A large-scale malware distribution campaign uses YouTube videos to direct viewers to websites that pretend to offer installers for over 100 games and apps but instead infect them with information stealers.
Using YouTube videos to infect people with malware isn’t a novel technique, but on previous occasions, the threat actors included the download link in the video description.
In this campaign, spotted first by researchers at Cyble, the link in the video description doesn’t lead directly to the executable but to a site that offers a large catalogue of software downloads.
Three of the malicious videos having over 30,000 views
This tactic has several advantages for the campaign operators, including that:
YouTube is less likely to delete those videos since they don’t link directly to a malicious resource,
there can be multiple videos with varying lures pointing to the same website,
visitors are likely to spot other stuff they’re interested in, ending up installing multiple files and creating redundancy for the attackers.
The software lures used in these sites include expensive productivity tools like Adobe Lightroom 2022, Sony Vegas Pro, and AutoCAD, or games like Saints Row, NBA 2K23, and Marvel’s Spider-Man.
Site dropping Raccoon Stealer instead of the advertised games
In many cases, there are also plugins, cracks, ROBLOX scripts, and hacks/cheats for games promising unlimited in-game money, feature unlocking, etc.
The two info-stealers dropped by this campaign are Vidar Stealer and RecordBreaker Stealer (aka Raccoon stealer v2.0), two malware strains rented to independent operators for a subscription.
Website distributing fake