Topic: RedLine malware now spreads via YouTube using NFT theme

legendary
Activity: 2240
Merit: 3150
₿uy / $ell ..oeleo ;(
Lol, interesting country filter for sure.
I guess if the developers get caught, they could be prosecuted in those countries. I don't know how the extradition laws are working there. This could be the reason as well; if they bought the malware code on a dark net forum, for sure they are not so skilled and probably bad at covering tracks.
staff
Activity: 3304
Merit: 4115
That's interesting. I'm still not finding the answer to why they choose to limit who their targets are. It isn't exactly political, in the sense that their software doesn't seem tailored to a certain demographic, except for the countries, and it's a bit odd since most malicious attackers want to widen their attack surface not shrink it by a good margin.

Unless it's political, and they don't want to be doing any harm to the residents of these countries because their country is friendlier, since it's quite obviously biased to a certain eastern part of the world. I don't think it would be for reducing their chances of being found out. I don't know, I'm kind of lost on it.
legendary
Activity: 2072
Merit: 4265
✿♥‿♥✿
Quote
I was thinking this was just "another one of those", however what has quite interested me is the latter part. Anyone have any idea why they would not have the malicious program run if you were from one of those countries? What's the motive behind that? My first thought would have been from countries that have banned Bitcoin, and so to avoid detection they've not included those countries, although that wouldn't make much sense since they aren't countries which have banned Bitcoin.

I'm not quite wrapping my head around why they would do that. Obviously, an eastern bias to it.

I remembered another stealer, which was also aimed at users in Europe and America. The first thing he did was check the IP address of the owner of the device, and if the user was not a resident of the CIS countries, only then did the stealer begin its harmful activity.

I would not be surprised if the developers of this malware are the same people.

https://bitcointalksearch.org/topic/m.59137852

Quote
Mars Stealer also checks if a user is based in countries historically part of the Commonwealth of Independent States, which is common for many Russian-based malware.

If the device's language ID matches Russia, Belarus, Kazakhstan, Azerbaijan, Uzbekistan, and Kazakhstan, the program will exit without performing any malicious behavior.
https://www.bleepingcomputer.com/news/security/powerful-new-oski-variant-mars-stealer-grabbing-2fas-and-crypto/
staff
Activity: 3304
Merit: 4115
I was thinking this was just "another one of those", however what has quite interested me is the latter part. Anyone have any idea why they would not have the malicious program run if you were from one of those countries? What's the motive behind that? My first thought would have been from countries that have banned Bitcoin, and so to avoid detection they've not included those countries, although that wouldn't make much sense since they aren't countries which have banned Bitcoin.

I'm not quite wrapping my head around why they would do that. Obviously, an eastern bias to it.
legendary
Activity: 2576
Merit: 1655
Quote
Scammers and hackers are the most hardworking people I've ever known, though they choose to work hard in crime. I wish this were not the case; threats keep growing in the crypto space and every form of security doesn't seem to be working right. Now, opening a new wallet while connected online is disturbing to the heart.

It's because these people have no conscience whatsoever, they choose the life of crime so what do you expect?

And there could be more attacks like this in the future, as usually these criminals are going to take the latest hype and craze in crypto and use it to lure unsuspecting victims. So let this be a warning, especially for newbies.
member
Activity: 368
Merit: 15
Scammers and hackers are the most hardworking people I've ever known, though they choose to work hard in crime. I wish this were not the case; threats keep growing in the crypto space and every form of security doesn't seem to be working right. Now, opening a new wallet while connected online is disturbing to the heart.
legendary
Activity: 1022
Merit: 1341
Anything that trends online, mostly concerning money, fraudsters will use or get involved in to scam people. Now they have used NFTs as bait to lure people on YouTube.

Thank you very much for the information.
legendary
Activity: 2072
Merit: 4265
✿♥‿♥✿
Another piece of news from the cybersecurity community. The RedLine malware is now spreading via YouTube using the NFT theme.
As we see, everything new that becomes popular does not lose the attention of scammers. Attackers have now used the popular YouTube platform.

Quote
Researchers have uncovered a new campaign to spread the RedLine Stealer – a low-cost password stealer sold on underground forums – through a series of YouTube videos that take advantage of global interest in NFTs.

The lure is a bot’s offer to allow a user to automatically purchase Binance NFT Mystery Boxes when they become available. The bot is fake, however. Video descriptions on YouTube pages lead victims to unwittingly download RedLine Stealer from a GitHub link, according to Gustavo Palazolo, malware analyst at Netskope Threat Labs.


Quote
Hackers deploying the malware launched thousands of attacks against systems in more than 150 countries and territories in April.

RedLine allows attackers to access system information such as usernames, hardware, installed browsers, and antivirus software before exfiltrating passwords, credit cards, crypto wallets, and VPN connections to a remote command and control server.

With RedLine Stealer, hackers have the ability to extract login credentials from web browsers, FTP clients, email apps, instant messaging clients, and VPNs before selling them on underground markets.


Quote
The malware does not run, Palazolo said, if the infected computer is detected in one of these countries:

Armenia
Azerbaijan
Belarus
Kazakhstan
Kyrgyzstan
Moldova
Russia
Tajikistan
Ukraine
Uzbekistan

https://ikoku-news.com/nft/password-stealer-now-propagates-from-a-github-link-that-uses-nft-content-as-bait/