Hackers spread malware through YouTube channels promoting game cheats
Hot potato: Gamers looking to download cheats and cracks should beware of links in YouTube video descriptions. Hackers may have compromised channels hosting videos, turning them into vectors for malware that can steal login credentials.
A new report from Kaspersky describes a malware campaign targeting gamers via YouTube. The malware steals credentials from the victim's system and then abuses the victim's own YouTube channel to lure more users. In March 2020, Kaspersky Lab discovered a Trojan that combines several pieces of malware which hackers previously spread via spam emails or third-party downloaders.
Once activated, the payload, a stealer known as RedLine, can harvest data from Chrome, Firefox and Chromium-based browsers, including autofill information, usernames, passwords, cookies and banking credentials. It can also steal information from cryptocurrency wallets, instant messaging software, and FTP, SSH and VPN clients. In addition, the malware can open links in the system's default browser and download and launch further programs.
From there, the malware spreads in a more elaborate pattern. It downloads videos advertising cheats and cracks for many popular PC games to the victim's computer and then uploads them to the victim's YouTube channel. The descriptions of the uploaded videos contain links that ostensibly lead to the advertised hacks but instead lead to the same Trojan that posted the video, so each infected gamer becomes a new distribution point.
The videos mention games like Final Fantasy XIV, Forza, Lego Star Wars, Rust, Spider-Man, Stray, VRChat, DayZ, F1 22, Farming Simulator and more.
YouTube has already shut down the compromised channels, but users should stay alert for suspicious links in video descriptions so that this distribution method doesn't gain traction.
The payload also contains cryptocurrency mining software, since gamers are likely to have powerful GPUs installed that can mine cryptocurrency. Fortunately, after this year's cryptocurrency crash and Ethereum's "Merge", attackers are much less likely to keep hunting for graphics cards to mine on, as it has become far less profitable, so this may be one less security risk to worry about.
Users who want to defend against this malware, or who believe they are already victims, should know that the RedLine bundle contains files with the following names: Makisekurisu.exe, cool.exe, AutoRun.exe, download.exe and upload.exe. AutoRun copies itself to the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup directory, causing it to run every time Windows starts.
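The quickest check a worried gamer or an analyst can run is to look for those file names where the article says they end up: in the per-user Startup folder (including shortcuts that point at one of them) and among running processes. The PowerShell below is an added example, not a script from the article or from Kaspersky; the file-name list comes from the article, while the way it is checked, and the assumption that a match warrants a closer look rather than proving infection, are this example's own.

```powershell
# Added example (not from the article or Kaspersky's report): hunt for the
# file names the article lists in the per-user Startup folder and in the
# running process list. Names are taken from the article; everything else
# is an assumption about how one would triage a machine.

$Iocs = @('Makisekurisu.exe', 'cool.exe', 'AutoRun.exe', 'download.exe', 'upload.exe')

# Resolves to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup,
# the persistence location named in the article.
$StartupDir = [Environment]::GetFolderPath('Startup')
$hits = @()

# 1. Files in the Startup folder whose name matches, plus .lnk shortcuts
#    whose target matches (the -contains comparison is case-insensitive).
Get-ChildItem -Path $StartupDir -Force -ErrorAction SilentlyContinue | ForEach-Object {
    if ($Iocs -contains $_.Name) {
        $hits += [pscustomobject]@{ Where = 'Startup folder'; Item = $_.FullName }
    }
    elseif ($_.Extension -ieq '.lnk') {
        $target = (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName).TargetPath
        if ($target -and ($Iocs -contains (Split-Path $target -Leaf))) {
            $hits += [pscustomobject]@{ Where = 'Startup shortcut'; Item = "$($_.FullName) -> $target" }
        }
    }
}

# 2. Running processes whose image name matches; record path and SHA-256
#    so the binary can be submitted for analysis before anything is killed.
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
    $leaf = Split-Path $_.Path -Leaf
    if ($Iocs -contains $leaf) {
        $sha256 = (Get-FileHash -Algorithm SHA256 -Path $_.Path -ErrorAction SilentlyContinue).Hash
        $hits += [pscustomobject]@{ Where = "Process PID $($_.Id)"; Item = "$($_.Path) sha256=$sha256" }
    }
}

if ($hits.Count -eq 0) {
    Write-Host "No listed file names found in $StartupDir or among running processes."
}
else {
    $hits | Format-Table -AutoSize
}
```

Treat a match as a lead, not a verdict: names like download.exe, upload.exe and AutoRun.exe are generic enough that legitimate software can use them, and conversely a sample renamed by the operators would slip past a name-only check, which is why the script records the SHA-256 for follow-up. The script covers only the Startup folder the article names; the Run registry keys and scheduled tasks are other common persistence spots, but the article does not say this bundle uses them.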