Bitcoin Forum
Author Topic: RedLine malware now spreads via YouTube using NFT theme  (Read 113 times)
lovesmayfamilis (OP)
May 13, 2022, 02:32:23 PM
Merited by DdmrDdmr (3), Welsh (1)
 #1

Another piece of news from the cybersecurity community. The RedLine malware is now spreading via YouTube using the NFT theme.
As we see, everything new that becomes popular does not lose the attention of scammers. Attackers have now used the popular YouTube platform.

Quote
Researchers have uncovered a new campaign to spread the RedLine Stealer – a low-cost password stealer sold on underground forums – through a series of YouTube videos that take advantage of global interest in NFTs.

The lure is a bot’s offer to allow a user to automatically purchase Binance NFT Mystery Boxes when they become available. The bot is fake, however. Video descriptions on YouTube pages lead victims to unwittingly download RedLine Stealer from a GitHub link, according to Gustavo Palazolo, malware analyst at Netskope Threat Labs.


Quote
Hackers deploying the malware launched thousands of attacks against systems in more than 150 countries and territories in April.

RedLine allows attackers to access system information such as usernames, hardware, installed browsers, and antivirus software before exfiltrating passwords, credit cards, crypto wallets, and VPN connections to a remote command and control server.

With RedLine Stealer, hackers have the ability to extract login credentials from web browsers, FTP clients, email apps, instant messaging clients, and VPNs before selling them on underground markets.


Quote
The malware does not run, Palazolo said, if the infected computer is detected in one of these countries:

Armenia
Azerbaijan
Belarus
Kazakhstan
Kyrgyzstan
Moldova
Russia
Tajikistan
Ukraine
Uzbekistan

https://ikoku-news.com/nft/password-stealer-now-propagates-from-a-github-link-that-uses-nft-content-as-bait/

Agbe
May 13, 2022, 03:22:28 PM
 #2

Anything that trends online, mostly concerning money, fraudsters must use it or get involved to scam people. Now they have used NFTs as bait to lure people on YouTube.

Thank you very much for the information.
CryptoATM
May 13, 2022, 06:26:12 PM
 #3

Scammers and hackers are the most hardworking people I've ever known, though they choose to work hard in crime. I wish this were not the case; threats keep growing in the crypto space, and every form of security doesn't seem to be working right. Now, opening a new wallet while connected online is disturbing to the heart.
Baofeng
May 13, 2022, 07:12:19 PM
 #4

Quote
Scammers and hackers are the most hardworking people I've ever known, though they choose to work hard in crime. I wish this were not the case; threats keep growing in the crypto space, and every form of security doesn't seem to be working right. Now, opening a new wallet while connected online is disturbing to the heart.

It's because these people have no conscience whatsoever, they choose the life of crime so what do you expect?

And there could be more attacks like this in the future, as usually these criminals are going to take the latest hype and craze in crypto and use it to lure unsuspecting victims. So let this be a warning, especially for newbies.

Welsh
May 13, 2022, 07:13:01 PM
 #5

I was thinking this was just "another one of those", however what has quite interested me is the latter part. Anyone have any idea why they would not have the malicious program run if you were from one of those countries? What's the motive behind that? My first thought would have been from countries that have banned Bitcoin, and so to avoid detection they've not included those countries, although that wouldn't make much sense since they aren't countries which have banned Bitcoin.

I'm not quite wrapping my head around why they would do that. Obviously, there is an eastern bias to it.
lovesmayfamilis (OP)
May 16, 2022, 02:54:27 PM
Merited by Welsh (4)
 #6

Quote
I was thinking this was just "another one of those", however what has quite interested me is the latter part. Anyone have any idea why they would not have the malicious program run if you were from one of those countries? What's the motive behind that? My first thought would have been from countries that have banned Bitcoin, and so to avoid detection they've not included those countries, although that wouldn't make much sense since they aren't countries which have banned Bitcoin.

I'm not quite wrapping my head around why they would do that. Obviously, there is an eastern bias to it.

I remembered another stealer, which was also aimed at users in Europe and America. The first thing it did was check the IP address of the owner of the device, and only if the user was not a resident of the CIS countries did the stealer begin its harmful activity.

I would not be surprised if the developers of this malware are the same people.

https://bitcointalk.org/index.php?topic=5384035.msg59137852#msg59137852

Quote
Mars Stealer also checks if a user is based in countries historically part of the Commonwealth of Independent States, which is common for many Russian-based malware.

If the device's language ID matches Russia, Belarus, Kazakhstan, Azerbaijan, Uzbekistan, and Kazakhstan, the program will exit without performing any malicious behavior.
https://www.bleepingcomputer.com/news/security/powerful-new-oski-variant-mars-stealer-grabbing-2fas-and-crypto/

Welsh
May 16, 2022, 09:08:13 PM
 #7

That's interesting. I'm still not finding the answer to why they choose to limit who their targets are. It isn't exactly political, in the sense that their software doesn't seem tailored to a certain demographic, except for the countries, and it's a bit odd since most malicious attackers want to widen their attack surface not shrink it by a good margin.

Unless it's political, and they don't want to be doing any harm to the residents of these countries because their country is friendlier, since it's quite obviously biased to a certain eastern part of the world. I don't think it would be for reducing their chances of being found out. I don't know, I'm kind of lost on it.
TheBeardedBaby
May 16, 2022, 09:23:45 PM
 #8

Lol, interesting country filter for sure.
I guess if the developers get caught, they could be prosecuted in those countries. I don't know how the extradition laws work there. This could be the reason as well; if they bought the malware code on a dark net forum, for sure they are not so skilled and probably bad at covering their tracks.
