How YouTubers get Hacked: Redline Stealer

Captions
So how do YouTubers get hacked? Well, we'll find out today, because they tried to hack me. Unfortunately for them, however, I'm a threat researcher, so we'll be analyzing their hacks instead, and hopefully this will help you figure out how to not get hacked. This is Leo and you're watching The PC Security Channel.

As you can imagine, I get a ton of junk email. Mostly I just ignore it and move on with my life, but this time I decided to play along just to see what would happen. So here's one that is obviously a scam, because if you look at the email address, socialpointdragoncity@gmail.com, this is clearly not a company email address and that's not a proper sponsor email. "Hello, we want to make a promotional video on your YouTube channel for your pre-roll lasting 60 seconds." So already, red flags there: bad English. "Our official website: dragoncitygame.com." And if you notice, this is not the domain of the email, so even if this is a legitimate game, that does not mean that the email is a legitimate inquiry for sponsorship. "Read the contract for details," a short Dropbox link. Before that though, I just want to say that this was not the original email. Their original email is very short, it doesn't have any links; when you respond to it you get the real deal. So yeah, there's a Dropbox link, "format PC", I guess that means you're supposed to open it on a PC because that's where the malware is going to work, and there's a password on the archive. And as we'll go over the file itself, you will see that it's very, very dangerous. Major disclaimer: do not do this at home, guys, you will be hacked and nasty things will happen.

So we've got a promo contract.zip downloaded. Open archive: you can see five different EXEs, each of them saying things like "apps for YouTube integration", "price for integration from 2 million to 10 million subscribers", "price for 100,000 to 2 million subscribers". That's me, so I guess we're supposed to download this one, I mean extract. And at this point you might think, well, who's going to open this EXE for a contract? That's stupid, like of course the contract would be a Word document or a text file or PDF and not an EXE. You would expect your typical antivirus to kick in and say, well, this is malware, and remove it. But the reason that may not happen is because this file is 750 megabytes in size. This is massive. No antivirus is going to scan a file this big, and guess what, you can't analyze it online either. So let's say you're a wary user and you're like, no, I really want the sponsorship deal, but you know what, I'm going to double check this file on VirusTotal because I don't want to get malware or something like that. So I'm just going to drop it here. Guess what: 650 megabytes is the maximum size of a file that you can upload to VirusTotal, so I suspect that is kind of the reason it chose 750 megabytes and not 650 or 649.

So what do we do about this? How do we know if this is a safe application that's going to open up an app on our desktop? Maybe it's got the game packed in, maybe that's why it's a big application. And for that we're going to have to do some malware analysis. So to start off we're going to use PeStudio Pro. I'm just going to open it up in PeStudio and we'll drag and drop this file. So we can see already that this is a file that's coded in Visual C#, the description is "document", it's a 32-bit executable. Right away there are 38 indicators, but none of these are really like sure-shot indicators, maybe apart from something like this, this is pretty obvious here. Other than that we can't really see a lot. We can't look at the VirusTotal analysis, we can't really do a MITRE analysis either, and that's because of this massive file size. Why is this file so huge? So this file has an overlay. It seems to be quite compressed; the first bytes are all zeros. I suspect what we're gonna find, surprise surprise, is that this file is mostly empty space that's just been crammed in there to increase the file size artificially, and the way we're going to deal with that is we're going to open this in a hex editor.

So I'm just going to open x64, just gonna load this file in here. And so it starts off like a normal EXE would, you've got the, you know, stub over there, but as we scroll down, guess what, there's nothing, it's just zeros, it's blank information. And then if we go all the way to the very end, we've got some information there too. All the bits of zeros are in the middle, so you've got this entire segment that's just zeros. But I do want to do an in-depth analysis of this and actually find out what type of malware this is, how is it going to hack your YouTube. We can't figure that out yet; we're going to have to make this file smaller. So all I have to do, look, this is really advanced stuff here, okay, malware authors hate this secret trick, and that's going to be just clicking here, pressing Shift, going all the way to the bottom of the file and then selecting everything and then pressing the Delete button on the keyboard. And it says "this operation changes the file size, do you want to proceed?" and we're gonna OK that, and boom. And now I think we're at a point where, yeah, most of the zeros are gone, and we'll just give it a name, real contract.exe, and we're just gonna export it to desktop. And now we have our real contract. If we click on properties, as you can see, this is only now 142 kilobytes. Huh. So we went from 750 megabytes to 142 kilobytes just by removing blank space, and now we're ready to upload this to Intezer for analysis. By the way, this video is sponsored by them; they're an amazing threat analysis platform, so check them out. But we're just going to select our file here and it is going to analyze it. It may take a minute, but soon we're going to see some results, and already, as you can see, we've got a code gene match of about forty percent with some other malware. This is also going to execute it dynamically in a sandbox and that's going to give us some more insights, but already you can tell this is malware and it's been flagged. But I do want to go more in depth and figure out what exactly it does, so we're going to wait for the dynamic execution to complete.

All right, it seems like the dynamic execution is complete. As you can see, we've got a ton of processes in memory. Oh, this is lovely, we can directly look at the TTPs, and these are the tactics and techniques that it uses. So the obvious one here for defense evasion is process injection; it uses process hollowing. Everything we're seeing here are classic techniques, how malware tries to evade detection from things like antivirus programs or Windows Defender, which is why I kind of insist on behavioral protection every time I make a video on this channel. Now if we take a look at some of the things in memory, you can see that we've got the actual payload which is being extracted at this step, and this is a RedLine Stealer. Ta-da, there you go, no wonder. So that explains how they would hack your YouTube account, or the whole purpose of sending these emails to YouTubers. Essentially you have an infostealer component within this malware package that's going to run on your system, and when you log into YouTube next it's just going to steal all your credentials, and some of these stealers can actually even steal your 2FA credentials. All you have to do is do a full login, and they probably have a script in there that's going to delete your cookies and force you to log into YouTube yourself. It's going to appear normal to you, "maybe it's just been too long and I need to re-log into YouTube," and then the moment you go through that process they're going to be able to get that information using the stealer from your computer and hack into your account. So this is definitely a very dangerous threat and one of the ways in which some of the YouTubers they've seen being compromised were probably compromised. Another thing to note is, if we go back to our system and open this up in PeStudio again, if we look at the file header you'll see that we've got a very recent compiler timestamp. This is only from January 20th, this Thursday, so this file was compiled very recently. It shows that the attackers are active and they created this specifically for the campaign that sent me the email.

So watch out for this sort of stuff. Um, it doesn't only happen to YouTubers, of course; you could be a victim of this, you could be attacked by the same stuff. Be wary of EXE files that look like other files: just because something looks like a Word document doesn't mean it is. And also, if something is 715 megabytes there's a good chance it's going to bypass your antivirus defenses, especially if you're using just some random crap free AV or Windows Defender. So a good reason to think about your security if you're purely relying on signature-based defenses. But I hope you found this video helpful. Please share it, because I think there are a lot of people who just don't understand how this works and might fall for such attacks. Show this video to your friends who may not be as tech savvy and spread the word. Don't forget to like and subscribe if you enjoyed this analysis; let me know if you'd like to see more videos like this in the future. And of course a big thank you to our sponsors, Intezer Analyze. If you want to do your own analysis or just check out something suspicious on your system, Intezer Analyze is a great way to do it. You can check them out at analyze.intezer.com and you can sign up for a free community account. Thank you all so much for watching, this is Leo, and as always, stay informed, stay secure.
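The null-padding trick from the captions (a 750 MB executable whose overlay is almost entirely zero bytes, sized to dodge scanner upload limits) and the hex-editor trim that recovers the real 142 KB file, as an added Python example that is not from the video or from The PC Security Channel. It parses the PE section table to find where the overlay begins, measures how much of the file is long runs of nulls, and strips only those runs so headers and sections stay intact. The one-section PE skeleton, the `PAYLOAD-*` markers and the 90 % threshold are constructed assumptions for the demonstration.

```python
import re
import struct

def pe_section_end(data: bytes) -> int:
    """Offset where the last PE section's raw data ends; bytes after it are overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table (40-byte entries)
    end = table + 40 * num_sections
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def triage_padding(data: bytes, min_run: int = 1 << 20) -> dict:
    """Measure null runs of at least min_run bytes in the overlay (the bloated-file trick)."""
    overlay = data[pe_section_end(data):]
    padded = sum(len(m.group()) for m in re.finditer(rb"\x00{%d,}" % min_run, overlay))
    ratio = padded / len(data)
    return {"file_size": len(data), "overlay_size": len(overlay),
            "null_padding": padded, "padding_ratio": ratio,
            "suspicious": ratio > 0.9}                    # assumed heuristic threshold

def strip_null_padding(data: bytes, min_run: int = 1 << 20) -> bytes:
    """Drop the long null runs from the overlay only; headers and sections are kept."""
    start = pe_section_end(data)
    return data[:start] + re.sub(rb"\x00{%d,}" % min_run, b"", data[start:])

def build_padded_sample(padding: int) -> bytes:
    """Constructed stand-in for the bloated exe: a minimal one-section PE skeleton,
    then an overlay of marker, `padding` null bytes, marker (the data kept at the tail)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)     # 1 section, no optional header
    section = (b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x10, 0x80)
               + b"\0" * 16)                                        # raw data at 0x80, 16 bytes
    return (dos + b"PE\0\0" + coff + section + b"\xCC" * 16
            + b"PAYLOAD-HEAD" + b"\0" * padding + b"PAYLOAD-TAIL")

if __name__ == "__main__":
    sample = build_padded_sample(4 << 20)                 # 4 MiB of constructed padding
    print(triage_padding(sample))
    print(len(sample), "->", len(strip_null_padding(sample)), "bytes after stripping")
```

Run against a real file, `triage_padding` gives a scanner-independent signal (overlay almost all nulls) that a submission-size limit would otherwise hide.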
Info
Channel: The PC Security Channel
Views: 395,828
Keywords: The PC Security Channel, TPSC, cybersecurity, cyber security, computer security, internet security, antivirus, anti malware, ransomware, trojan, virus, PUP, best antivirus, best internet security, learn cybersecurity, hacking, hack, security, technology, cyber insurance, cybersecurity degree, EDR, SIEM, best EDR, AI, How YouTubers get hacked, YouTube hacked, YouTube channel hacked, Redline Stealer, Social media hacked, Instagram hacked
Id: 5FzsM3V5xRo
Length: 10min 0sec (600 seconds)
Published: Wed Feb 02 2022