Password stealer now propagates from a GitHub link that uses NFT content as bait
Researchers have uncovered a new campaign to spread the RedLine Stealer – a low-cost password stealer sold on underground forums – through a series of YouTube videos that take advantage of global interest in NFTs.
The lure is a bot’s offer to allow a user to automatically purchase Binance NFT Mystery Boxes when they become available. The bot is fake, however. Video descriptions on YouTube pages lead victims to unwittingly download RedLine Stealer from a GitHub link, according to Gustavo Palazolo, malware analyst at Netskope Threat Labs.
“RedLine Stealer was previously notorious for abusing YouTube videos to propagate through fake themes; however, we saw in this campaign that the attacker is also abusing GitHub in the attack stream to host payloads,” said Palazolo. Netskope discovered the campaign in April.
“Although RedLine Stealer is low-cost malware, it offers many features that can cause serious harm to its victims, such as loss of sensitive data,” Palazolo said.
The NFT hook is simple: Binance issues Mystery Boxes in limited quantities, for a relatively low cost, but they may contain digital assets worth more than the purchase price.
The videos are hosted on a YouTube channel under the name “Andrés Jiménez”, which has nearly 400 subscribers.
Four of the videos are still online on YouTube. Google, YouTube’s parent company, did not respond to requests for comment.
All of the YouTube videos include a link to the same GitHub URL, which leads to a file named “BinanceNFT.bot v.1.3.zip”.
When Palazolo unzipped the archive, he found the RedLine sample (“BinanceNFT.bot v.1.3.exe”) and a Microsoft Visual C++ redistributable installer (“VC_redist.x86.exe”).
“The file ‘README.txt’ contains the instructions to run the fake NFT bot, including installing Microsoft Visual C++. This is probably necessary because RedLine is developed in .NET and it is also unzipped and injected into an executable from this framework,” Palazolo explained.
The malware does not run, Palazolo said, if the infected computer is detected in one of these countries:
Palazolo noted that the GitHub account that owns the repository – “NFTSupp” – started operating in March 2022.
The same repository contains 15 additional zipped files containing five separate RedLine Stealer loaders.
“The five loaders we analyzed are slightly different, but they all unpack and inject RedLine Stealer in the same way, as we described earlier in this analysis. The oldest sample we found was likely compiled on March 11, 2022 and the most recent on April 7, 2022,” he said.
“Also, two out of five files are digitally signed, which can bypass some anti-virus engines. The first appears to use a signature from ‘NordVPN SA’.”
In a report published two weeks ago, Bitdefender said that earlier this year it noticed a campaign using exploits found in Internet Explorer – specifically CVE-2021-26411 – to deliver the RedLine Stealer.
Hackers deploying the malware launched thousands of attacks against systems in more than 150 countries and territories in April.
RedLine allows attackers to access system information such as usernames, hardware, installed browsers, and antivirus software before exfiltrating passwords, credit cards, crypto wallets, and VPN connections to a remote command and control server.
With RedLine Stealer, hackers have the ability to extract login credentials from web browsers, FTP clients, email apps, instant messaging clients, and VPNs before selling them on underground markets.
Bogdan Botezatu, director of threat research at Bitdefender, told The Record that the company identified more than 10,000 attacks involving the RedLine malware in April alone.
Insikt Group, the cybersecurity research arm of Recorded Future, discovered in October that the vast majority of stolen credentials currently being sold on two dark web underground marketplaces were harvested using the RedLine Stealer malware.
Recorded Future analyst and product manager Dmitry Smilyanets corroborated Bitdefender’s findings and added that the actual number of compromised hosts is much higher.
“Based on the data set for the last six weeks, we can say that Brazil, Indonesia, India and the United States were the main targets,” Smilyanets said.