Cybersecurity specialists discovered a new campaign to distribute the Russian malware RedLine Stealer on YouTube.
The malware is advertised as a bot for buying Binance NFT mystery boxes, but what victims actually download onto their systems is not a bot at all, but the data-stealing malware.
Mystery boxes with NFTs are similar to game loot boxes: each such virtual box contains non-fungible tokens of varying degrees of rarity, and people buy them in the hope of getting a unique or rare item at a low price.
Let me remind you that we also wrote that Raspberry Robin Malware Has Worm Features and Abuses Windows Installer, and that New Bumblebee Malware Downloader Became a Replacement for BazarLoader for Hackers.
Platforms like Binance offer mystery boxes in limited quantities, which further fuels demand and makes some boxes hard to obtain. Interested buyers therefore often use bots to purchase them, and it is this trend that the attackers are now exploiting.
According to a Netskope report, the attackers create YouTube videos about Binance mystery boxes and the bots used to buy them, and promote the malware as a free scalper bot.
Bleeping Computer notes that some of the criminals' videos are still available on YouTube, although they do not have many views. The more popular scam videos have perhaps already been removed by YouTube moderators.
In the report, the researchers write that the attackers uploaded such videos between March and April 2022, and that the description of every video contained a link to a GitHub repository. The scammers claimed this was the download link for the bot, while in fact only the well-known RedLine Stealer malware was waiting for gullible users at that link.
It is noted that in this campaign the malware is configured to terminate its attack if it is launched on a computer located in Russia, Ukraine, Belarus, Armenia, Azerbaijan, Kazakhstan, Moldova, Uzbekistan, Tajikistan or Kyrgyzstan.
Let me remind you that RedLine Stealer was first discovered back in March 2020. The malware is capable of extracting credentials from browsers, FTP clients, email clients, instant messengers, and VPNs. In addition, it can steal authentication cookies and card numbers stored in browsers, chat logs, local files, and cryptocurrency wallet databases.
RedLine Stealer is currently on sale on the dark web, with a monthly subscription costing $100.