Self-Spreading Malware

Gamers looking for cheats on YouTube are being targeted with links to rogue password-protected archive files designed to install crypto miners and information-stealing malware such as RedLine Stealer on compromised machines.

"The videos advertise cheats and cracks and provide instructions on hacking popular games and software," Kaspersky security researcher Oleg Kupreev said in a new report published today.

CyberSecurity

Games mentioned in the videos are APB Reloaded, CrossFire, DayZ, Farming Simulator, Farthest Frontier, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, Sniper Elite, and Spider-Man, among others.

Game Malware

Downloading the self-extracting RAR archive leads to the execution of Redline Stealer, a coin miner, as well as a number of other binaries that enable the bundle's self-propagation.

Specifically, this is achieved by means of an open-source C#-based password stealer that's capable of extracting cookies from browsers, which is then used by the operators to gain unauthorized access to the victim's YouTube account and upload a video with a link to the malicious archive.

Game Malware

Once a video is successfully uploaded to YouTube, one of the executables in the archive transmits a message to Discord with a link to the uploaded video.

CyberSecurity

The findings come as the total number of users who encountered gaming-related malware and unwanted software from July 1, 2021, through June 30, 2022 touched nearly 385,000, with over 91,000 files distributed under the guise of games such as Minecraft, Roblox, Need for Speed, Grand Theft Auto, and Call of Duty.

"Cybercriminals actively hunt for gaming accounts and gaming computer resources," Kupreev said. "Stealer-type malware is often distributed under the guise of game hacks, cheats, and cracks. All this is further proof, if any were needed, that illegal software should be treated with extreme caution."


Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.