Tuesday, December 3, 2024
HomeUncategorizedThreat Actors Deliver Malware via YouTube Video Game Cracks

Threat Actors Deliver Malware via YouTube Video Game Cracks

Published on

SIEM as a Service

Threat actors target home users with information-stealing malware like Vidar, StealC, and Lumma Stealer, which disguises the malware as pirated software and video game cracks in YouTube videos. 

The videos appear to instruct users on obtaining free software or game upgrades. Still, a link in the description leads to malware, where the attackers compromise legitimate accounts or create new ones specifically to distribute the malware. 

An example of a verified YouTube account with a large following, suspected to be compromised. 
An example of a verified YouTube account with a large following, is suspected to be compromised. 

The method is concerning because it targets younger users with games popular among children, who are less likely to recognize malicious content, as over two dozen such accounts and videos have been identified and reported to YouTube for takedown. 

- Advertisement - SIEM as a Service
Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

A verified YouTube channel had found a history of Thai content that abruptly switched to posting English videos with malicious links. 

Screenshot of a suspected compromised YouTube account distributing malware, comparing upload dates. 
Screenshot of a suspected compromised YouTube account distributing malware, comparing upload dates. 

The new videos, likely boosted by bots for legitimacy, offered pirated software and character enhancements for popular video games, whose descriptions contained links to password-protected archives (e.g., “Setup_Pswrd_1234.rar”) that deployed Vidar Stealer malware upon execution. 

Screenshot of a video description that includes instructions to disable antivirus. 
Screenshot of a video description that includes instructions to disable antivirus. 

Fake comments further bolstered the legitimacy of the malicious content, which included instructions to bypass antivirus software, highlighting the social engineering tactics employed by the attackers.  

Proofpoint found videos promoting fake Empress cracks for League of Legends, including instructions to download a RAR archive containing a malicious executable named “empress.exe” from a suspicious URL and used visual instructions to trick users into installing Vidar Stealer malware disguised as a game crack. 

Telegram link from Empress video. 
Telegram link from Empress video. 

Malware details with Command and Control Activity 

Malicious actors are distributing Vidar malware through YouTube videos containing links to password-protected, compressed executables hosted on MediaFire. 

Repeating bytes identified in a hex editor.  
Repeating bytes identified in a hex editor.  

The executables contain padding to bypass antivirus scanners and appear larger than they are, while Vidar retrieves its command and control instructions from social media accounts, including Telegram, Steam Community, and Tumblr. 

Vidar Stealer C2 check-in PCAP.  
Vidar Stealer C2 check-in PCAP.  

Accounts are identifiable by usernames containing alphanumeric characters followed by an IP address, which allows Vidar to blend in with regular network traffic. 

The link leads to a Discord post from the threat actor. 
The link leads to a Discord post from the threat actor. 

A malware distribution campaign targeted gamers as actors compromised YouTube accounts and used video descriptions to distribute Discord server links. 

List of “supported” games. 
List of “supported” games. 

The Discord server offered various game-specific malware disguised as cheats, in which downloaded files like “valoskin.zip” contained Lumma Stealer malware. At the same time, the campaign exemplifies a broader trend of information-stealing distribution via YouTube. 

Similarities in video content, delivery methods, and target audience (non-enterprise users) suggest a single actor or a group of collaborators. 

The provided indicators of compromise (IOCs) suggest a recent Lumma and Vidar malware campaign, where Lumma files (spoofer.exe, bypasser.exe) were disguised as legitimate applications (VALORANT.exe). 

Vidar used social engineering tactics, using a Steam profile and Telegram channel as C2 servers. Both malware families have been active since February 2024, and new samples appeared in March.  

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

PostgreSQL Vulnerability Allows Hackers To Execute Arbitrary SQL Functions

A critical vulnerability identified as CVE-2024-7348 has been discovered in PostgreSQL, enabling attackers to...

Security Risk Advisors Announces Launch of VECTR Enterprise Edition

Security Risk Advisors (SRA) announces the launch of VECTR Enterprise Edition, a premium version...

4 Leading Methods of Increasing Business Efficiency 

The more efficient your core business operations, the more motivated and productive your employees...