Redline Stealer Malware Now Targets Gamers Via Popular YouTube Videos

According to a recent study by Kaspersky, RedLine Stealer malware is now targeting YouTube gaming channels. The stealer can steal usernames, passwords, cookies, credit card data and autofill data from Chromium- and Gecko-based browsers, data from crypto wallets, instant messengers and FTP/SSH/VPN clients, and files with specific extensions from the infected device. Additionally, RedLine can download and run third-party programs, run commands in cmd.exe, and open links in the default browser. The stealer is spread in a variety of ways, including malicious spam emails and third-party loaders.

How is this Redline Stealer malware spread?

The original package is a self-extracting RAR archive that includes several harmful files, safe programs and a script to automatically launch the unpacked contents. We have to hide several filenames due to the use of profanity by the bundle creators.

Three executable files are launched immediately after decompression: cool.exe, ***.exe and AutoRun.exe. The first is the RedLine stealer mentioned above. The second is a miner, which makes sense given that gamers, who are likely to have video cards installed that can be used for mining, are the primary target demographic if the video is to be believed. The third executable file places itself in the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup directory, which ensures that it launches automatically and runs the first batch file.
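The persistence step above relies on the per-user Startup folder, which is a place defenders can audit cheaply. The following script is an added example, not code from Kaspersky's write-up or from this article: it lists every script, executable or shortcut in the user and all-users Startup folders with size, SHA-256 and modification time, and flags entries modified within a lookback window. The extension list, the seven-day window, the all-users ProgramData path and the constructed sample directory used by `demo_on_constructed_dir()` are assumptions made for the example.

```python
"""Audit Windows Startup folders for persistence artefacts (added example)."""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional

# File types that Explorer launches when it processes the Startup folder
# at logon. Assumption: list chosen for this example, extend as needed.
LAUNCHABLE = {".bat", ".cmd", ".exe", ".vbs", ".js", ".ps1", ".lnk", ".scr", ".com"}


@dataclass
class Finding:
    path: str
    size: int
    sha256: str
    modified: float  # epoch seconds
    recent: bool     # modified within the lookback window


def windows_startup_dirs() -> List[Path]:
    """Per-user and all-users Startup folders, built from the environment.

    The per-user path is the %APPDATA% location named in the article; the
    all-users path under %PROGRAMDATA% is the standard Windows location.
    """
    dirs: List[Path] = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.append(Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup")
    programdata = os.environ.get("PROGRAMDATA")
    if programdata:
        dirs.append(Path(programdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "StartUp")
    return dirs


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large droppers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_startup_dirs(dirs: Iterable[Path], lookback_seconds: int = 7 * 24 * 3600,
                       now: Optional[float] = None) -> List[Finding]:
    """Return one Finding per launchable file in the given Startup folders."""
    now = time.time() if now is None else now
    findings: List[Finding] = []
    for d in dirs:
        if not d.is_dir():
            continue
        for entry in sorted(d.iterdir()):
            if not entry.is_file() or entry.suffix.lower() not in LAUNCHABLE:
                continue
            st = entry.stat()
            findings.append(Finding(
                path=str(entry),
                size=st.st_size,
                sha256=sha256_of(entry),
                modified=st.st_mtime,
                recent=(now - st.st_mtime) <= lookback_seconds,
            ))
    return findings


def demo_on_constructed_dir() -> List[Finding]:
    """Run the audit on a constructed Startup folder (sample data, not real malware).

    The folder holds a freshly written batch file, a text file that is not
    launchable, and an 'executable' whose mtime is pushed 60 days back.
    """
    base = Path(tempfile.mkdtemp(prefix="startup-audit-"))
    (base / "AutoRun.bat").write_text("@echo off\r\nrem constructed placeholder, does nothing\r\n")
    (base / "readme.txt").write_text("not launchable\n")
    (base / "old_tool.exe").write_bytes(b"MZ constructed placeholder, not a real PE")
    old = time.time() - 60 * 24 * 3600
    os.utime(base / "old_tool.exe", (old, old))
    return audit_startup_dirs([base])


if __name__ == "__main__":
    # On a Windows host this walks the real Startup folders; elsewhere the
    # list is empty, so fall back to the constructed sample for a dry run.
    results = audit_startup_dirs(windows_startup_dirs()) or demo_on_constructed_dir()
    for f in results:
        flag = "RECENT" if f.recent else "      "
        print(f"{flag} {f.sha256[:16]}  {f.size:>8}  {f.path}")
```

A recently modified batch file or shortcut in Startup is not proof of infection on its own, but on a host where nothing was intentionally installed it is exactly the artefact this bundle leaves behind, and the hash gives an analyst something to pivot on.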

MakiseKurisu.exe, download.exe and upload.exe are three other malicious files launched by the batch files. These files are responsible for how the bundle distributes itself. One of the batch files also launches the nir.exe tool, which allows the malicious executables to run without visible windows or taskbar icons.

The download.exe file is huge at 35 MB. However, it is basically a standard loader whose purpose is to download the videos that will be uploaded to YouTube, together with files containing the description text and links to the malicious archives. The executable is large because it contains a NodeJS interpreter as well as the main application's scripts and dependencies. The malware obtains the file download links from a GitHub repository. In the most recent updates, it downloads a 7-Zip archive with the videos and descriptions organized into directories. The archive is unpacked using the included console version of 7-Zip.

MakiseKurisu.exe is a password stealer written in C# and customized to the bundle creators' needs. Source code from GitHub was most likely used as a starting point: the file contains many standard stealer features that are never used, for example detecting a debugger or virtual environment, sending information about the infected system to instant messengers, and stealing passwords.

So what is left, and what was changed? The only working feature of MakiseKurisu.exe is to extract cookies from browsers and store them in a separate file, without sending the stolen data anywhere. The bundle uses these cookies to access the infected user's YouTube account, where it uploads the video.

The final malicious file in the bundle is upload.exe, which uploads the video previously downloaded by download.exe to YouTube. This file is also written in NodeJS. It uses the Puppeteer Node library, which provides a high-level API for controlling Chrome and Microsoft Edge through the DevTools protocol. When the video is successfully uploaded to YouTube, upload.exe sends a message to Discord with a link to the uploaded video.

Raymond T. Helms