Security researchers in Korea have discovered a malware distribution operation on YouTube that uses Valorant cheat lures to trick gamers into installing RedLine, a potent information stealer. This type of abuse is widespread because threat actors find it easy to get around YouTube’s content submission reviews, or to create new accounts after being reported and banned.
The campaign, discovered by ASEC, targets the community around Valorant, a free first-person shooter for Windows; the lure video’s description includes a link to download an auto-aiming bot. These cheats are game add-ons that let players aim at targets quickly and precisely, scoring headshots without any skill. Auto-aiming bots are in high demand for popular multiplayer games like Valorant because they offer an easy way to climb the rankings.
Users who try to download the file linked in the video’s description are sent to an anonfiles page, where they receive a RAR archive containing the executable “Cheat installer.exe.” In reality, this program is a copy of RedLine Stealer, one of the most widely used password-stealing malware families, which collects the following information from infected systems:
- Basic Information: Computer name, user name, IP address, Windows version, system information (CPU, GPU, RAM, etc.), and list of processes
- Web Browsers: Passwords, credit card numbers, AutoFill forms, bookmarks, and cookies, from Chrome, Chrome-based browsers, and Firefox
- VPN Clients: ProtonVPN, OpenVPN, and NordVPN
- Cryptocurrency Wallets: Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, and Jaxx
- Others: FileZilla (host address, port number, user name, and passwords), Minecraft (account credentials, level, ranking), Steam (client session), Discord (token information)
After collecting this data, RedLine packages it in a ZIP archive named “().zip” and sends it to a Discord server with a POST request to a Discord webhook.
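Added example, not from the ASEC report or the original article: a small Python scanner over constructed, tab-separated endpoint/network records that flags the exfiltration pattern just described, a non-Discord process POSTing an archive to a Discord webhook URL. The record format, process names and webhook IDs are assumptions made for the example.

```python
# Added example (not from the ASEC report): flag RedLine-style exfiltration, i.e. a
# non-Discord process POSTing an archive to a Discord webhook. Record format is assumed.
import re
from collections import namedtuple

# Discord webhook endpoints live under /api/webhooks/<id>/<token>
WEBHOOK_RE = re.compile(
    r"^https?://(?:[\w-]+\.)*discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I)
LEGIT_CLIENTS = {"discord.exe", "discordptb.exe", "discordcanary.exe"}
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")
FIELDS = ("time", "src_ip", "process", "method", "url", "status", "upload")
Finding = namedtuple("Finding", "time src_ip process reasons")

def parse_record(line):
    """Split one tab-separated record; return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    return dict(zip(FIELDS, fields)) if len(fields) == len(FIELDS) else None

def check_event(ev):
    """Return the reasons this event looks like webhook exfiltration (empty if benign)."""
    reasons = []
    if ev["method"].upper() != "POST" or not WEBHOOK_RE.match(ev["url"]):
        return reasons                      # only webhook POSTs are of interest
    if ev["process"].lower() not in LEGIT_CLIENTS:
        reasons.append("webhook POST from non-Discord process")
    upload = ev["upload"]                   # uploaded file name, "-" if none
    if upload != "-" and upload.lower().endswith(ARCHIVE_SUFFIXES):
        reasons.append("archive uploaded to webhook")
    if upload == "().zip":                  # archive name ASEC reports for RedLine
        reasons.append("RedLine archive name")
    return reasons

def scan(log_text):
    """Scan a whole log; one Finding per suspicious record, in log order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_record(line)
        if ev is not None and (reasons := check_event(ev)):
            findings.append(Finding(ev["time"], ev["src_ip"], ev["process"], tuple(reasons)))
    return findings

# Constructed sample records: time, src_ip, process, method, url, status, upload
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("10:02:11", "10.0.0.5", "chrome.exe", "GET", "https://www.youtube.com/watch?v=EXAMPLE", "200", "-"),
    ("10:03:40", "10.0.0.5", "Cheat installer.exe", "POST",
     "https://discord.com/api/webhooks/123456789012345678/EXAMPLE-token", "204", "().zip"),
    ("10:04:02", "10.0.0.7", "Discord.exe", "POST",
     "https://discord.com/api/webhooks/987654321098765432/EXAMPLE-token", "200", "-"),
    ("10:05:30", "10.0.0.9", "powershell.exe", "POST",
     "https://discordapp.com/api/webhooks/555555555555555555/EXAMPLE-token", "204", "-"),
])
```

Running `scan(SAMPLE_LOG)` flags the cheat installer (three reasons) and the PowerShell POST (one reason) while leaving the browser and the real Discord client alone.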
Apart from the fact that cheating in video games detracts from the game’s enjoyment and ruins it for others, it is always a security risk. None of these cheat tools are created by reputable companies, none are digitally signed (so antivirus warnings are likely to be ignored), and many are malware.
ASEC’s report covers one current example, but it is only one of many malicious download URLs hidden behind YouTube videos that offer free software of various kinds. The videos that advertise these products are frequently taken from other sources and re-posted as lures by malicious actors on newly created channels. Even when the comments under these videos praise the uploader and say the program works as advertised, those remarks should not be trusted, because they are easily faked.