A new RedLine malware distribution campaign is promoting fake Binance NFT mystery box bots on YouTube to lure people into infecting themselves with the information-stealing malware hosted in GitHub repositories.
Binance mystery boxes are sets of random non-fungible token (NFT) items that people buy in the hope of receiving a unique or rare item at a discount. Some of the NFTs found in these boxes can be used to add rare cosmetics or personas inside online blockchain games.
Mystery boxes are popular in the NFT market because they offer buyers the excitement of the unknown and the potential for a big payday if they land a rare NFT. However, marketplaces like Binance offer them in limited numbers, so some boxes are hard to get before they run out of stock.
Because of this, buyers often deploy "bots" to acquire them, and it is precisely this hot trend that the threat actors are trying to take advantage of.
YouTube and GitHub abuse
According to a new report by Netskope, threat actors are creating YouTube videos to entice potential victims into downloading and installing the malware on their computer, thinking they are getting a free mystery box scalper bot.
BleepingComputer confirmed that the videos listed in the indicators of compromise are still available on YouTube, albeit with a low number of views.
There are likely many more than those observed by Netskope, and it is also possible that earlier scam videos with a higher number of views were reported and taken down by YouTube moderators.
The threat actors uploaded the videos between March and April 2022, and they all feature a link to a GitHub repository that supposedly hosts the bot but, in reality, distributes RedLine.
The name of the dropped file is "BinanceNFT.bot_v1.3.zip". It contains a similarly named executable, which is the payload, a Visual C++ installer, and a README.txt file.
According to the report, RedLine requires the VC redistributable installer to run because the program is developed in .NET, while the text file contains the installation instructions for the victim.
In this campaign, RedLine was configured to exit if it detected the host computer's country to be Russia, Ukraine, Belarus, Armenia, Azerbaijan, Kazakhstan, Moldova, Uzbekistan, Tajikistan, or Kyrgyzstan.
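As an added example (not code from Netskope, BleepingComputer, or the RedLine operators), the following Python triages an archive with the layout described above without running anything in it: it walks the ZIP members, hashes each one for IOC lookups, recognises PE executables by their DOS/PE headers rather than by extension, flags the executable-plus-redistributable-plus-README lure pattern, and records the campaign's geofence list so an analyst does not detonate the sample in a sandbox whose region makes it exit immediately. The archive contents are constructed for the example: the member names other than "BinanceNFT.bot_v1.3" are assumed, the PE bodies are header stubs, and the mapping of the country names to ISO 3166-1 codes is this example's own.

```python
"""Static triage of a 'bot' archive like the one described above.

Added example; not code from Netskope, BleepingComputer or the malware authors.
The archive built by build_sample_archive() is constructed for the example: the
member names other than "BinanceNFT.bot_v1.3" are assumed, and the PE bodies
are header stubs, not real executables.
"""
import hashlib
import io
import struct
import zipfile

# Countries the report says this RedLine build exits on. The ISO 3166-1 codes
# are this example's mapping of the country names given in the article.
GEOFENCED_COUNTRIES = {"RU", "UA", "BY", "AM", "AZ", "KZ", "MD", "UZ", "TJ", "KG"}


def sample_exits_in(country_code: str) -> bool:
    """True if the build would quit on a host reporting this country. A sandbox
    configured with one of these regions records a benign-looking run."""
    return country_code.strip().upper() in GEOFENCED_COUNTRIES


def is_pe(data: bytes) -> bool:
    """Recognise a Windows PE by its headers, not its extension: a DOS 'MZ' stub
    whose e_lfanew field (offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_archive(zip_bytes: bytes) -> dict:
    """Enumerate every member, hash it for IOC lookups, and flag the
    executable + redistributable + README lure pattern. Nothing is executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            findings.append({
                "name": info.filename,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "is_pe": is_pe(data),
            })
    names_lower = [f["name"].lower() for f in findings]
    pe_files = [f["name"] for f in findings if f["is_pe"]]
    has_readme = any(n.endswith("readme.txt") for n in names_lower)
    has_redist = any("redist" in n for n in names_lower)
    # A "bot" that ships its own executable, an installer dependency and
    # step-by-step install instructions is the lure shape the article describes.
    lure_pattern = bool(pe_files) and has_readme and has_redist
    return {
        "findings": findings,
        "pe_files": pe_files,
        "lure_pattern": lure_pattern,
        "verdict": "do not run; submit hashes to VirusTotal" if pe_files else "no executables found",
    }


def minimal_pe() -> bytes:
    """Constructed header stub that satisfies is_pe(); it is not a runnable binary."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> right after the DOS stub
    return bytes(stub) + b"PE\0\0" + b"\0" * 20


def build_sample_archive() -> bytes:
    """Constructed stand-in for BinanceNFT.bot_v1.3.zip with the layout the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("BinanceNFT.bot_v1.3/BinanceNFT.bot_v1.3.exe", minimal_pe())  # payload
        zf.writestr("BinanceNFT.bot_v1.3/VC_redist.x64.exe", minimal_pe())       # assumed installer name
        zf.writestr("BinanceNFT.bot_v1.3/README.txt",
                    b"1. Install VC_redist.x64.exe\r\n2. Run BinanceNFT.bot_v1.3.exe\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_archive(build_sample_archive())
    for f in report["findings"]:
        print(f"{f['name']:<48} {f['size']:>6} B  pe={f['is_pe']}  {f['sha256'][:16]}...")
    print("lure pattern:", report["lure_pattern"], "|", report["verdict"])
    print("sandbox in RU would see the sample exit:", sample_exits_in("RU"))
```

Checking the PE header rather than the extension matters because the lure relies on the victim trusting the file name; the geofence list is the other half of the triage, since a sandbox whose locale or region falls in that set will report the sample as doing nothing.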
In addition to the RedLine campaign seen by Netskope, BleepingComputer noticed newer YouTube campaigns promoting a free 'Binance NFT Bot.'
However, these campaigns use rebrand.ly URLs that redirect to downloads hosted on MediaFire. According to VirusTotal, this campaign is also distributing password-stealing trojans.
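The shortener-to-file-host pattern above is worth resolving before anything is downloaded. As an added example (not from the article or from Netskope), the following Python follows a redirect chain one hop at a time with HEAD requests, never auto-following and never fetching a body, and reports the final host. The network fetch is pluggable so the block runs offline against a constructed route table; the rebrand.ly and mediafire.com URLs in that table are placeholders, not the campaign's real links.

```python
"""Resolve a shortened link hop by hop without downloading the target.

Added example, not code from the article or from Netskope. SAMPLE_ROUTES is a
constructed route table with placeholder URLs so the block runs offline.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand every 3xx back to the caller instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url: str, timeout: int = 10) -> tuple:
    """Real fetch: one HEAD request, no redirects followed; returns (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "link-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 4xx/5xx both land here
        return err.code, err.headers.get("Location")


def resolve_chain(url: str, fetch=http_head, max_hops: int = 10) -> tuple:
    """Return (list of URLs visited, final status). Relative Location headers are
    resolved against the URL that sent them; loops are cut off at max_hops."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, status
        chain.append(urljoin(chain[-1], location))
    raise RuntimeError(f"more than {max_hops} redirects starting at {url}")


def final_host(chain: list) -> str:
    """Host of the last URL in the chain, lower-cased for comparison against a watch list."""
    return urlsplit(chain[-1]).hostname.lower()


# Constructed route table standing in for the live shortener; placeholder URLs.
SAMPLE_ROUTES = {
    "https://rebrand.ly/example-bot": (301, "https://www.mediafire.com/file/EXAMPLE/bot.zip/file"),
    "https://www.mediafire.com/file/EXAMPLE/bot.zip/file": (200, None),
}

if __name__ == "__main__":
    chain, status = resolve_chain("https://rebrand.ly/example-bot", fetch=lambda u: SAMPLE_ROUTES[u])
    print(" -> ".join(chain), f"(final status {status}, host {final_host(chain)})")
```

Passing `fetch=http_head` (the default) makes the same function work against the live shortener; the HEAD-only approach means the file host sees no download from the analyst's address, and the chain is available for blocking at the proxy before anyone clicks.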
RedLine threat continues
RedLine is a very popular and potent threat in the information-stealing malware space, distributed by multiple threat actors and in a wide variety of ways.
It is currently sold to independent operators under a subscription model for $100 per month and supports the theft of login passwords and cookies from web browsers, data from chat apps, VPN credentials, and cryptocurrency wallets.
In cryptocurrency-themed campaigns such as this one, the victims often hold digital assets and cryptocurrency, making the financial damage even more significant.
One thing to always keep in mind is that the legitimacy of platforms like YouTube and GitHub does not automatically make their content trustworthy, as the upload checks and moderation procedures on these sites are lacking.
Clicking on links provided under or in videos uploaded by small, obscure YouTube channels, downloading executable files, and running them on your system is not a good idea.