How YouTube Videos Are Being Used To Spread An Unusual Malware Bundle To Gamers

YouTube is being used to distribute a novel bundle of malware but probably not in the way you'd expect. The videos promote cracks and cheats for several popular games, but links in the video description expose viewers to malware downloads. The malware itself propagates these videos by taking over user accounts to upload more copies. It also steals everything that isn't nailed down in the process.

The malware campaign targets fans of games like FIFA, Final Fantasy, Forza Horizon, Lego Star Wars, and Spider-Man. While users think they are downloading hacks for the game, they're actually downloading a ZIP file crawling with malware. It includes, among other things, the RedLine data stealer, which can access passwords, cryptocurrency wallets, and more. There's also a crypto miner that uses the victim's GPU to grind out digital currency. There's little indication of these processes running on the computer because the archive also includes a legitimate Windows utility called NirCmd that hides windows and system tray icons generated by the malware.

The real star of the show is a trio of malicious executables: MakiseKurisu.exe, download.exe, and upload.exe. MakiseKurisu is a password stealer that extracts cookies from the user's browser, specifically the YouTube login cookie. Next, "download" pulls the bait video and description text from a GitHub repository, and then "upload" posts it to YouTube using the stolen account. Someone else eventually comes along, downloads the linked archive, and the whole thing starts over again.
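The chain above is unusual in that its stages are separate executables dropped from one archive, which makes it a natural target for a simple correlation check. The following is an added example, not code from the article or from Kaspersky: it scans constructed process-creation records (the `time|user|image_path` format and sample log are assumptions) and flags a user directory from which several members of the chain ran within a short window, while leaving a lone, legitimate NirCmd run alone.

```python
# Added example (not from the article): flag the stealer/download/upload chain
# when its stages start from the same directory within a short time window.
# Event format and the sample log below are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Executable names reported in the article. nircmd.exe is a legitimate utility
# the bundle abuses to hide windows; by itself it is not a sign of compromise.
CHAIN = {"makisekurisu.exe", "download.exe", "upload.exe", "nircmd.exe"}
WINDOW = timedelta(minutes=10)
MIN_STAGES = 3  # distinct chain members from one directory needed to alert

def parse_event(line):
    """Parse 'ISO-time|user|full_image_path' (constructed format) into a dict."""
    ts, user, image = line.strip().split("|", 2)
    folder, _, name = image.rpartition("\\")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "dir": folder.lower(), "name": name.lower()}

def find_chains(lines):
    """Return one (user, dir, sorted stage names) alert per suspicious group."""
    groups = defaultdict(list)
    for e in map(parse_event, lines):
        if e["name"] in CHAIN:
            groups[(e["user"], e["dir"])].append(e)
    alerts = []
    for (user, folder), events in groups.items():
        events.sort(key=lambda e: e["ts"])
        # Sliding window: distinct chain members seen within WINDOW of each start.
        for i, first in enumerate(events):
            seen = {e["name"] for e in events[i:] if e["ts"] - first["ts"] <= WINDOW}
            if len(seen) >= MIN_STAGES:
                alerts.append((user, folder, sorted(seen)))
                break
    return alerts

SAMPLE_LOG = [  # constructed sample events, not real telemetry
    "2024-01-01T18:02:10|gamer|C:\\Users\\gamer\\Downloads\\fifa_cheat\\MakiseKurisu.exe",
    "2024-01-01T18:02:12|gamer|C:\\Users\\gamer\\Downloads\\fifa_cheat\\nircmd.exe",
    "2024-01-01T18:03:40|gamer|C:\\Users\\gamer\\Downloads\\fifa_cheat\\download.exe",
    "2024-01-01T18:05:01|gamer|C:\\Users\\gamer\\Downloads\\fifa_cheat\\upload.exe",
    "2024-01-01T19:30:00|admin|C:\\Tools\\nircmd.exe",  # benign admin use, alone
    "2024-01-02T09:00:00|gamer|C:\\Users\\gamer\\Desktop\\download.exe",  # isolated
]

if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print("suspicious chain:", alert)
```

The window and stage threshold are tuning knobs; a rule keyed on the directory and user, rather than on any single filename, survives the attacker renaming one component.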

(Screenshot: the self-propagating stealer's bait video description.) Yep, nothing suspicious there.

The aggressive propagation mechanism makes it difficult to take down all copies of the video, but this is a surprisingly easy one to avoid—all you need is a little common sense. The video descriptions include installation instructions for the supposed cheats, and one of them is "disable your antivirus." Even casual internet users should know by now that anyone who tells you to disable your antivirus and install a mysterious file is not on the up and up. And yet, the malware is still spreading.

According to Kaspersky SecureList, Google is aware of the campaign and is terminating channels that upload the videos for violating community guidelines. So, trying to download game cracks not only gets all your personal data stolen, but you also lose your YouTube account.

Editor's Note: We've partnered with Cheat Happens for a fantastic giveaway promotion of five GeForce RTX 3080 video cards. Cheat Happens creates legitimate cheats and trainers for single-player games only. It's been in business for over two decades and has a strict no-multiplayer policy. Even for gray area games like Elden Ring, Cheat Happens only supports offline usage.