Malicious File being distributed via YouTube

YouTube being used to distribute malware?

The ASEC analysis team recently discovered an infostealer being distributed via YouTube. The threat actor disguised the malware as a game hack for ‘Valorant’ and uploaded the video below with a download link for the file; the video then instructs viewers to turn off their anti-virus program.

When users click the link to download this Valorant game hack, the following is displayed:

  • Download page URL: hxxps://anonfiles[.]com/J0b03cKexf
  • File download URL: hxxps://cdn-149.anonfiles[.]com/J0b03cKexf/bfb807d9-1646204724/Pluto%20Valornt%20cheat.rar

The downloaded archive “Pluto Valornt cheat.rar” contains an executable named “Cheat installer.exe”. Users would not think twice about opening the file because the file names and display images look legitimate. However, although it appears to be a game hack, it is actually an infostealer. When the malware is executed, it collects basic information about the infected system as well as various user data: screenshots, account credentials saved in web browsers, VPN client credentials, cryptocurrency wallet files, Discord tokens and Telegram session files. Below is the list of targets it steals:

1. Basic information
– Computer name, user name, IP address, Windows version, system information (CPU, GPU, RAM, etc.), and list of processes

2. Web browser
2.1. List of targeted web browsers
– Chrome, Edge, and Firefox
2.2. Stolen information
– Passwords, credit card numbers, AutoFill forms, bookmarks, and cookies

3. Cryptocurrency wallet files
– Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, and Jaxx

4. VPN client account credentials
4.1. List of targeted VPN clients
– ProtonVPN, OpenVPN, and NordVPN
4.2. Stolen information
– Account credentials

5. Others
5.1. FileZilla
– Host address, port number, user name, and passwords
5.2. Minecraft VimeWorld
– Account credentials, level, ranking, etc.
5.3. Steam
– Client session information
5.4. Telegram
– Client session information
5.5. Discord
– Token information

The malware compresses the stolen information listed above and sends the archive to the attacker through the Discord Webhook API. A webhook lets the malware deliver data and notifications to a specific channel in a Discord server that the attacker controls. Put simply, the malware attaches the compressed archive to a POST request to the webhook URL, and the attacker receives both the stolen data and a notification in their Discord server. The malware uses the attacker's two webhook URLs below.

  • WebHook URL: hxxps://discordapp[.]com/api/webhooks/947181971019292714/gXE5T4ZQQF0yGOhuBSDhTkFXB0ut9ai71IZmOFvsdIaznalhyvQP0h45xCss-8W7KQCo
    UserAgent: log
    UserName: log
  • WebHook URL: hxxps://discord[.]com/api/webhooks/940299131098890301/RU4T0D4gNAYM0BZkAMMKQRwGBORfHiJUJ5lJ20Gd-s2yCIX9lXCbyB6yZ6zHUA5B-H42
    UserAgent: logloglog91
    UserName: logloglog91
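As an added defender-side example that is not part of the ASEC report or this post, the Python below scans proxy log lines for POST requests to Discord webhook URLs and flags the short non-browser User-Agent strings the report notes. The tab-separated log format, the IP addresses, and the webhook IDs and tokens are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed, tab-separated proxy log lines (not from the report):
# timestamp, source IP, method, URL, User-Agent, HTTP status. Webhook IDs/tokens are placeholders.
SAMPLE_LOG = "\n".join([
    "2022-03-02T10:00:01Z\t10.0.0.5\tPOST\thttps://discordapp.com/api/webhooks/123456789012345678/CONSTRUCTED-TOKEN-aaa\tlog\t200",
    "2022-03-02T10:00:02Z\t10.0.0.5\tGET\thttps://cdn-149.anonfiles.com/J0b03cKexf/Pluto%20Valornt%20cheat.rar\tMozilla/5.0 (Windows NT 10.0)\t200",
    "2022-03-02T10:05:09Z\t10.0.0.7\tPOST\thttps://discord.com/api/webhooks/987654321098765432/CONSTRUCTED-TOKEN-bbb\tlogloglog91\t204",
    "2022-03-02T10:06:00Z\t10.0.0.9\tGET\thttps://discord.com/api/webhooks/555555555555555555/CONSTRUCTED-TOKEN-ccc\tMozilla/5.0 (Windows NT 10.0)\t200",
    "this line is malformed",
])

# Matches discord.com and discordapp.com webhook endpoints: group 1 is the webhook ID, group 2 the secret token.
WEBHOOK_RE = re.compile(r"https?://(?:discordapp|discord)\.com/api/webhooks/(\d+)/([A-Za-z0-9_\-]+)")
BROWSER_UA_PREFIX = "Mozilla/"  # browsers and the Discord desktop client send Mozilla/... User-Agents

@dataclass
class Finding:
    src: str
    webhook_id: str
    user_agent: str
    reason: str

def parse_line(line):
    """Split one tab-separated log line into a dict, or return None if it is malformed."""
    parts = line.split("\t")
    if len(parts) != 6:
        return None
    ts, src, method, url, ua, status = parts
    return {"ts": ts, "src": src, "method": method, "url": url, "ua": ua, "status": status}

def detect_webhook_exfil(log_text):
    """Return a Finding for every POST to a Discord webhook, noting non-browser User-Agents."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        m = WEBHOOK_RE.search(rec["url"])
        if not m:
            continue
        reasons = ["POST to Discord webhook"]
        if not rec["ua"].startswith(BROWSER_UA_PREFIX):
            reasons.append("non-browser User-Agent %r" % rec["ua"])
        # The token (group 2) is deliberately not recorded: it is a secret that grants posting rights.
        findings.append(Finding(rec["src"], m.group(1), rec["ua"], "; ".join(reasons)))
    return findings
```

In a real deployment the webhook ID in each finding is enough to block the endpoint and to correlate the sending host with the original RAR download.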

Source: https://asec.ahnlab.com/en/32499/