session. “download” then pulls the bait video and description text from a GitHub repository, and “upload” posts it to YouTube using the stolen account. Eventually someone else comes along, downloads the linked archive, and it all starts again.
Yes, nothing suspicious there.
The aggressive propagation mechanism makes it difficult to delete all copies of the video, but it’s surprisingly easy to avoid – all you need is a bit of common sense. The video descriptions include installation instructions for the alleged cheats, and one of the steps is “disable your antivirus”. Even casual Internet users should by now know that anyone telling you to disable your antivirus and install some mysterious file is not someone to trust. And yet, the malware continues to spread.
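As an added example (not code from the article or from Kaspersky), the following triage helper looks for the combination of signals described above in a downloaded archive: the three executable names the article lists, the bundled NirCmd binary, and a text file telling the user to disable antivirus. The sample archive it builds is constructed with placeholder contents; the filename `nircmd.exe` and the README wording are assumptions about how such a bundle is laid out.

```python
import io
import zipfile

# Indicator names taken from the campaign described in the article (case-insensitive match).
STEALER_NAMES = {"makisekurisu.exe", "download.exe", "upload.exe"}
HIDER_NAMES = {"nircmd.exe"}  # assumed filename of the bundled NirCmd utility
AV_HINTS = ("disable your antivirus", "turn off your antivirus", "disable antivirus")


def triage_archive(data: bytes) -> dict:
    """Inspect a ZIP archive (raw bytes) and report which of the campaign's signals it carries."""
    found = {"stealer": [], "hider": [], "av_disable_hint": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base in STEALER_NAMES:
                found["stealer"].append(info.filename)
            elif base in HIDER_NAMES:
                found["hider"].append(info.filename)
            elif base.endswith((".txt", ".md", ".nfo")) and info.file_size < 64 * 1024:
                # Only small text files are read: the "installation instructions" are a few lines.
                text = zf.read(info).decode("utf-8", errors="ignore").lower()
                if any(hint in text for hint in AV_HINTS):
                    found["av_disable_hint"] = True
    # A known stealer name alone is decisive; the hider is only suspicious together with the AV hint.
    found["suspicious"] = bool(found["stealer"]) or (bool(found["hider"]) and found["av_disable_hint"])
    return found


def build_sample_archive(malicious: bool = True) -> bytes:
    """Constructed sample: mimics the bundle layout from the article; every file body is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("Cheat/README.txt", "1. Disable your antivirus\n2. Run install.exe\n")
            zf.writestr("Cheat/install.exe", b"placeholder, not an executable")
            zf.writestr("Cheat/bin/nircmd.exe", b"placeholder, not NirCmd")
            zf.writestr("Cheat/bin/MakiseKurisu.exe", b"placeholder, not malware")
        else:
            zf.writestr("Trainer/README.txt", "Run trainer.exe while the game is open.\n")
            zf.writestr("Trainer/trainer.exe", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```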
According to Kaspersky SecureList, Google is aware of the campaign and is terminating channels that upload the videos for violating community guidelines. So trying to download game cracks not only gets your personal data stolen, it also costs you your YouTube account.
**Editor’s note:** We’ve teamed up with Cheat Happens for a fantastic promotion of five GeForce RTX 3080 video cards. Cheat Happens creates legit cheats and trainers for single-player games only. It has been in business for over two decades and has a strict no-multiplayer policy. Even for gray-area games like Elden Ring, Cheat Happens only supports offline use.