Fake Binance NFT Mystery Box bots steal victim’s crypto wallets

Source: ITAMGames Inc.

A new RedLine malware distribution campaign is promoting fake Binance NFT mystery box bots on YouTube to lure people into downloading the info-stealing malware from GitHub repositories.

Binance Mystery Boxes are sets of random non-fungible tokens (NFTs) that people buy, hoping they will receive a unique or rare item at a bargain price. Some of the NFTs found in these boxes can be used to add cosmetics or unlock rare characters in online blockchain games.

Mystery boxes are all the rage in the NFT market because they give people the joy of the unknown and the potential for a big payday if they land a rare NFT. However, marketplaces like Binance offer them in limited numbers, making some boxes hard to get before they run out of stock.

That’s why interested buyers often deploy “bots” to acquire them, and it’s precisely this hot trend that threat actors are trying to take advantage of.

Abuse of YouTube and GitHub

According to a new report from Netskope, threat actors create YouTube videos to trick potential victims into downloading and installing the malware on their computers, thinking they are getting a free mystery box scalping bot.

Malicious YouTube videos (Netskope)

BleepingComputer has confirmed that the videos listed in the indicators of compromise are still available on YouTube, despite having a low number of views.

There are likely many more than those spotted by Netskope, and it’s also possible that previous fraudulent videos with higher views have been flagged and removed by YouTube moderators.

The threat actors uploaded the videos between March and April 2022, and they all feature a link to a GitHub repository that supposedly hosts the bot but, in reality, distributes RedLine.

Description of the video leading to a GitHub download (Netskope)

The downloaded archive is named “BinanceNFT.bot_v1.3.zip” and contains an executable of the same name, which is the payload, along with a Visual C++ redistributable installer and a README.txt file.

Files contained in the deposited ZIP archive

The README tells the victim to run the bundled Visual C++ redistributable installer before launching the “bot” (RedLine itself is written in .NET), and the rest of the text file walks the victim through installing and starting the payload.
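Before running anything from an archive like this, a practitioner would inventory it without extracting it to disk: list every member, hash it for a VirusTotal lookup, and flag anything that is an executable by extension or by its MZ header regardless of what the README promises. The following Python script is an added example for this article, not code from Netskope or BleepingComputer. The archive it inspects is constructed in memory to mirror the described contents; the payload name follows the article, while the redistributable's file name (VC_redist.x64.exe) and the README text are assumptions.

```python
import hashlib
import io
import zipfile

# Extensions that should never appear in a "bot" download you intend to trust blindly.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".msi", ".js", ".vbs"}
REDIRECT_SAFE = True  # placeholder flag, unused; kept to document intent of no-extract triage


def build_sample_archive() -> bytes:
    """Constructed stand-in for the lure ZIP (not the real sample).

    Payload name is from the article; the installer name and README text are assumed.
    """
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 64  # MZ/PE magic only, no real code
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("BinanceNFT.bot_v1.3.exe", fake_pe)
        zf.writestr("VC_redist.x64.exe", fake_pe)  # assumed file name
        zf.writestr("README.txt", b"1. Install VC_redist.x64.exe\n2. Run BinanceNFT.bot_v1.3.exe\n")
    return buf.getvalue()


def _extension(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def triage_archive(data: bytes) -> list[dict]:
    """Describe every member of a ZIP held in memory; nothing is written to disk."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            parts = info.filename.split("/")
            report.append({
                "name": info.filename,
                "size": info.file_size,
                "sha256": hashlib.sha256(content).hexdigest(),  # submit to VirusTotal instead of the file
                "exec_ext": _extension(info.filename) in EXECUTABLE_EXTS,
                "mz_header": content[:2] == b"MZ",  # PE magic, catches renamed executables
                "unsafe_path": info.filename.startswith("/") or ".." in parts,  # zip-slip style names
            })
    return report


def flagged(report: list[dict]) -> list[str]:
    """Names of members that are executables or carry an unsafe path."""
    return [r["name"] for r in report if r["exec_ext"] or r["mz_header"] or r["unsafe_path"]]


if __name__ == "__main__":
    rep = triage_archive(build_sample_archive())
    for r in rep:
        print(f'{r["name"]:28} {r["size"]:6d}  exec={r["exec_ext"]}  MZ={r["mz_header"]}  {r["sha256"][:16]}...')
    print("flagged:", flagged(rep))
```

The `mz_header` check matters more than the extension check: a payload shipped as “bot.dat” with instructions to rename it would still show up. The hashes can be looked up on VirusTotal without ever uploading or executing the sample.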

Readme file instructions (Netskope)

In this campaign, RedLine was configured to exit if it detected the host's country as Russia, Ukraine, Belarus, Armenia, Azerbaijan, Kazakhstan, Moldova, Uzbekistan, Tajikistan or Kyrgyzstan.

In addition to the RedLine campaign seen by Netskope, BleepingComputer noticed new YouTube campaigns promoting a free “Binance NFT Bot”.

New Binance NFT bot scams on YouTube (BleepingComputer)

These campaigns instead use rebrand.ly short links that redirect to files hosted on MediaFire. According to VirusTotal, the downloads in this campaign are also password-stealing trojans.
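A shortened link hides where the download actually lives, so the practitioner's check is to expand the redirect chain hop by hop with HEAD requests, without fetching the file. The Python below is an added example for this article, not code from either campaign or from BleepingComputer. It records each hop, caps the hop count, detects loops, and accepts an injectable `head` function so the chain can be exercised offline; the `short.example` / `files.example` chain it demonstrates is constructed and does not represent any real rebrand.ly or MediaFire URL.

```python
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from silently following redirects so each hop can be recorded."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_live(url: str, timeout: float = 10.0):
    """HEAD one URL on the network; return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:  # 3xx surfaces here because we refused to follow it
        return err.code, err.headers.get("Location")


def expand_chain(url: str, head=head_live, max_hops: int = MAX_HOPS):
    """Follow redirects manually. Returns (list of URLs visited, final status)."""
    chain = [url]
    current = url
    for _ in range(max_hops):
        status, location = head(current)
        if status not in REDIRECT_CODES or not location:
            return chain, status
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in chain:
            raise RuntimeError(f"redirect loop at {nxt}")
        chain.append(nxt)
        current = nxt
    raise RuntimeError(f"redirect chain exceeded {max_hops} hops")


def hosts(chain: list[str]) -> list[str]:
    """Distinct hostnames in order of appearance, for a quick look at who is involved."""
    seen = []
    for u in chain:
        h = urlsplit(u).hostname or ""
        if h not in seen:
            seen.append(h)
    return seen


# Constructed offline stand-in for a shortener -> file host chain (example domains only).
FAKE_CHAIN = {
    "https://short.example/abc123": (301, "https://go.example/r?id=abc123"),
    "https://go.example/r?id=abc123": (302, "/dl/BinanceNFT.bot_v1.3.zip"),
    "https://go.example/dl/BinanceNFT.bot_v1.3.zip": (307, "https://files.example/f/BinanceNFT.bot_v1.3.zip"),
    "https://files.example/f/BinanceNFT.bot_v1.3.zip": (200, None),
}


def fake_head(url: str):
    return FAKE_CHAIN[url]


if __name__ == "__main__":
    chain, status = expand_chain("https://short.example/abc123", head=fake_head)
    print(f"final status {status}; hops: {len(chain) - 1}")
    for u in chain:
        print("  ", u)
    print("hosts:", hosts(chain))
```

Expanding the chain is safe because a HEAD request never transfers the payload body; the final URL and host list are what you compare against the sites the video claims to link to.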

The RedLine threat continues

RedLine is a very popular and powerful threat in the information-stealing malware space, distributed by multiple threat actors and in different ways.

It is currently sold to independent operators under a subscription model for $100 per month and supports stealing login credentials and cookies from web browsers, chat app data, VPN credentials, and cryptocurrency wallets.

In cryptocurrency-themed campaigns, like this one, victims typically own digital assets and cryptocurrency, making the financial damage even greater.

One thing to always keep in mind is that the legitimacy of platforms like YouTube and GitHub does not automatically make the content hosted there trustworthy, as upload checks and moderation on these sites are limited.

Clicking links posted under videos from small, obscure YouTube channels, then downloading executable files from them and running them on your system, is never a good idea.
