Infostealer Being Distributed via YouTube – ASEC BLOG

ASEC researchers uncovered an infostealer that is being distributed through YouTube disguised as a Valorant game hack, with instructions to disable anti-malware protections. The malware collects system information, browser credentials, cryptocurrency wallet files, VPN client credentials, and other sensitive data, then exfiltrates it via Discord WebHooks to the attacker. #PlutoValorntCheat #DiscordWebHooks #anonfiles #ValorantHack #ASEC #AhnLab

Keypoints

  • Infostealer distributed via a YouTube video, masquerading as a Valorant game cheat, with a download link and instruction to turn off anti-malware.
  • Download page hosted on anonfiles and a payload named Pluto Valornt cheat.rar containing an executable named Cheat installer.exe that is actually malware.
  • When executed, the malware collects basic system information and browser data from Chrome, Edge, and Firefox, including saved passwords, credit card numbers, Autofill data, bookmarks, and cookies.
  • Targets include cryptocurrency wallet files from multiple wallets, VPN client credentials (ProtonVPN, OpenVPN, NordVPN), plus data from FileZilla, Minecraft VimeWorld, Steam, Telegram, and Discord tokens.
  • Stolen data is compressed and exfiltrated back to the attacker via Discord WebHooks, with two WebHook URLs provided in the article.
  • The case reiterates the need to avoid illegal downloads and to keep security software (AhnLab V3 in this case) updated to reduce the risk of infection.

MITRE Techniques

  • [T1036] Masquerading – The malware is disguised as a game hack; “Although its name appears to be of a game hack, it is actually an infostealer.”
  • [T1204.002] User Execution – Malicious file executed by the user when launching the cheat installer; “When the malware is executed, it collects…”
  • [T1082] System Information Discovery – The malware gathers basic information about the infected system; “basic information of the infected system”
  • [T1113] Screen Capture – The malware collects screenshots as part of the data theft; “screenshots”
  • [T1555.003] Credentials In Browser – Stolen browser data including passwords, autofill data, and cookies from Chrome, Edge, and Firefox; “Passwords, credit card numbers, AutoFill forms, bookmarks, and cookies”
  • [T1567.002] Exfiltration to Web Services – Data exfiltrated via Discord WebHooks to attacker; “Using the WebHook API allows the malware to send the data and notification to a specific Discord server”

Indicators of Compromise

  • [File Name] Pluto Valornt cheat.rar – Malicious compressed file name
  • [File Name] Cheat installer.exe – Executable inside the archive
  • [File MD5] 6649fec7c656c6ab0ae0a27daf3ebb8e – MD5 hash of the malware sample
  • [URL] Download page: hxxps://anonfiles[.]com/J0b03cKexf – Malicious download page
  • [URL] Malicious payload: hxxps://cdn-149.anonfiles[.]com/J0b03cKexf/bfb807d9-1646204724/Pluto%20Valornt%20cheat.rar – Payload URL
  • [WebHook] Discord WebHook 1: hxxps://discordapp[.]com/api/webhooks/947181971019292714/gXE5T4ZQQF0yGOhuBSDhTkFXB0ut9ai71IZmOFvsdIaznalhyvQP0h45xCss-8W7KQCo
  • [WebHook] Discord WebHook 2: hxxps://discord[.]com/api/webhooks/940299131098890301/RU4T0D4gNAYM0BZkAMMKQRwGBORfHiJUJ5lJ20Gd-s2yCIX9lXCbyB6yZ6zHUA5B-H42
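The exfiltration path described in the key points (stolen data posted to Discord WebHooks) and the indicators listed above lend themselves to a simple network-side check. The following Python script is an added example written for this page; it is not code from the ASEC article or from AhnLab. It scans proxy log lines for the two WebHook IDs, the anonfiles download URLs and, more generally, for large POST requests to any Discord webhook endpoint, and it also checks a file's MD5 against the listed sample hash. The log line format and the sample lines are constructed for the example; the webhook IDs, URLs and hash are taken from the IoC list above (defanging removed so they match real traffic).

```python
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators taken from the IoC list on this page ("hxxps" / "[.]" defanging removed).
KNOWN_WEBHOOK_IDS = {"947181971019292714", "940299131098890301"}
KNOWN_DOWNLOAD_URLS = {
    "https://anonfiles.com/J0b03cKexf",
    "https://cdn-149.anonfiles.com/J0b03cKexf/bfb807d9-1646204724/Pluto%20Valornt%20cheat.rar",
}
KNOWN_SAMPLE_MD5 = "6649fec7c656c6ab0ae0a27daf3ebb8e"

# Both discord.com and discordapp.com webhook endpoints appear in the IoCs.
WEBHOOK_RE = re.compile(
    r"^https?://(?:discord|discordapp)\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)"
)


@dataclass
class Alert:
    line_no: int
    severity: str
    reason: str


def parse_line(line):
    """Parse one constructed proxy log line (assumed format):
    <timestamp> <src_ip> <method> <url> <response_bytes> <request_bytes>
    Returns None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src_ip, method, url, resp_bytes, req_bytes = parts
    try:
        return {
            "ts": ts, "src_ip": src_ip, "method": method.upper(), "url": url,
            "resp_bytes": int(resp_bytes), "req_bytes": int(req_bytes),
        }
    except ValueError:
        return None


def scan_proxy_log(lines, min_upload_bytes=10_000):
    """Return one Alert per log line that matches a page IoC or looks like
    a bulk upload to a Discord webhook (the infostealer's exfiltration channel)."""
    alerts = []
    for line_no, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        url = rec["url"]
        m = WEBHOOK_RE.match(url)
        if url in KNOWN_DOWNLOAD_URLS:
            alerts.append(Alert(line_no, "high", "request to known payload/download URL"))
        elif m and m.group(1) in KNOWN_WEBHOOK_IDS:
            alerts.append(Alert(line_no, "high",
                                f"POST to known infostealer webhook id {m.group(1)}"))
        elif m and rec["method"] == "POST" and rec["req_bytes"] >= min_upload_bytes:
            # Unknown webhook, but a large upload from a workstation is worth triage.
            alerts.append(Alert(line_no, "medium",
                                f"{rec['req_bytes']} bytes POSTed to Discord webhook from {rec['src_ip']}"))
    return alerts


def md5_matches_sample(data: bytes) -> bool:
    """True if the given file contents hash to the sample MD5 listed above."""
    return hashlib.md5(data).hexdigest() == KNOWN_SAMPLE_MD5


# Constructed sample log: one host fetches the archive, then uploads to two webhooks;
# a second host makes an unrelated Discord API call. Tokens are replaced with a placeholder.
SAMPLE_LOG = """\
2022-03-02T10:01:02Z 10.0.0.15 GET https://anonfiles.com/J0b03cKexf 5120 0
2022-03-02T10:01:09Z 10.0.0.15 GET https://cdn-149.anonfiles.com/J0b03cKexf/bfb807d9-1646204724/Pluto%20Valornt%20cheat.rar 2411520 0
2022-03-02T10:02:30Z 10.0.0.15 POST https://discordapp.com/api/webhooks/947181971019292714/REDACTEDTOKEN 200 184320
2022-03-02T10:02:31Z 10.0.0.15 POST https://discord.com/api/webhooks/123456789012345678/REDACTEDTOKEN 200 96000
2022-03-02T10:03:00Z 10.0.0.22 GET https://discord.com/api/v9/gateway 1024 0
""".splitlines()


if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_LOG):
        print(f"line {a.line_no} [{a.severity}] {a.reason}")
```

The exact-IoC matches are brittle by design (the attacker can rotate webhooks and archive names in minutes), so the third rule, a large POST body to any `/api/webhooks/` path from a user workstation, is the one worth keeping as a standing detection; tune `min_upload_bytes` to whatever legitimate Discord integrations on the network actually send.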

Read more: https://asec.ahnlab.com/en/32499/