Proofpoint vs. Abnormal

Threat Actors Deliver Malware via YouTube Video Game Cracks 

Share with your network!

Key takeaways 

  • Proofpoint identified multiple YouTube channels distributing malware by promoting cracked and pirated video games and related content. 
  • The video descriptions include links leading to the download of information stealers. 
  • The activity likely targets consumer users who do not have the benefits of enterprise-grade security on their home computers. 

Overview 

Threat actors often target home users because they do not have the same resources or knowledge to defend themselves from attackers compared to enterprises. While the financial gain might not be as large as attacks perpetrated on corporations, the individual victims likely still have data like credit cards, cryptocurrency wallets, and other personal identifiable information (PII) stored on their computers which can be lucrative to criminals. 

Proofpoint Emerging Threats has observed information stealer malware including Vidar, StealC, and Lumma Stealer being delivered via YouTube in the guise of pirated software and video game cracks. The videos purport to show an end user how to do things like download software or upgrade video games for free, but the link in the video descriptions leads to malware. Many of the accounts that are hosting malicious videos appear to be compromised or otherwise acquired from legitimate users, but researchers have also observed likely actor-created and controlled accounts that are active for only a few hours, created exclusively to deliver malware. Third-party researchers have previously published details on fake cracked software videos used to deliver malware. 

The distribution method is particularly notable due to the type of video games the threat actors appear to promote. Many of them appear to be targeted to younger users including games popular with children, a group that is less likely to be able to identify malicious content and risky online behaviors.  

During our investigation, Proofpoint Emerging Threats reported over two dozen accounts and videos distributing malware to YouTube, which removed the content.  

Example account 

The following is an example of a suspected compromised account (or potentially sold to a new “content creator”) used to deliver malware. Indicators of a suspected compromised or otherwise acquired account include significant gaps of time between the videos posted, content that vastly differs from previously published videos, differences in languages, and descriptions of the videos containing likely malicious links, among other indicators. 

The account has around 113,000 subscribers, and the account displays a grey check mark which indicates the account owner has met verified channel requirements including verifying their identity.  

Figure 1

Example of a verified YouTube account with a large following, suspected to be compromised. 

When Proofpoint researchers identified the account, the majority of the account’s videos had been posted one year or more previously, and all had titles written in Thai. However, when the account was identified, twelve (12) new English language videos had been posted within a 24-hour period, all related to popular video games and software cracks. All of the new video descriptions included links to malicious content. Some of the videos had over 1,000 views, possibly artificially increased by bots to make the videos seem more legitimate. 

Figure 2

Screenshot of a suspected compromised YouTube account distributing malware comparing upload dates. 

In one example, a video purported to contain a character enhancement for a popular video game with a MediaFire link in the description. The MediaFire URL led to a password-protected file (Setup_Pswrd_1234.rar) containing an executable (Setup.exe) that, if executed, downloaded and installed Vidar Stealer malware.  

The video was uploaded to the suspected compromised account seven (7) hours prior to our investigation. Around the same time the video was posted, several comments purported to attest to the legitimacy of the software crack. It is likely those accounts and comments were created by the video uploader or their collaborators to lend authenticity to the malicious link.  

Figure 3

Video description containing a MediaFire URL leading to Vidar Stealer. 

Figure 4

Comments on the video purporting to confirm the legitimacy of the URL.  

In another example from a video uploaded to a different account, the video description was more verbose. The description contained a malicious MediaFire URL also leading to Vidar Stealer, as well as some additional tips. This is a common example that includes instructions on how to disable Windows Defender or other antivirus products. The video creator promises that the “files are completely clean” which does instill a lot of trust (sarcasm)! 

Figure 5

Screenshot of a video description that includes instructions to disable antivirus. 

Empress impersonation 

Proofpoint identified multiple videos purporting to distribute Empress video game cracks. Empress is an entity who is well known in the software piracy community. In one example, a user purported to distribute cracked “League of Legends” content on the video sharing platform. The video description contained a Telegram URL that led to a post containing instructions on how to download the content, and a MediaFire URL leading to a RAR archive containing an executable. The file was named “empress.exe” to appear to come from the popular software piracy resource and appear to be “legitimate”.  

Figure 6

YouTube description advertising empress.exe. 

Figure 7

Telegram link from Empress video. 

The identified videos using the “Empress” themes contained visual instructions on how to download and install the filewhich was actually Vidar Stealer malware to make it easy for the victim to follow along. 

Malware details and C2 activity 

In all observed cases of malware distribution via YouTube videos containing MediaFire URLs to password-protected compressed executables, the .rar file was small, but the compressed payload always expanded to around 800 MB. This can indicate there is a significant amount of padding in the executable. This is a common antivirus/sandbox evasion technique as many tools will not scan large files. 

Opening the file in a hex editor confirms this assessment, as you can see a significant amount of repeating hex bytes throughout a good portion of the payload. 

Figure 8

Repeating bytes identified in a hex editor.  

Sandbox detonation reveals that the payload is Vidar. Vidar uses social media and community forums to receive command and control (C2) instructions including Telegram, Steam Community, and Tumblr. In all cases, the C2 account is created with a username or account description containing a set of alphanumeric characters followed by an IP address ending with a vertical pipe.  

