Threat actors deliver malware via YouTube video game cracks: Proofpoint research

PHOTO

The activity likely targets consumer users who do not have the benefits of enterprise-grade security on their home computers.

Dubai, United Arab Emirates: Threat actors often target home users because they do not have the same resources or knowledge to defend themselves from attackers compared to enterprises. While the financial gain might not be as large as attacks perpetrated on corporations, the individual victims likely still have data like credit cards, cryptocurrency wallets, and other personal identifiable information (PII) stored on their computers which can be lucrative to criminals.

Proofpoint Emerging Threats has observed information stealer malware, including Vidar, StealC, and Lumma Stealer, being delivered via YouTube in the guise of pirated software and video game cracks. The videos purport to show an end user how to do things like download software or upgrade video games for free, but the link in the video descriptions leads to malware. Many of the accounts that are hosting malicious videos appear to be compromised or otherwise acquired from legitimate users, but researchers have also observed likely actor-created and controlled accounts that are active for only a few hours, created exclusively to deliver malware. Third-party researchers have previously published details on fake cracked software videos used to deliver malware.

Figure 1 - Example of a verified YouTube account with a large following, suspected to be compromised

The distribution method is particularly notable due to the type of video games the threat actors appear to promote. Many of them appear to be targeted at younger users, including games popular with children, a group that is less likely to be able to identify malicious content and risky online behaviors.

Proofpoint Emerging Threats reported over two dozen accounts and videos distributing malware to YouTube, which removed the content.

Example Account

Suspected compromised accounts (or potentially sold to a new “content creator”) are used to deliver malware. Indicators of a suspected compromised or otherwise acquired account include significant gaps of time between the videos posted, content that vastly differs from previously published videos, differences in languages, and descriptions of the videos containing likely malicious links, among other indicators.

Figure 2 - Video description containing a MediaFire URL leading to Vidar Stealer

One of the accounts has around 113,000 subscribers, and it displays a grey check mark that indicates the account owner has met verified channel requirements, including verifying their identity.

When Proofpoint researchers identified the account, the majority of the account’s videos had been posted one year or more previously, and all had titles written in Thai. However, when the account was identified, twelve (12) new English language videos had been posted within a 24-hour period, all related to popular video games and software cracks. All of the new video descriptions included links to malicious content. Some of the videos had over 1,000 views, possibly artificially increased by bots to make the videos seem more legitimate.

Figure 3 - Comments on the video purporting to confirm the legitimacy of the URL. png

Empress Impersonation

Proofpoint identified multiple videos purporting to distribute Empress video game cracks. Empress is a well-known entity in the software piracy community. In one example, a user purported to distribute cracked “League of Legends” content on the video-sharing platform. The video description contained a Telegram URL that led to a post containing instructions on how to download the content and a MediaFire URL leading to a RAR archive containing an executable. The file was named “empress.exe” to appear to come from the popular software piracy resource and appear to be “legitimate.”

Figure 4 - Screenshot of a video description that includes instructions to disable antivirus

Discord Server Distribution

Another payload distribution method via YouTube video descriptions that differs from MediaFire URLs is Discord URLs. Proofpoint observed threat actors creating and managing a Discord server that has different malware for each game. The Discord link in the video description will direct users to a Discord channel that hosts the files available for download and includes instructions on how to download and install them.

Proofpoint observed multiple distinct activity clusters distributing information stealers via YouTube and does not attribute the activity to a tracked threat actor or group. The techniques used are similar, however, including the use of video descriptions to host URLs leading to malicious payloads and providing instructions on disabling antivirus, and using similar file sizes with bloating to attempt to bypass detections. Based on the similarities of the video content, payload delivery, and deception methods, Proofpoint assesses that the actors are consistently targeting non-enterprise users.

Figure 5 - YouTube description advertising empress.exe

Proofpoint does not currently have visibility on how the identified YouTube accounts may have been compromised and YouTube has been quick to remove accounts reported by the Proofpoint Research team.

End users should be aware of the techniques used by threat actors to entice users into engaging with video game content purported to help them cheat or bypass paid functionality.

Media Contact:
Sara Seggari
sara.seggari@bpggroup.com

Threat actors deliver malware via YouTube video game cracks: Proofpoint research

DISCOVER MORE

State of Security 2024 report reveals growing impact of Generative AI on cybersecurity landscape

Small business, big risks: prioritizing password protection

Ransomware payments increase 500% in the last year, finds Sophos State of Ransomware Report

Global report finds organizations overlook huge blind spots in their AI overconfidence

J.P. Morgan Private Bank releases inaugural report on global family offices

Dubai's residential real estate market witnesses record-breaking growth in Q1 2024

Autodesk report reveals evolving AI trends, with 52 percent of Middle East companies to prioritize AI capabilities when hiring

Management ‘bought the AI hype’ and expect value but research shows lack of organizational readiness is primary hurdle

Albal Design launches UAE's first science based interior design concept

Aldar launches Athlon: Dubai’s first ‘active living’ community

Sanabil’s Venture Studio celebrates one year anniversary with launch of 4 startups

Spinneys 1961 Holding plc successfully completes IPO bookbuild

Reem Hospital showcases cutting-edge Orthopedic insights at "Advancements in Orthopedic Care" International Medical Symposium

UK police lead global operation against phishing website platform

Financial sector lost $12bln in 20 years due to cyberattacks: IMF

Cybercrime cases continue to rise, up 21.84% in Q1 in Philippines

UAE residents urged to stay vigilant amid cyber threats; tips to spot phishing emails

Russian official says election video surveillance systems in Siberia hit by cyberattack - TASS

LATEST VIDEO

VIDEO: UAE’s Apparel Group founder Sima Ved talks growth, IPO plans

ZAWYA COVERAGE

Dubai aircraft lessor DAE’s Q1 2024 profit dips to $67.8mln

UAE Central Bank holds rates steady following US Fed move

Saudi petrochemical group SABIC's Q1 2024 profit falls 62% to $67mln

Dubai’s Spinneys says IPO orders exceed $19bln

Asia stocks rise as Fed tamps down hike fears; yen leaps

Nvidia supplier SK Hynix says HBM chips almost sold out for 2025

US accuses Russia of using 'chemical weapon' in Ukraine

Trump blasts Biden in rare day on campaign trail

As student protests shake US campuses, Biden mum

THE BRI REPORT

China’s flagship global infrastructure initiative is changing in the face of potent headwinds