According to researchers at Kaspersky, YouTube is being used to spread the RedLine stealer. Discovered in March 2020, RedLine is one of the most common Trojans being used to steal credentials, cookies, bank cards, and auto-fill details from Chromium and Gecko based browsers. It can also steal crypto wallets, instant messenger and FTP/SSH/VPN clients, and files with certain extensions from devices. RedLine can also run third-party software tools, execute commands in cmd.exe, and open links via the browser. It is openly available for purchase for just a few hundred dollars on underground forums. The stealer is spread in various ways including through spam emails and third-party loaders. Furthermore, the bundle has self-propagation abilities. “Several files are responsible for this, which receive videos and post them to the infected users’ YouTube channels along with the links to a password–protected archive with the bundle in the description,” the advisory reads. “The videos advertise cheats and cracks and provide instructions on hacking popular games and software.” From a technical standpoint, the bundle is a self–extracting RAR archive containing several malicious files, clean utilities, and a script programmed to automatically run the unpacked contents.
According to Kaspersky this is a prime example of how the use of a game cheat lures victims into being infected. The best way to avoid attacks like these is to use caution when accessing free software, especially from untrusted sources.