3 April 2024

Hackers deliver info-stealing malware via YouTube video game cracks


Threat actors are disseminating malware through YouTube channels masquerading as sources for cracked and pirated video games, according to new findings from Proofpoint's Emerging Threats division.

Multiple YouTube channels have been identified as being used for malware distribution, with video descriptions containing links leading to the download of malicious payloads. The malware, which includes notorious variants such as Vidar, StealC, and Lumma Stealer, is designed to steal sensitive information from users' systems.

The attacks appear to target common users lacking enterprise-grade security measures on their personal computers, the company said.

The threat actors behind these campaigns employ a sophisticated modus operandi, involving compromised YouTube accounts, some of which were likely acquired from legitimate users. The hacked accounts are utilized to host videos promoting cracked software and game hacks. Additionally, the researchers observed the threat actors creating transitory accounts used solely for malware distribution.

“In one example, a video purported to contain a character enhancement for a popular video game with a MediaFire link in the description. The MediaFire URL led to a password-protected file (Setup_Pswrd_1234.rar) containing an executable (Setup.exe) that, if executed, downloaded and installed Vidar Stealer malware,” Proofpoint wrote in a technical analysis.

The threat research team said it has identified over two dozen accounts and videos disseminating malware. Indicators that an account has been compromised include suspicious behaviors such as sudden shifts in content and language, long gaps between posted videos, and content that differs sharply from the channel's previously published videos.
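As an added illustration (not code from Proofpoint's report or this article), the following Python heuristic scores a channel's upload history against the three compromise indicators above: a long gap before the latest video, a change of language, and a title that shares almost no vocabulary with earlier uploads. The `Upload` record, the `language` field, the thresholds and the sample history are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
import re

@dataclass
class Upload:
    posted: date
    title: str
    language: str  # language tag of the title/description; assumed to be available

def tokens(text: str) -> set[str]:
    """Lower-cased alphanumeric word set used as a crude content fingerprint."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def assess_channel(uploads: list[Upload], gap_days: int = 180, max_overlap: float = 0.1) -> list[str]:
    """Return the indicators the latest upload triggers, judged against the channel's
    earlier uploads (oldest first). Thresholds are assumptions, not values from the report."""
    if len(uploads) < 2:
        return []
    history, latest = uploads[:-1], uploads[-1]
    indicators = []
    # Indicator 1: a long silence followed by a sudden new upload.
    if (latest.posted - history[-1].posted).days > gap_days:
        indicators.append("upload_gap")
    # Indicator 2: the new video is in a language the channel never used before.
    if latest.language not in {u.language for u in history}:
        indicators.append("language_shift")
    # Indicator 3: the new title shares almost no words with all previous titles.
    prior_vocab = set().union(*(tokens(u.title) for u in history))
    latest_vocab = tokens(latest.title)
    overlap = len(latest_vocab & prior_vocab) / len(latest_vocab) if latest_vocab else 1.0
    if overlap < max_overlap:
        indicators.append("content_shift")
    return indicators

# Constructed sample history: a dormant hobby channel that suddenly posts a "crack" video.
SAMPLE_CHANNEL = [
    Upload(date(2022, 1, 10), "Family trip to the lake, day 1", "en"),
    Upload(date(2022, 2, 3), "Family trip to the lake, day 2", "en"),
    Upload(date(2022, 3, 14), "Lake cabin tour and family dinner", "en"),
    Upload(date(2024, 3, 20), "Free crack download for popular game, setup guide", "tr"),
]

if __name__ == "__main__":
    print(assess_channel(SAMPLE_CHANNEL))       # → ['upload_gap', 'language_shift', 'content_shift']
    print(assess_channel(SAMPLE_CHANNEL[:3]))   # → []
```

The first three uploads alone trigger nothing, so the heuristic separates a channel's normal drift from the abrupt change the researchers describe.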

The researchers have also uncovered an alternative method of payload distribution via Discord URLs embedded in video descriptions. Threat actors manage Discord servers tailored to specific games, offering users downloadable files along with installation instructions.

Proofpoint has not attributed the observed activity to any specific threat actor.

“The techniques used are similar, however, including the use of video descriptions to host URLs leading to malicious payloads and providing instructions on disabling antivirus, and using similar file sizes with bloating to attempt to bypass detections. Based on the similarities of the video content, payload delivery, and deception methods, Proofpoint assesses that the actors are consistently targeting non-enterprise users,” the researchers said, adding that they haven’t been able to determine how the accounts were compromised in the first place.
