Korean security analysts have discovered a malware distribution campaign that uses Valorant cheat lures on YouTube to trick players into downloading RedLine, a powerful information stealer.
This kind of abuse is quite common, as threat actors find it easy to bypass YouTube's review of new content submissions or to create new accounts when reported and blocked.
The campaign spotted by ASEC targets the gaming community of Valorant, a free first-person shooter for Windows, with videos whose descriptions carry a link to download an auto-targeting bot.
Video promoting fake auto-aiming bot (ASEC)
These cheats are allegedly add-ons installed in the game to help the players target enemies with speed and precision and win headshots without demonstrating any skill.
Auto-aim bots are highly sought after for popular multiplayer games like Valorant because they allow effortless progression in the rankings.
Dropping RedLine
Users who try to download the file in the video description are taken to an anonfiles page where they get a RAR archive that contains an executable file called “Cheat installer.exe”.
This file is actually a copy of RedLine stealer, one of the most widely used password-stealing malware infections, which steals the following data from infected systems:
Basic information: computer name, username, IP address, Windows version, system information (CPU, GPU, RAM, etc.) and list of processes
Web browsers: passwords, credit card numbers, autofill forms, bookmarks and cookies, from Chrome, Chrome-based browsers and Firefox
Cryptocurrency wallets: Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash and Jaxx
VPN clients: ProtonVPN, OpenVPN and NordVPN
Other: FileZilla (host address, port number, username and passwords), Minecraft (account information, level, rank), Steam (client session), Discord (token information)
After collecting this information, RedLine neatly packs it into a ZIP archive called “().zip” and exfiltrates the files via a WebHook API POST request to a Discord server.
Exfiltrate Stolen Information via Discord WebHook (ASEC)
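The exfiltration step described above (a POST carrying a ZIP archive to a Discord webhook, shortly after an archive is fetched from a file host) is something a defender can look for in outbound web-proxy logs. The following is an added example, not code from ASEC, BleepingComputer or the RedLine sample; the log line format, the sample entries, the host list, the size threshold and the correlation window are all assumptions made for this illustration. Legitimate software also posts to Discord webhooks, so the check treats a bare webhook POST as medium severity and only raises it to high when the same client downloaded an archive from a lure host shortly before.

```python
"""Flag RedLine-style exfiltration over Discord webhooks in web-proxy logs.

Added example (not from the ASEC report). Assumed proxy log format:
    <ISO timestamp> <client ip> <method> <url> <content-type> <bytes sent>
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<ctype>\S+) (?P<bytes>\d+)$"
)

# Assumption: webhook endpoints live under these Discord hostnames.
WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}
# File host named in the article; extend with others seen in your environment.
LURE_HOSTS = {"anonfiles.com"}
ARCHIVE_SUFFIXES = (".rar", ".zip", ".7z")


@dataclass
class Event:
    ts: datetime
    client: str
    method: str
    host: str
    path: str
    ctype: str
    nbytes: int


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = urlparse(m["url"])
    return Event(datetime.fromisoformat(m["ts"]), m["client"], m["method"],
                 (u.hostname or "").lower(), u.path, m["ctype"].lower(),
                 int(m["bytes"]))


def is_webhook_upload(ev, min_bytes=50_000):
    """POST to /api/webhooks/<id>/<token> carrying a file body (multipart or large)."""
    return (ev.method == "POST" and ev.host in WEBHOOK_HOSTS
            and ev.path.startswith("/api/webhooks/")
            and (ev.ctype.startswith("multipart/form-data") or ev.nbytes >= min_bytes))


def is_archive_download(ev):
    """GET of an archive from a known lure/file-sharing host."""
    return (ev.method == "GET" and ev.host in LURE_HOSTS
            and ev.path.lower().endswith(ARCHIVE_SUFFIXES))


def find_exfil(lines, window=timedelta(hours=1)):
    """Return alerts for webhook uploads; severity rises if the client fetched an
    archive from a lure host within `window` before the upload."""
    events = [e for e in map(parse_line, lines) if e]
    downloads = {}  # client ip -> timestamps of archive downloads
    for e in events:
        if is_archive_download(e):
            downloads.setdefault(e.client, []).append(e.ts)
    alerts = []
    for e in events:
        if not is_webhook_upload(e):
            continue
        prior = [t for t in downloads.get(e.client, [])
                 if timedelta(0) <= e.ts - t <= window]
        alerts.append({"client": e.client, "ts": e.ts.isoformat(),
                       "bytes": e.nbytes,
                       "severity": "high" if prior else "medium"})
    return alerts


# Constructed sample log: webhook ids/tokens are placeholders, not real values.
SAMPLE_LOG = [
    "2022-03-14T10:01:05 10.0.0.7 GET https://anonfiles.com/x1y2z3/Cheat_installer.rar application/octet-stream 0",
    "2022-03-14T10:03:40 10.0.0.7 POST https://discord.com/api/webhooks/000000000000/PLACEHOLDER_TOKEN multipart/form-data;boundary=xyz 348211",
    "2022-03-14T10:05:00 10.0.0.9 POST https://discord.com/api/webhooks/000000000001/PLACEHOLDER_TOKEN application/json 412",
    "2022-03-14T13:30:00 10.0.0.12 POST https://discord.com/api/webhooks/000000000002/PLACEHOLDER_TOKEN multipart/form-data 98000",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for alert in find_exfil(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields two alerts: the 10.0.0.7 upload is rated high because the same client fetched a .rar from anonfiles.com two and a half minutes earlier, while the 10.0.0.12 upload is rated medium; the small JSON POST from 10.0.0.9 (an ordinary chat-message webhook call) is not flagged.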
Don’t trust links in YouTube videos
Aside from the fact that video game cheating takes the fun out of playing and ruins the game for others, it always carries a potentially serious security risk.
None of these cheat tools are written by trustworthy entities, none are digitally signed (so AV warnings will definitely be ignored), and many are indeed malware.
ASEC’s report includes a recent example, but that’s just a drop in the sea of malicious download links among YouTube videos promoting various types of free software.
The videos promoting these tools are often stolen from elsewhere and reposted on new channels by malicious users to act as bait.
Even if the comments below these videos praise the uploader and claim that the tool works as promised, they should not be trusted as they can be easily faked.
This post, "Fake Valorant cheats on YouTube infect you with RedLine stealer", was originally published at https://www.bleepingcomputer.com/news/security/fake-valorant-cheats-on-youtube-infect-you-with-redline-stealer/