In the example of the previously identified “empress.exe” file, the Steam and Telegram C2 samples both have different C2 IP destinations but have the same leading identifier “got4a”. 

Figure 9

Steam C2 profile. 

Figure 10

Telegram C2 profile. 

After the C2 IP address is retrieved, we observed standard Vidar/StealC C2 activity within three seconds. 

Figure 11

Vidar Stealer C2 check-in PCAP.  

Using social platforms for C2 can enable malware to hide in network traffic, as connections to these websites may not immediately appear suspicious.  

Discord server distribution 

Another payload distribution method via YouTube video descriptions that differs from MediaFire URLs is Discord URLs. Proofpoint observed threat actors creating and managing a Discord server that has different malware for each game. The Discord link in the video description will direct users to a Discord channel that hosts the files available for download and includes instructions on how to download and install them.  

Figure 12

YouTube Video description containing a Discord link. 

Figure 13

The link leads to a Discord post from the threat actor.  

Another post on the Discord server instructs users to disable antivirus in order to download the game cheat. 

Figure 14

Instructions on how to download a game cheat including disabling antivirus.  

There are multiple files available to download on the Discord server, and they are associated with different video games. The above post leads to “valoskin.zip” a compressed executable that leads to malware. Ultimately, the payloads on this server delivered Lumma Stealer. Here is a screenshot of some of the C2 traffic from the executables. 

Figure 15

Lumma C2 traffic – detected by Emerging Threats SID 2049836. 

Notably, the Discord server administrator appears to update the payloads every few weeks. 

Figure 15

Posts from the Discord server administrator posting when new “cheats” are released.  

Figure 17

List of “supported” games. 

Conclusion 

Proofpoint observed multiple distinct activity clusters distributing information stealers via YouTube, and does not attribute the activity to a tracked threat actor or group. The techniques used are similar, however, including the use of video descriptions to host URLs leading to malicious payloads and providing instructions on disabling antivirus, and using similar file sizes with bloating to attempt to bypass detections. Based on the similarities of the video content, payload delivery, and deception methods, Proofpoint assesses that the actors are consistently targeting non-enterprise users. 

Proofpoint does not currently have visibility on how the identified YouTube accounts may have been compromised and YouTube has been quick to remove accounts reported by the Proofpoint Research team. 

End users should be aware of the techniques used by threat actors to entice users into engaging with video game content purported to help them cheat or bypass paid functionality.  

Indicators of compromise

Indicator 

Description 

Family 

First Seen 

dd0f7e40960943820da54ef28e1ffafb 

spoofer.exe 

Lumma 

2024/03/04 

2c1e42d5e1eaf851b3b1ce14f6646a94 

Ring-1.exe 

Lumma 

2024/03/08 

e1f4c125e7ec9e784198518ade924a40 

bypasser.exe 

Lumma 

2024/02/26 

679dff0691158b5367ef511a57e7a1fc 

VALORANT.exe 

Lumma 

2024/02/26 

477a4bbb17eb966c637f1fbdb5219fbf 

setup.exe 

Vidar 

2024/02/16 

82574182bfe062e72bb750ee1e641e08 

Setup_Pswd_1234.rar 

Vidar 

2024/02/16 

associationokeo[.]shop 

C2 Domain 

Lumma 

2024/02/20 

detectordiscusser[.]shop 

C2 Domain 

Lumma 

2024/02/21 

edurestunningcrackyow[.]fun 

C2 Domain 

Lumma 

2024/03/05 

lighterepisodeheighte[.]fun 

C2 Domain 

Lumma 

2024/03/05 

pooreveningfuseor[.]pw 

C2 Domain 

Lumma 

2024/02/20 

problemregardybuiwo[.]fun 

C2 Domain 

Lumma 

2024/02/20 

sideindexfollowragelrew[.]pw 

C2 Domain 

Lumma 

2024/01/10 

technologyenterdo[.]shop 

C2 Domain 

Lumma 

2024/02/21 

turkeyunlikelyofw[.]shop 

C2 Domain 

Lumma 

2024/02/20 

hxxps://mediafire[.]com/folder/ol5512r4mova/Setup 

Payload URL 

Vidar 

2024/02/16 

hxxps://t[.]me/karl3on 

C2 URL 

Vidar 

2024/02/16 

hxxps://steamcommunity[.]com/profiles/76561199637071579 

C2 URL 

Vidar 

2024/02/16 

Emerging Threats signatures 

Vidar

2036316, 2038523, 2038524, 2049203, 2038525, 2035873, 2043334, 2033066, 2044788, 2025431, 2035911, 2029236, 2034813, 2047626, 2047627, 2044245, 2044244, 2044246, 2044249, 2044248, 2044247, 2049087, 2036667, 2033163, 2036654, 2049253, 2047625, 2044243, 2851826, 2853039, 2853038, 2842708, 2855525, 2841407, 2841237, 2841406 

Lumma

2050952, 2050957, 2050996, 2050999, 2051473, 2051480, 2051544, 2051547, 2051551, 2051555, 2051470, 2051477, 2051545, 2051548, 2051549, 2051553, 2050953, 2050958, 2050974, 2050976, 2051552, 2051556, 2050955, 2050960, 2051482, 2051483, 2049958, 2049959, 2050998, 2051001, 2050956, 2050961, 2048936