Redline stealer targets gamers through YouTube

A malicious bundle, distributed as a single installation file, self-extracting archive, or other file with installer-type functionality, recently caught our attention.

Its primary payload is the widely used RedLine stealer.

RedLine, discovered in March 2020, is currently one of the most common Trojans used to steal passwords and credentials from browsers, FTP clients, and desktop messengers.

It is freely available on underground hacker forums for a few hundred dollars, which is a relatively low price for malware.

The stealer can collect usernames, passwords, cookies, bank card details, and autofill data from Chromium- and Gecko-based browsers; data from cryptowallets, instant messengers, and FTP/SSH/VPN clients; and files with specific extensions from infected devices. The download.exe file is 35 MB in size.

It is a NodeJS interpreter glued together with the main application’s scripts and dependencies.

One of the batch files executes the nir.exe utility, which allows the malicious executables to run without displaying any windows or taskbar icons.

MakiseKurisu.exe is a password stealer written in C# and customised to the creators’ needs.