Kaspersky researchers have identified a new malware bundle that uses victim’s YouTube channels to upload malicious tutorials to spread the malicious package.
After intensive investigation, the researchers found a RAR archive containing a collection of malware, in particular RedLine, a popular information stealer. A miner is also included in the RAR archive and uses the victim’s graphic card, as they are basically watching gaming videos on YouTube. The graphic cards are used by the attackers to mine cryptocurrency.
In addition, the self-propagating malware bundle includes a legitimate Nirsoft NirCmd utility called “nir.exe,” that hides all executables at startup, and does not create windows in the user interface or any icons in the taskbar, ensuring that everything is hidden from the victim.
The researchers also discovered three malicious executables in the RAR archive that perform the bundle’s self-propagation. The three malicious executables are “MakiseKurisu.exe,” “download.exe,” and “upload.exe.”
MakiseKurisu is a modified version of a widely used C# password stealer that is used solely to extract cookies from browsers and store them locally. The second executable file, “download.exe,” is used to download a video from YouTube that is a copy of the videos promoting the malicious bundle. “upload.exe” is used to upload the malware-promoting videos to YouTube, using the stolen cookies to log on to the victim’s YouTube account and spread the bundle through their channel.
The sources for this piece include an article in BleepingComputer.