A new RedLine malware distribution campaign promotes fake Binance NFT mystery box bots on YouTube to lure people into infecting themselves with the information-stealing malware from GitHub repositories.
Binance mystery boxes are sets of random non-fungible token (NFT) items that people buy, hoping they’ll receive a unique or rare item at a bargain price. Some of the NFTs found in these boxes can be used to add rare cosmetics or personas within online blockchain games.
Mystery boxes are trendy in the NFT market because they give people the joy of the unknown and the potential for a big payday if they land a rare NFT. However, marketplaces like Binance offer them in limited numbers, making some boxes hard to get before they run out of stock.
This is why interested buyers often deploy “bots” to acquire them, and it’s precisely this hot trend that the threat actors are trying to take advantage of.
YouTube and GitHub abuse
According to a new report by Netskope, threat actors are creating YouTube videos to entice potential victims into downloading and installing the malware on their computer, thinking they’re getting a free mystery box scalper bot.
BleepingComputer confirmed that the videos listed in the indicators of compromise are still available on YouTube, albeit having a low number of views.
There likely are many more than those spotted by Netskope, and it’s also possible that previous scam videos with a higher number of views were reported and taken down by YouTube moderators.
The threat actors uploaded the videos between March and April 2022, and they all feature a link to a GitHub repository that supposedly hosts the bot but, in reality, distributes RedLine.
The name of the dropped file is “BinanceNFT.bot_v1.3.zip”, containing a similarly-named executable, which is the payload, a Visual C++ installer, and a README.txt file.
RedLine requires the VC redistributable installer to run since the program is developed in .NET, while the text file contains the installation instructions for the victim.