One Article Review

Home - The article:
Source: Proofpoint
Identifier 8475099
Publication date 2024-04-03 06:00:40 (viewed: 2024-04-03 09:07:31)
Title: Threat Actors Deliver Malware via YouTube Video Game Cracks
Text

Key takeaways

- Proofpoint identified multiple YouTube channels distributing malware by promoting cracked and pirated video games and related content.
- The video descriptions include links leading to the download of information stealers.
- The activity likely targets consumer users who do not have the benefits of enterprise-grade security on their home computers.

Overview

Threat actors often target home users because they do not have the same resources or knowledge to defend themselves from attackers compared to enterprises. While the financial gain might not be as large as attacks perpetrated on corporations, the individual victims likely still have data like credit cards, cryptocurrency wallets, and other personally identifiable information (PII) stored on their computers, which can be lucrative to criminals.

Proofpoint Emerging Threats has observed information stealer malware, including Vidar, StealC, and Lumma Stealer, being delivered via YouTube in the guise of pirated software and video game cracks. The videos purport to show an end user how to do things like download software or upgrade video games for free, but the link in the video descriptions leads to malware. Many of the accounts hosting malicious videos appear to be compromised or otherwise acquired from legitimate users, but researchers have also observed likely actor-created and controlled accounts that are active for only a few hours, created exclusively to deliver malware. Third-party researchers have previously published details on fake cracked software videos used to deliver malware.

The distribution method is particularly notable due to the type of video games the threat actors appear to promote. Many of them appear to be targeted at younger users, including games popular with children, a group that is less likely to be able to identify malicious content and risky online behaviors.

During our investigation, Proofpoint Emerging Threats reported over two dozen accounts and videos distributing malware to YouTube, which removed the content.

Example account

The following is an example of a suspected compromised account (or one potentially sold to a new "content creator") used to deliver malware. Indicators of a suspected compromised or otherwise acquired account include significant gaps of time between the videos posted, content that vastly differs from previously published videos, differences in languages, and video descriptions containing likely malicious links, among other indicators.

The account has around 113,000 subscribers and displays a grey check mark, which indicates the account owner has met verified channel requirements, including verifying their identity.

[Figure: Example of a verified YouTube account with a large following, suspected to be compromised.]

When Proofpoint researchers identified the account, the majority of the account's videos had been posted one year or more previously, and all had titles written in Thai. However, when the account was identified, twelve (12) new English-language videos had been posted within a 24-hour period, all related to popular video games and software cracks. All of the new video descriptions included links to malicious content. Some of the videos had over 1,000 views, possibly artificially increased by bots to make the videos seem more legitimate.

[Figure: Screenshot of a suspected compromised YouTube account distributing malware, comparing upload dates.]

In one example, a video purported to contain a character enhancement for a popular video game, with a MediaFire link in the description. The MediaFire URL led to a password-protected file (Setup_Pswrd_1234.rar) containing an executable (Setup.exe) that, if executed, downloaded and installed Vidar Stealer malware.

The video was uploaded to the suspected compromised account seven (7) hours prior to our investigation. Around the same time the video was posted, several comments purported to attest to the legitimacy of the software crack. It is likely those accounts and comments were created by the video
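The compromise indicators listed above (a long upload gap, a sudden burst of videos, a language switch, and file-hosting links in descriptions) can be turned into a simple triage heuristic over a channel's upload history. The following is an added example written for this page, not Proofpoint's tooling; the sample history is constructed to resemble the account described (old Thai-language videos, then twelve English "crack" uploads within a day), and the thresholds and the `mediafire.com` host check are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample channel history (not real data), modelled on the article's account:
# a year-old backlog of Thai-language videos, then a burst of English "crack" uploads
# whose descriptions carry file-hosting links and an archive password.
SAMPLE_VIDEOS = [
    {"uploaded": "2022-10-01T10:00", "lang": "th", "title": "รีวิวกล้อง", "description": "ขอบคุณที่รับชม"},
    {"uploaded": "2022-12-11T09:30", "lang": "th", "title": "เที่ยวเชียงใหม่", "description": "vlog"},
    {"uploaded": "2023-01-20T18:15", "lang": "th", "title": "ทำอาหาร", "description": "สูตรอาหาร"},
] + [
    {"uploaded": f"2024-03-05T{h:02d}:00", "lang": "en",
     "title": f"Game {h} FREE crack 2024",
     "description": "Download: hxxps://mediafire.com/file/EXAMPLE  password 1234"}
    for h in range(8, 20)
]

# Assumed host list: the article names MediaFire; extend for your own environment.
FILE_HOST_RE = re.compile(r"(?:https?|hxxps?)://(?:www\.)?(mediafire\.com)", re.I)
LURE_RE = re.compile(r"\b(crack(?:ed)?|free)\b", re.I)


def assess_channel(videos, gap_days=180, burst_hours=24, min_burst=5):
    """Score an upload history against the article's compromised-account indicators."""
    vids = sorted(videos, key=lambda v: datetime.fromisoformat(v["uploaded"]))
    newest = datetime.fromisoformat(vids[-1]["uploaded"])
    window = newest - timedelta(hours=burst_hours)
    # The "burst" is everything uploaded within burst_hours of the newest video.
    burst = [v for v in vids if datetime.fromisoformat(v["uploaded"]) >= window]
    older = vids[: len(vids) - len(burst)]
    gap = 0
    if older:
        gap = (datetime.fromisoformat(burst[0]["uploaded"])
               - datetime.fromisoformat(older[-1]["uploaded"])).days
    old_lang = Counter(v["lang"] for v in older).most_common(1)[0][0] if older else None
    burst_lang = Counter(v["lang"] for v in burst).most_common(1)[0][0]
    indicators = {
        "burst_size": len(burst),
        "gap_days_before_burst": gap,
        "language_switch": old_lang is not None and old_lang != burst_lang,
        "file_host_links": sum(1 for v in burst if FILE_HOST_RE.search(v["description"])),
        "lure_titles": sum(1 for v in burst if LURE_RE.search(v["title"])),
    }
    # Require several independent indicators to fire, so a single long holiday gap
    # or one link in a description does not flag a legitimate channel.
    hits = [indicators["burst_size"] >= min_burst, gap >= gap_days,
            indicators["language_switch"], indicators["file_host_links"] > 0]
    indicators["suspected_compromised"] = sum(hits) >= 3
    return indicators
```

Feed it a channel's video metadata (upload time, detected language, title, description) and review any channel the verdict flags; the individual indicator counts explain why it fired.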
Sent: Yes
Tags Malware Tool Threat


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.