Threat actors have conducted a campaign relying on the RedLine stealer and targeting YouTube users.
The news comes from cybersecurity researchers at Kaspersky, who published an advisory about the campaign earlier today.
“Discovered in March 2020, RedLine is currently one of the most common Trojans used to steal passwords and credentials from browsers, FTP clients and desktop messengers,” wrote Oleg Kupreev in the technical write–up.
“It is openly available on underground hacker forums for just a few hundred dollars, a relatively small price tag for malware."
According to the security expert, RedLine can steal usernames, passwords, cookies, bank card details and autofill data from Chromium– and Gecko–based browsers. It is also capable of obtaining data from crypto wallets, instant messengers and FTP/SSH/VPN clients and files with particular extensions from devices.
The malware can reportedly download and run third–party software tools, execute commands in cmd.exe and open links via the default browser.
“The stealer spreads in various ways, including through malicious spam e–mails and third–party loaders,” Kupreev explained.
Further, in addition to the payload itself, Kaspersky noticed that the discovered bundle had self–propagation functionalities.
“Several files are responsible for this, which receive videos and post them to the infected users’ YouTube channels along with the links to a password–protected archive with the bundle in the description,” the advisory reads.
“The videos advertise cheats and cracks and provide instructions on hacking popular games and software.”
From a technical standpoint, the bundle is a self–extracting RAR archive containing several malicious files, clean utilities and a script programmed to automatically run the unpacked contents.
Kaspersky said that the self–spreading bundle with RedLine is a prime example of stealer–type malware being distributed under the guise of game hacks.
“Cyber–criminals lure victims with ads for cracks and cheats, as well as instructions on how to hack games,” Kupreev said.
“At the same time, the self–propagation functionality is implemented using relatively unsophisticated software, such as a customized open–source stealer. All this is further proof if any were needed, that illegal software should be treated with extreme caution."
The Kaspersky advisory comes days after a report by cybersecurity firm Akamai suggested cyber–attacks in the gaming sector have increased by 167% in the last year.
As for the RedLine stealer, the tool was also spotted in a ModernLoader campaign uncovered by Cisco Talos last month.