RedLine spreads through ads for cheats and cracks on YouTube

Summary: A self-spreading malware bundle centers on the RedLine stealer, using ads for cheats and cracks plus YouTube video posts to propagate while stealing browser credentials and other data. The campaign combines loaders, startup persistence, and GitHub/Telegra.ph links, with IoCs such as MD5 hashes and a C2 server, to enable distribution and exfiltration. #RedLine #SelfPropagatingStealer #YouTube #GitHub #Discord

Keypoints

  • The main payload is the RedLine stealer, a widely used Trojan that extracts passwords, cookies, and other sensitive data from browsers, wallets, messengers, and more.
  • The bundle spreads via malicious spam emails and third-party loaders, delivering a self-propagating, self-extracting archive.
  • Self-propagation is enabled by multiple files that post cheat/video content to infected users’ YouTube channels with links to a password-protected archive.
  • Startup persistence is achieved by copying a launcher to the Start Menu Startup folder, ensuring automatic execution on boot.
  • The bundle includes MakiseKurisu.exe (cookie/password stealer), download.exe (loader that fetches videos from GitHub and a 7-Zip archive), and upload.exe (uploads videos to YouTube and notifies Discord).
  • IoCs include MD5 hashes, Telegra.ph links to the original bundles, GitHub links, and a RedLine C2 server (45.150.108.67:80).

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The stealer spreads via “malicious spam e-mails” and loaders. ‘The stealer spreads in various ways, including through malicious spam e-mails and third-party loaders.’
  • [T1105] Ingress Tool Transfer – It can “download and run third-party programs” as part of its payload and loaders. ‘The stealer can download and run third-party programs, execute commands in cmd.exe and open links in the default browser.’
  • [T1547.001] Boot or Logon Autostart Execution – Startup persistence by copying itself to the Startup folder: ‘%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup’. ‘The third executable file copies itself to the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup directory, which ensures automatic startup.’
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The bundle executes commands via cmd.exe through its batch/file chain. ‘The batch files, in turn, run three other malicious files… The nir.exe utility, which lets malicious executable files run without displaying any windows or taskbar icons.’
  • [T1497] Virtualization/Sandbox Evasion – The MakiseKurisu.exe source code includes debugger and virtual-environment checks (anti-analysis features), although most of them are not active in the shipped binary. ‘The source code… contains many standard stealer features… The only working function… is extracting cookies…’
  • [T1555.003] Credentials in Web Browsers – MakiseKurisu.exe extracts cookies from browsers, enabling YouTube access. ‘extracting cookies from browsers and storing them in a separate file without sending the stolen data anywhere.’
  • [T1567.002] Exfiltration to Web Services – Uploads video to YouTube and signals via Discord. ‘uploads the video previously downloaded using download.exe, to YouTube’ and ‘When the video is successfully uploaded to YouTube, upload.exe sends a message to Discord with a link to the uploaded video.’

Indicators of Compromise

  • [MD5] Hashes – 32dd96906f3e0655768ea09d11ea6150, 1d59f656530b2d362f5d540122fb2d03, and 9 more hashes
  • [URL] Archive links to original bundle – hxxps://telegra[.]ph/2022-July-07-27, hxxps://telegra[.]ph/DayZ-Eazy-Menu-06-24, and 6 more items
  • [URL] GitHub links – hxxps://github[.]com/AbdulYaDada/fdgkjhfdguoerldifgj, hxxps://raw.githubusercontent[.]com/AbdulYaDada/fdgkjhfdguoerldifgj/
  • [IP] RedLine C2 – 45.150.108[.]67:80
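The following is an added detection example, not code from the original report, that turns the Startup-folder persistence technique (T1547.001) and the IoCs listed above into a small triage check. It runs over constructed key=value event lines (not real Sysmon output); the event field names and the benign 7-Zip hash are assumptions made for the sample.

```python
import re

# IoCs quoted on this page, re-fanged for matching (the page shows them defanged).
REDLINE_MD5 = {"32dd96906f3e0655768ea09d11ea6150",
               "1d59f656530b2d362f5d540122fb2d03"}
REDLINE_C2 = ("45.150.108.67", 80)

# Tail of the Startup folder path the launcher is copied into (T1547.001). Matching this
# fragment works whether a log carries the %APPDATA% form or the expanded
# C:\Users\<name>\AppData\Roaming\... form.
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Constructed sample events in a simple key=value line format (not real Sysmon output).
SAMPLE_EVENTS = [
    "event=FileCreate image=C:\\Users\\bob\\Desktop\\cheat\\run.bat "
    "target=C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\launcher.exe",
    "event=NetworkConnect image=C:\\Users\\bob\\AppData\\Local\\Temp\\RedLine.exe dst=45.150.108.67 port=80",
    "event=ProcessCreate image=C:\\Program Files\\7-Zip\\7z.exe md5=d41d8cd98f00b204e9800998ecf8427e",
    "event=ProcessCreate image=C:\\Users\\bob\\AppData\\Local\\Temp\\MakiseKurisu.exe md5=32DD96906F3E0655768EA09D11EA6150",
]

# A value runs until the next " key=" token, so paths containing spaces stay intact.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict; values such as 'Start Menu' may contain spaces."""
    return {k: v for k, v in _KV.findall(line)}


def classify(event: dict) -> list:
    """Return the indicators from this page that a single event matches."""
    hits = []
    kind = event.get("event")
    if kind == "FileCreate" and STARTUP_FRAGMENT in event.get("target", "").lower():
        hits.append("T1547.001 startup-folder persistence")
    dst = (event.get("dst"), int(event.get("port", 0)))
    if kind == "NetworkConnect" and dst == REDLINE_C2:
        hits.append("RedLine C2 contact")
    if event.get("md5", "").lower() in REDLINE_MD5:
        hits.append("known RedLine bundle hash")
    return hits


def scan(lines) -> dict:
    """Map each matching line index to its hits; lines with no hits are omitted."""
    results = {}
    for i, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            results[i] = hits
    return results
```

Hash matching is case-insensitive and the Startup path check is case-insensitive on purpose, since Windows paths and hex digests arrive in either case depending on the log source.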

Read more: https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/