Fake Binance NFT Mystery Box bots steal victim’s crypto wallets

GB Master Kung Mystery Box
Source: ITAMGamesInc

A new RedLine malware distribution campaign promotes fake Binance NFT mystery box bots on YouTube to lure people into infecting themselves with the information-stealing malware from GitHub repositories.

Binance mystery boxes are sets of random non-fungible token (NFT) items that people buy, hoping they’ll receive a unique or rare item at a bargain price. Some of the NFTs found in these boxes can be used to add rare cosmetics or personas within online blockchain games.

Mystery boxes are trendy in the NFT market because they give people the joy of the unknown and the potential for a big payday if they land a rare NFT. However, marketplaces like Binance offer them in limited numbers, making some boxes hard to get before they run out of stock.

This is why interested buyers often deploy “bots” to acquire them, and it’s precisely this hot trend that the threat actors are trying to take advantage of.

YouTube and GitHub abuse

According to a new report by Netskope, threat actors are creating YouTube videos to entice potential victims into downloading and installing the malware on their computer, thinking they’re getting a free mystery box scalper bot.

Malicious YouTube videos
Malicious YouTube videos (Netskope)

BleepingComputer confirmed that the videos listed in the indicators of compromise are still available on YouTube, albeit having a low number of views. 

There likely are many more than those spotted by Netskope, and it’s also possible that previous scam videos with a higher number of views were reported and taken down by YouTube moderators.

The threat actors uploaded the videos between March and April 2022, and they all feature a link to a GitHub repository that supposedly hosts the bot but, in reality, distributes RedLine.

Video description leading to a GitHub download
Video description leading to a GitHub download (Netskope)

The name of the dropped file is “BinanceNFT.bot_v1.3.zip”, containing a similarly-named executable, which is the payload, a Visual C++ installer, and a README.txt file.

Files contained in the dropped ZIP archive
Files contained in the dropped ZIP 

RedLine requires the VC redistributable installer to run since the program is developed in .NET, while the text file contains the installation instructions for the victim.

Readme file instructions
Readme file…