Security researchers have discovered a new malware attack that’s designed to hijack a Windows PC and spread the attack on a victim’s YouTube account through malicious links.
The attack deploys via malicious file bundles promoted on YouTube videos, according(Opens in a new window) to the antivirus provider Kaspersky. The videos claim to offer ways to hack and cheat at several popular games such as DayZ, Forza Horizon 5, and Dying Light 2, among others.
To gain access to the cheats, the videos entice the user to download a file bundle—usually hosted via the telegra.ph domain or on mediafire.com—which can be found in the video’s description. But in reality, victims are downloading a self-extracting RAR archive, which includes a password-stealing program called Redline.
(Credit: Kaspersky)
“The stealer can plunder usernames, passwords, cookies, bank card details and autofill data from Chromium- and Gecko-based browsers,” Kaspersky researchers warned. In addition, Redline can enable the hackers to hijack a PC to install other programs and execute commands on a browser.
But perhaps the attack’s most interesting ability is how it can self-propagate. Kaspersky noted that several files in the malicious package are also designed to re-post videos on the victim’s YouTube account to spread the attack again.
(Credit: YouTube)
According(Opens in a new window) to Kaspersky, a program in the malicious bundle called MakiseKurisu.exe is designed to extract internet cookies from the victim’s browser to gain access to the victim’s YouTube account. A pair of other programs will then fetch and re-post videos to the victim’s YouTube account in an effort to spread the attack to more users.
Recommended by Our Editors
The technique underscores how hackers can exploit supposed game cheats to trick unsuspecting users into downloading malware. “Gamers are one of the most popular groups targeted by cybercriminals,” Kaspersky researcher Oleg Kupreev says in the report. “Our advice would be to carefully pick the sources to quench your gaming thirst and do not download any suspicious archives from unreliable accounts.”
The attack continues to circulate on several YouTube videos, so watch out for links using telegra.ph or mediafire.com domains.
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Be the first to comment