Bogus Valorant Cheats on YouTube Infect Users with RedLine Stealer Malware

Security researchers in South Korea have discovered a malware distribution operation on YouTube that uses Valorant cheat baits to fool gamers into downloading RedLine, malicious software that can steal information and infect operating systems with malware.

It seems that it’s easy for cybercriminals to get around YouTube’s new content submission reviews or create new accounts when reported and blocked, hence this sort of abuse is quite prevalent.

The campaign, discovered by South Korean security software provider AhnLab, is aimed at the gaming community of Valorant, a free-to-play first-person hero shooter developed and published by Riot Games for Microsoft Windows.

According to BleepingComputer, the operation provides a link to download an auto-aiming bot in the description of the video.

Video promoting fake auto-aiming bot (ASEC)


How Does It Work?

These cheat lures are supposedly game add-ons that allow players to aim at adversaries quickly and precisely, enabling them to win headshots without showing any expertise.

As explained by BleepingComputer, for popular multiplayer games such as Valorant, auto-aiming bots are in high demand as they allow for easy ranking progression.

How Is the RedLine Info Stealer Dropped?

Players who try to download the file in the video’s description will be directed to an anonfiles website, where they will be given a RAR archive containing the “Cheat installer.exe” executable.

This file is actually a copy of RedLine stealer, one of the most commonly used password-stealing malware infections, and according to BleepingComputer, grabs information from compromised systems, including:

  • Basic information: Computer name, user name, IP address, Windows version, system information (CPU, GPU, RAM, etc.), and list of processes
  • Web browsers: Passwords, credit card numbers, AutoFill forms, bookmarks, and cookies, from Chrome, Chrome-based browsers, and Firefox
  • Cryptocurrency wallets: Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, and Jaxx
  • VPN clients: ProtonVPN, OpenVPN, and NordVPN
  • Others: FileZilla (host address, port number, user name, and passwords), Minecraft (account credentials, level, ranking), Steam (client session), Discord (token information)

After gathering this data, RedLine bundles it into a ZIP archive called “() .zip” and exfiltrates the files via a webhook API POST request to a Discord server.
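The exfiltration step above (a POST of the collected data to a Discord webhook from the fake cheat installer) is something a defender can hunt for in proxy logs. The following is an added example, not code from the article or from AhnLab; the log format, the sample lines and the file name are constructed, and the rule simply flags webhook POSTs from any process that is not the Discord desktop client.

```python
import re
import shlex
from dataclasses import dataclass
# Constructed sample proxy log lines (not from the article). Fields:
# timestamp, process image, HTTP method, URL, request content type, request bytes.
SAMPLE_LOG = """\
2022-03-10T14:02:11Z chrome.exe GET https://www.youtube.com/watch?v=placeholder text/html 512
2022-03-10T14:03:40Z "Cheat installer.exe" POST https://discord.com/api/webhooks/1234567890/AbCdEf multipart/form-data 184320
2022-03-10T14:04:02Z Discord.exe POST https://discord.com/api/v9/channels/1/messages application/json 210
2022-03-10T14:05:15Z firefox.exe POST https://discordapp.com/api/webhooks/999/placeholder application/json 96
"""

# Discord webhook endpoints: discord.com or discordapp.com, /api/webhooks/<id>/<token>
WEBHOOK_RE = re.compile(r"^https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I)
# Only the Discord desktop client is expected to talk to Discord's API; a webhook
# POST from any other image (here the fake cheat installer) matches the RedLine pattern.
EXPECTED_DISCORD_CLIENTS = {"discord.exe", "discordptb.exe", "discordcanary.exe"}

@dataclass
class Alert:
    timestamp: str
    process: str
    url: str
    file_upload: bool   # multipart body: consistent with a ZIP archive being uploaded

def parse_line(line: str):
    """Split one log line into its six fields; shlex keeps quoted process names intact."""
    fields = shlex.split(line)
    if len(fields) != 6:
        return None
    ts, proc, method, url, ctype, nbytes = fields
    return ts, proc, method.upper(), url, ctype.lower(), int(nbytes)

def detect_webhook_exfil(log_text: str) -> list:
    alerts = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, proc, method, url, ctype, nbytes = parsed
        if method != "POST" or not WEBHOOK_RE.match(url):
            continue
        if proc.lower() in EXPECTED_DISCORD_CLIENTS:
            continue
        alerts.append(Alert(ts, proc, url, ctype.startswith("multipart/")))
    return alerts

if __name__ == "__main__":
    for a in detect_webhook_exfil(SAMPLE_LOG):
        print(f"{a.timestamp} {a.process!r} -> {a.url} upload={a.file_upload}")
```

Webhook POSTs carrying a multipart body are the strongest signal here; a JSON-only POST from a browser may be a legitimate integration and deserves lower severity.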

Links in YouTube Videos Are Dangerous

Aside from the fact that using various tools to create an advantage beyond normal gameplay is unfun and ruins the game for others, it is almost always a potentially severe security threat.

None of these cheat methods are created by reputable companies, none of them are digitally signed (so antivirus warnings are likely to be ignored), and many of them are malware. The videos that advertise these tools are frequently stolen from other sources and re-posted on new channels by malicious users as lures.

Even if the uploader is praised in the comments section and the tool is said to work as advertised, do not rely on them, as these types of comments can be easily faked.

