Hackers Deliver Malware via YouTube Video Game Cracks

0
28

[ad_1]

Threat actors target home users with information-stealing malware like Vidar, StealC, and Lumma Stealer, which disguises the malware as pirated software and video game cracks in YouTube videos. 

The videos appear to instruct users on obtaining free software or game upgrades. Still, a link in the description leads to malware, where the attackers compromise legitimate accounts or create new ones specifically to distribute the malware. 

An example of a verified YouTube account with a large following, suspected to be compromised. 
An example of a verified YouTube account with a large following, is suspected to be compromised. 

The method is concerning because it targets younger users with games popular among children, who are less likely to recognize malicious content, as over two dozen such accounts and videos have been identified and reported to YouTube for takedown. 

Document

Stop Advanced Phishing Attack With AI

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by
other email security solutions. .

A verified YouTube channel had found a history of Thai content that abruptly switched to posting English videos with malicious links. 

Screenshot of a suspected compromised YouTube account distributing malware, comparing upload dates. 
Screenshot of a suspected compromised YouTube account distributing malware, comparing upload dates. 

The new videos, likely boosted by bots for legitimacy, offered pirated software and character enhancements for popular video games, whose descriptions contained links to password-protected archives (e.g., “Setup_Pswrd_1234.rar”) that deployed Vidar Stealer malware upon execution. 

Screenshot of a video description that includes instructions to disable antivirus. 
Screenshot of a video description that includes instructions to disable antivirus. 

Fake comments further bolstered the legitimacy of the malicious content, which included instructions to bypass antivirus software, highlighting the social engineering tactics employed by the attackers.  

Proofpoint found videos promoting fake Empress cracks for League of Legends, including instructions to download a RAR archive containing a malicious executable named “empress.exe” from a suspicious URL and used visual instructions to trick users into installing Vidar Stealer malware disguised as a game crack. 

Telegram link from Empress video. 
Telegram link from Empress video. 

Malware details with Command and Control Activity 

Malicious actors are distributing Vidar malware through YouTube videos containing links to password-protected, compressed executables hosted on MediaFire. 

Repeating bytes identified in a hex editor.  
Repeating bytes identified in a hex editor.  

The executables contain padding to bypass antivirus scanners and appear larger than they are, while Vidar retrieves its command and control instructions from social media accounts, including Telegram, Steam Community, and Tumblr. 

Vidar Stealer C2 check-in PCAP.  
Vidar Stealer C2 check-in PCAP.  

Accounts are identifiable by usernames containing alphanumeric characters followed by an IP address, which allows Vidar to blend in with regular network traffic. 

The link leads to a Discord post from the threat actor. 
The link leads to a Discord post from the threat actor. 

A malware distribution campaign targeted gamers as actors compromised YouTube accounts and used video descriptions to distribute Discord server links. 

List of “supported” games. 
List of “supported” games. 

The Discord server offered various game-specific malware disguised as cheats, in which downloaded files like “valoskin.zip” contained Lumma Stealer malware. At the same time, the campaign exemplifies a broader trend of information-stealing distribution via YouTube. 

Similarities in video content, delivery methods, and target audience (non-enterprise users) suggest a single actor or a group of collaborators. 

The provided indicators of compromise (IOCs) suggest a recent Lumma and Vidar malware campaign, where Lumma files (spoofer.exe, bypasser.exe) were disguised as legitimate applications (VALORANT.exe). 

Vidar used social engineering tactics, using a Steam profile and Telegram channel as C2 servers. Both malware families have been active since February 2024, and new samples appeared in March.  

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

[ad_2]

Source link