Hot potato: Players looking to download cheats and cracks should beware of the links in the descriptions of YouTube videos. Hackers may have compromised the channels hosting such videos, turning them into vectors for malware that steals login credentials.
A new report from Kaspersky describes a malware campaign targeting gamers via YouTube. The malware can steal several types of credentials from a victim's system and then use them to lure more users. In March 2020, Kaspersky discovered a Trojan that bundles multiple pieces of malware, which hackers spread via spam emails or third-party downloaders.
Once activated, the payload, known as RedLine, can steal data from Chrome, Firefox and Chromium-based browsers, including autofill information, usernames, passwords, cookies and banking credentials. It can also lift information from crypto wallets, instant messengers, and FTP, SSH and VPN clients. Furthermore, the malware can open links in the system's default browser to download and launch programs.
From there, the malware spreads through a more elaborate scheme. It downloads videos advertising cheats and cracks for many popular PC games to the victim's device and then uploads them to the victim's own YouTube channel. The descriptions of the uploaded videos contain links that purport to lead to the advertised hacks but instead deliver the same Trojan that uploaded the videos.
The videos refer to games including Final Fantasy XIV, Forza, Lego Star Wars, Rust, Spider-Man, Stray, VRChat, DayZ, F1 22, Farming Simulator and more.
YouTube has already shut down the hacked channels, but users should watch out for suspicious links on the site in case this method of posting becomes more popular in the future.
The payload also contains crypto-mining software, since gamers are more likely to have powerful GPUs installed that can mine cryptocurrencies. Fortunately, after this year's crypto crash and Ethereum's merge, hackers are unlikely to keep targeting graphics cards as mining becomes less profitable, so this may turn out to be a less worrisome security threat.
Users who want to actively defend against this malware, or who think they may already be targeted, should know that the RedLine bundle contains files with the following names: Makisekurisu.exe, cool.exe, AutoRun.exe and download.exe. AutoRun copies itself to the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup directory, causing it to run every time Windows starts.
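The persistence trick described above, an executable dropped into the per-user Startup folder, is easy to check for. The following script is an added example written for this article, not code from Kaspersky or the malware authors. It resolves the Startup path from the APPDATA variable (or a path you pass in), flags entries whose names match the file names listed above (case-insensitive, since Windows file names are), and separately reports any other executable sitting directly in Startup, because legitimate entries there are normally .lnk shortcuts rather than raw .exe files. The function and parameter names are this example's own.

```python
import os
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# File names the article attributes to the RedLine bundle (indicator list, not exhaustive).
REDLINE_BUNDLE_NAMES = {"makisekurisu.exe", "cool.exe", "autorun.exe", "download.exe"}

# Extensions that Windows will execute directly if found in the Startup folder.
EXECUTABLE_SUFFIXES = {".exe", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr"}


def user_startup_dir(appdata: Optional[str] = None) -> Path:
    """Build the per-user Startup path the article names.

    appdata defaults to the APPDATA environment variable (set on Windows);
    passing it explicitly keeps the function usable and testable elsewhere.
    """
    base = appdata if appdata is not None else os.environ.get("APPDATA", "")
    return Path(base) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def scan_startup_folder(startup_dir, ioc_names: Iterable[str] = REDLINE_BUNDLE_NAMES) -> Dict[str, List[str]]:
    """Inspect a Startup folder and return two sorted lists of entry names.

    "ioc_matches":       entries whose name equals a known indicator (case-insensitive)
    "other_executables": remaining entries with an executable suffix, which are
                         unusual in Startup and worth a manual look
    A missing folder yields empty lists rather than an exception.
    """
    startup_dir = Path(startup_dir)
    result: Dict[str, List[str]] = {"ioc_matches": [], "other_executables": []}
    if not startup_dir.is_dir():
        return result

    wanted = {name.lower() for name in ioc_names}
    for entry in startup_dir.iterdir():
        lowered = entry.name.lower()
        if lowered in wanted:
            result["ioc_matches"].append(entry.name)
        elif entry.is_file() and entry.suffix.lower() in EXECUTABLE_SUFFIXES:
            result["other_executables"].append(entry.name)

    result["ioc_matches"].sort()
    result["other_executables"].sort()
    return result


if __name__ == "__main__":
    # On a Windows host this scans the real per-user Startup folder.
    findings = scan_startup_folder(user_startup_dir())
    for kind, names in findings.items():
        print(f"{kind}: {names if names else 'none'}")
```

Shortcuts (.lnk) are deliberately not flagged, so a clean machine with a few legitimate autostart shortcuts reports nothing; any name in `ioc_matches`, or an unexpected raw executable in `other_executables`, is the cue to investigate further rather than proof of infection on its own.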