How YouTubers get Hacked: Redline Stealer

  • Published 1 Oct 2024
  • A lot of large TH-cam channels were hacked recently to post crypto scams. They tried to hack me too with a 715 MB Redline Stealer. Here's the full story.
    Video sponsor: Intezer. Check out analyze.inteze...
    --
    Buy the best antivirus: thepcsecurityc...
    Contact us for a cybersecurity audit/test of your business: tpsc.tech/
    Sponsor: thepcsecurityc...
  • Science & Technology

Comments • 775

  • @randallvargas4457 · 2 years ago · +1394

    "Malware authors *hate* this secret trick!"
    Hilarious! Thank you for taking the time to help regular users, Leo.

    • @DemeDemetre · 2 years ago · +5

      lol

    • @stylite1637 · 2 years ago

      nah, we don't hate these "secret tricks", since we can hide absolutely everything and bypass every single antivirus

    • @RubenDeJong1603 · 2 years ago · +1

      they hate a rescue disc more

    • @stylite1637 · 2 years ago · +1

      @RubenDeJong1603 we get to keep your information '-'

    • @RealRandomSmart · 2 years ago

      @stylite1637 every single antivirus? geez lol. wait... are you a malware author lol

  • @HyperFire · 2 years ago · +1587

    Imagine trying to hack someone named the pc security channel

    • @HanSDevX · 2 years ago · +234

      and get exposed step by step

    • @Mario583a · 2 years ago · +34

      Leo: It sounded cool.

    • @Nogardtist · 2 years ago · +56

      it's most likely a bot programmed to send malware to YouTubers' mail

    • @kyouhyung · 2 years ago · +29

      @Nogardtist yeah, they could easily write a script that crawls TH-cam for channels over a certain subscriber threshold, and set up a pipeline that compiles the malware, writes the email with the channel name and sends it to the channel's email. Perhaps the initial mail and the reply sent by the channel were the trigger that fires up the pipeline. Obviously they want to minimize the number of specimens sent out instead of spamming them all over the place and risking them being automatically flagged.

    • @Nogardtist · 2 years ago

      @kyouhyung wouldn't verified emails from the brand or company, with a mark or something, make it easier to filter out these parasites?
      Then, let's say a newcomer starts their channel: most tutorials or guides are either a waste of time or useless. They don't cover all the problems and tips a creator might face, like the quality of the videos, or why the algorithm hates small creators (ironically they say most updates are for small creators' safety). There are bigger problems than the dislike ratio, like comment bots and fake sponsors, and then what Google themselves provide in search results. But asking Google or YouTube directly most likely feels like talking to the void or a bot. Imagine if in YouTube Studio there was an option to talk to them directly instead of relying on other sites for a chance to get a response.

  • @Draxis32 · 2 years ago · +944

    The cheeky scammers be like:
    "Hey we found this *PC SECURITY CHANNEL* let's try to fish him in!"
    I would like to have the boldness of these people at least once in my life!

    • @lIli-ht4hw · 2 years ago · +17

      @synthlord6575 how is it cringe?

    • @zsi · 2 years ago

      This thread is cringe.

    • @dealsanddiecast · 2 years ago · +6

      @synthlord6575 I'm confused how you're confused

    • @zUltra3D · 2 years ago

      Lmao

    • @nlx78 · 2 years ago

      On the other hand, they say a professional cook does not really like to cook at home on his night off, you sometimes hear. Or, in the case of Seinfeld, when he had a girlfriend who was a masseuse, but she refused to give him a neck massage. Meanwhile Kramer did get one, I believe... th-cam.com/video/zLo3kbggWZs/w-d-xo.html

  • @mudi2000a · 2 years ago · +352

    A "contract" that has a size of 750 MB should always be a red flag.
    Regarding behavioral protection: we have this at work; I'm a developer and it blocks a lot of completely legit tools.

    • @4.0.4 · 2 years ago · +5

      They hope you don't notice because it's packed so small.

    • @_auser_ · 2 years ago · +5

      Talking about a 700 MB "Word document": is it a good idea to just make a 500 MB text file that shatters anyone with a potato PC when opening it, aka spam E, since why not? Notepad crashed on me at 250 MB, since my PC isn't the greatest either, but it's funny, and I did ruin my friend's PC. Don't worry, nothing is damaged, the CPU is just broken. This reply is really long, probably as long as one paragraph of a Wikipedia page.

    • @_auser_ · 2 years ago · +2

      Did my TH-cam just crash?

    • @HuntingKingYT · 2 years ago · +2

      @_auser_ at least your reply isn't tons of E's

    • @_auser_ · 2 years ago · +1

      @HuntingKingYT but it's as big as one Wikipedia paragraph

  • @jackfishthe6th373 · 2 years ago · +201

    I did not know about the large file trick to evade detection! Now I understand the real reason to be wary of large downloaded/unknown files.

    • @dp6123 · 2 years ago · +5

      You mean those GBs of torrent download files? This is why torrenting is dead.

    • @anonymousarmadillo6589 · 2 years ago · +22

      @dp6123 Lol

    • @jmbkpo · 2 years ago · +2

      @dp6123 Lol

    • @LordFlaggy · 2 years ago · +1

      @dp6123 Lol

    • @reymarckessaguirre5082 · 2 years ago

      @dp6123 Lol

  • @WilliamDye-willdye · 2 years ago · +203

    If your sponsor can analyze compressed files, I suggest they change their "file too big" dialog to tell the user to try compressing the file and resubmitting.

    • @Steveson · 2 years ago · +1

      I actually got hacked a few days ago; my McAfee subscription had run out, and I was downloading a Filmora file, and I don't know what happened, but my YT and all my other accounts got breached online :/. I deleted that file, but I'm still scared.

    • @ananthakrishnanj · 2 years ago · +1

      @Steveson lol who told you to download cracked software

    • @investfoxy · 2 years ago · +2

      @Steveson Immediately change your Google and other necessary passwords, like Facebook, net banking passwords, etc.

  • @RockTheCage55 · 2 years ago · +337

    Would be interesting to see what happens when you actually execute it with different AVs (especially Windows Defender :) )

    • @joemama3372 · 2 years ago · +10

      Try it and tell us! 😉

    • @whocares7078 · 2 years ago · +6

      Windows Defender is shit.
      You're sadly fucked if you solely rely on anything Microsoft makes XD

    • @KyngD469 · 2 years ago · +58

      @whocares7078 cringe

    • @richards1213 · 2 years ago · +1

      Happened to me, you don't want that 😅

    • @idkmanreal0008 · 2 years ago · +26

      @whocares7078 Windows Defender is honestly underrated, because most people think that Microsoft software is pure trash.

  • @108kitsune · 2 years ago · +14

    Lots of facecam lately, interesting change

  • @CaptainXLAB · 2 years ago · +179

    Another quick trick you can use without a hex editor is to compress the exe using Windows's built-in NTFS compression. If it's full of zeros, the file size should show Size 700 MB or whatever, and then Size on Disk will be something around 100 KB. I'm quite sure that the zip file in that download is also only a few hundred KB due to compression, and 4 files of more than 700 MB each in a zip that is barely a few KB is also a dead giveaway of something being very wrong. Nice video as always :D

    • @joemama3372 · 2 years ago · +7

      Great tip! Thank you!

    • @themasterofdisastr1226 · 2 years ago · +22

      The ZIP archive he downloaded was shown as only ~400 KB, which was a pretty clear indicator that the file was bloated, w/o any other tricks.

    • @rockon7478 · 2 years ago

      @themasterofdisastr1226 yo bro

    • @SmoggyLambGG · 1 year ago · +1

      VirusTotal still wouldn't take the file in regardless of compression tactics.
      Besides that, the original zipped files are still encrypted.

    • @goldenhate6649 · 1 year ago · +2

      The point isn't to get the antivirus to find it. The point is to be able to see it's a bloated file, which is a dead giveaway of a virus program. An executable shouldn't compress very much, as it should have lots of important, non-compressing calls.
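
    The "700 MB file, 400 KB zip" observation in this thread can be turned into a quick triage check. The script below is an added example, not code from the video or from the commenters: it measures how far a file collapses under DEFLATE (the same compressor a ZIP uses) and looks for long runs of null bytes, which is what the NTFS-compression trick in the comment above reveals through the Size vs. Size on Disk gap. The thresholds (30% compression ratio, a 1 MiB null run) and the constructed sample input are assumptions chosen for illustration, not published figures.

    ```python
    """Bloat check for a suspicious download (added example, not from the video)."""
    import random
    import re
    import sys
    import zlib

    # Assumed thresholds for illustration: a legitimate PE normally compresses to
    # well above 30% of its size, and no honest binary carries a 1 MiB run of zeros.
    MAX_HONEST_RATIO = 0.30
    SUSPICIOUS_RUN = 1 << 20


    def compression_ratio(data: bytes, level: int = 6) -> float:
        """Compressed size over raw size, using zlib's DEFLATE like a ZIP archive."""
        if not data:
            return 1.0
        return len(zlib.compress(data, level)) / len(data)


    def null_runs(data: bytes, min_run: int = 4096) -> list:
        """(offset, length) of every run of null bytes at least min_run long."""
        pattern = re.compile(rb"\x00{%d,}" % min_run)
        return [(m.start(), m.end() - m.start()) for m in pattern.finditer(data)]


    def bloat_verdict(data: bytes) -> dict:
        """Summarise size, compressibility and zero padding for one file."""
        runs = null_runs(data)
        longest = max((length for _, length in runs), default=0)
        ratio = compression_ratio(data)
        return {
            "size": len(data),
            "compression_ratio": round(ratio, 4),
            "longest_null_run": longest,
            "null_bytes_in_runs": sum(length for _, length in runs),
            "bloated": ratio < MAX_HONEST_RATIO or longest >= SUSPICIOUS_RUN,
        }


    def constructed_sample(padding: int) -> bytes:
        """Constructed stand-in for a padded binary: 64 KiB of pseudo-random
        'code' (incompressible, like real machine code) followed by `padding`
        null bytes. It is not a real PE, only a byte pattern for the check."""
        rng = random.Random(0)
        code = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
        return code + b"\x00" * padding


    if __name__ == "__main__":
        if len(sys.argv) > 1:
            with open(sys.argv[1], "rb") as fh:
                blob = fh.read()
        else:
            blob = constructed_sample(padding=8 << 20)  # 8 MiB of zeros
        for key, value in bloat_verdict(blob).items():
            print(f"{key:>20}: {value}")
    ```

    Run it with the suspicious file as the only argument; with no argument it analyses the constructed sample. On Windows the same signal is available without any code: `compact /c <file>` applies NTFS compression and Explorer's properties dialog then shows the raw size next to the much smaller size on disk, exactly as the comment describes.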

  • @lokelaufeyson9931 · 2 years ago · +125

    First rule of security: Don't open EXE files unless they are from a trusted source. If something feels strange or wrong, it's usually something bad. Say no thanks and cancel/X out.

    • @RubenDeJong1603 · 2 years ago · +7

      or/and DELETE! 🗑

    • @irpnet · 2 years ago · +10

      @RubenDeJong1603 My first rule of security is: unless it came with Windows, don't trust it! And even if it did, still don't!!

    • @Ethorbit · 2 years ago · +14

      First rule of security: don't store your precious data on Windows

    • @shib5267 · 2 years ago · +2

      first rule of security: just don't

    • @greenicalgaming · 2 years ago · +2

      First rule of security: n o

  • @Aci_yt · 2 years ago · +35

    I fell for one of these once; kind of sad this has become such a popular thing now..

    • @jello3064 · 2 years ago · +3

      did you actually run the file or not?

    • @Aci_yt · 2 years ago · +3

      @jello3064 yes, but it wasn't a contract like here, it was a game demo instead

    • @pengwino828 · 2 years ago · +3

      @Aci_yt Any game that comes with no textures or dll files is fake, because then it couldn't display anything

    • @Aci_yt · 2 years ago · +2

      @pengwino828 it supposedly was the installer

    • @pengwino828 · 2 years ago · +1

      @Aci_yt wow, they really thought that far ahead. At least you got your channel back.

  • @suhail-msk · 2 years ago · +7

    Didn't expect your face reveal

  • @SriHarshaChilakapati · 2 years ago · +35

    That's an interesting trick you showed there! I've seen people embedding malware in bmp images and sharing a screensaver which loads the executable from that bmp image, but just blasting the size with zeroes is totally new. A question though: when you just select the zeroes and simply delete them, wouldn't that render the PE file invalid? Won't moving the offsets cause issues with the loader?

    • @randomdude12370 · 2 years ago · +3

      I'm not qualified to answer, but my guess would be that because it's essentially dead space, it shouldn't affect the program, which is why he just did a general delete of the zeros and didn't fine-tune it

    • @inwoner7190 · 2 years ago · +3

      @randomdude12370 It must be for the same reason they could add all the zeros in just that place: the program behaves the same anyway

    • @blogspoto · 2 years ago · +3

      The zeros were after the main PE sections, in between, let's say, the .rsrc section and the overlay (the zeros could also be in the overlay or in their own custom-named section), and they don't affect any offsets, as no code or data points to that zero section, and the overlay is mostly for display (most RedLine payloads use corrupted certificates from big companies to try to further deceive the user into executing the payload). Any other offset used by the program's internals is calculated at runtime relative to the image base and the different sections in the PE.
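
    The explanation above is the reason the hex-editor deletion in the video worked: the Windows loader maps only what the section table describes, so bytes past the last section's raw data (the overlay) are never mapped and have no offsets pointing into them. The script below is an added example, not the video's method or a RedLine-specific tool: it walks the section table by hand to find where the overlay begins, reports how much of it is null bytes, and writes a copy with the null runs removed from the overlay only, leaving every mapped section untouched. The constructed PE skeleton used for the demonstration is header-consistent but not loadable; the 4 KiB minimum-run value is an assumption.

    ```python
    """Locate a PE overlay and strip null padding from it (added example, not from the video)."""
    import re
    import struct
    import sys


    def overlay_offset(data: bytes) -> int:
        """File offset where the last section's raw data ends; everything from
        here on is overlay. Raises ValueError for input that is not a PE."""
        if data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("PE signature not found")
        coff = e_lfanew + 4                    # IMAGE_FILE_HEADER follows the signature
        num_sections = struct.unpack_from("<H", data, coff + 2)[0]
        opt_size = struct.unpack_from("<H", data, coff + 16)[0]
        sect_table = coff + 20 + opt_size      # section headers follow the optional header
        end = sect_table + 40 * num_sections   # at minimum the headers themselves
        for i in range(num_sections):
            hdr = sect_table + 40 * i
            size_of_raw, ptr_to_raw = struct.unpack_from("<II", data, hdr + 16)
            if size_of_raw:
                end = max(end, ptr_to_raw + size_of_raw)
        return end


    def overlay_stats(data: bytes) -> dict:
        """Where the overlay starts, how big it is, and how much of it is zeros."""
        start = overlay_offset(data)
        overlay = data[start:]
        return {
            "overlay_offset": start,
            "overlay_size": len(overlay),
            "overlay_null_fraction": (overlay.count(0) / len(overlay)) if overlay else 0.0,
        }


    def strip_overlay_padding(data: bytes, min_run: int = 4096) -> bytes:
        """Copy of `data` with every run of >= min_run null bytes removed from the
        overlay only. Mapped sections are untouched, so a scanner sees the real
        program; an Authenticode signature or installer payload living in the
        overlay may be damaged, which is fine for scanning but not for running."""
        start = overlay_offset(data)
        pattern = re.compile(rb"\x00{%d,}" % min_run)
        return data[:start] + pattern.sub(b"", data[start:])


    def constructed_pe(section: bytes, padding: int, tail: bytes = b"") -> bytes:
        """Constructed, header-consistent PE skeleton (not loadable): DOS header,
        PE signature, a one-section COFF header with no optional header, one
        section holding `section`, then `padding` nulls and `tail` as overlay."""
        e_lfanew = 0x40
        dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
        coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)
        raw_ptr = e_lfanew + 4 + 20 + 40       # data starts right after the one section header
        sect = b".text\0\0\0" + struct.pack(
            "<IIIIIIHHI", len(section), 0x1000, len(section), raw_ptr, 0, 0, 0, 0, 0x60000020)
        return dos + b"PE\0\0" + coff + sect + section + b"\0" * padding + tail


    if __name__ == "__main__":
        if len(sys.argv) > 1:
            with open(sys.argv[1], "rb") as fh:
                blob = fh.read()
            slim = strip_overlay_padding(blob)
            with open(sys.argv[1] + ".stripped", "wb") as fh:
                fh.write(slim)
        else:
            blob = constructed_pe(b"\xcc" * 100, padding=50_000, tail=b"TAIL")
            slim = strip_overlay_padding(blob)
        print(overlay_stats(blob), "->", len(slim), "bytes after stripping")
    ```

    The stripped copy is meant for submission to a scanner that rejects large files, not for execution. The example handles only the overlay case the comment describes; if the padding sits inside a section (for instance a custom-named one), deleting it shifts the raw offsets of everything after it, and the section table would have to be rewritten to match, which is why a blind delete inside a section can break the file even though a blind delete of the overlay does not.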

  • @ardeof · 1 year ago · +3

    I'm curious, since when did Antivirus decide not to scan a file based on size? I remember scanners taking HOURS to scan. Why did they shuffle to "oh 10 minute scans are superior, even if we miss the actual virus"?

    • @KillerSkullX · 4 months ago

      I was wondering that too

  • @AtariKafa · 2 years ago · +3

    best antivirus is yourself...

  • @Alberos · 2 years ago · +15

    Wow, this is the oldest trick in the book and it still works.... Changing the icon of an exe to something like Word or a folder. Windows hiding known file extensions by default doesn't help either. And now we are starting to have people that don't even know what a "drive" and a "file" are...... things are about to get worse from here haha

    • @4.0.4 · 2 years ago · +2

      Zoomers are the new Boomers. We gotta help them so they have basic tech skills and aren't vulnerable.

    • @Yousie6 · 2 years ago

      that's implying the mid-2000s weren't god awful haha
      LimeWire ruined so many PCs

    • @nettack · 2 years ago

      Adding to the IT illiteracy, people just want to monetize themselves on YT without merit or talent, on "character" alone. And who can blame them, once the Pauls succeeded with this crap. Be vigilant, but if you get screwed over, maybe it's time for a real job.

  • @jubrajtoolsie680 · 2 years ago · +11

    The part where he got rid of the blank spaces which were only there to fill space to make the malware undetectable was mind blowing!

  • @Voreoptera · 2 years ago · +7

    You barely explained why no one would notice that the docx file is an exe file, especially if "show file extensions" is enabled (hate Microsoft for disabling this by default). The attackers did not even bother adding docx to trick some users.

    • @Mario583a · 2 years ago · +6

      It's part Microsoft - part stupid people renaming the file _including_ the extension and complaining why Office won't load their files.

  • @silentmajority8518 · 2 years ago · +7

    Thanks for this video. I was wondering HOW ON EARTH these people got around 2FA recently. Now I know. Great info.

    • @Mario583a · 2 years ago · +1

      And knowing is half the battle.

  • @koshkamatew · 2 years ago · +1

    Real VS Fake NordVPN Sponsorship mail

  • @ADVANCEDLEVELAUTO · 2 years ago · +1

    Wow! Great video! My channel was recently hacked because I opened an attachment similar to this one. I posted a video a few days ago explaining how it happened and how I was able to get my Gmail account back the same day. Crazy stuff! I’m way more cautious now.

  • @yssjc1414 · 2 years ago · +9

    The ".scr" file, like in 1:53, was used to hack the crypto assets of streamers here in the Philippines.

    • @Mario583a · 2 years ago · +3

      I always knew something was off with that Pipe Dream screensaver....

    • @AlfiesFuntime · 2 years ago

      That's a screensaver file...

    • @AlfiesFuntime · 2 years ago

      @nevergonnagiveyouup4189 I didn't know that, I thought they were limited to animations

    • @AlfiesFuntime · 2 years ago

      Oh gosh does that username have RTL in it or something?
      Edit: it only appears weird on mobile

    • @user-0r67h2wdhu · 2 years ago

      @AlfiesFuntime why did you write backwards?

  • @YellyClips · 2 years ago · +6

    I got attacked by this malware. The guy used my Discord and took $200 from my 13-year-old's account, and then I got mad (he didn't know I was a Linux guy :) ), so I just reverse shelled him and deleted almost all the files on his PC. lol revenge

  • @alipetuniashow · 2 years ago · +8

    Thanks for the video, it really helps with malware analysis for beginners

  • @xelspeth · 2 years ago · +5

    If only there was some sort of checkbox you had to click on files before they are allowed to execute and otherwise warn you that they don't have permissions to be executed so you can't mistake an executable with a word document icon for a word document 😔

  • @t3true-games · 2 years ago · +3

    They hacked a gaming channel; I know the guy, he had over 1 million subs! And it went to these crypto videos.. He was able to get it back like 2 weeks later though. But that sucks!

  • @imtheconstitution1190 · 2 years ago · +3

    Looking at the name of the virus at 6:37, this is a Chinese god's name, "yanluowang" 閻羅王, a god that manages the afterlife for mortals (sort of similar to Hades)

  • @Shocker99 · 2 years ago · +5

    Have you just started to make these types of videos?
    I don't know why, but it feels like you have more credibility because of them. I've watched some of your Antivirus A vs Antivirus B type videos in the past and always wondered if it was unbiased or paid-for company content.

  • @kastrodyll1724 · 2 years ago · +10

    I wonder how the executable would perform on VirusTotal after you removed the unnecessary parts.

    • @kastrodyll1724 · 2 years ago · +2

      I just tried to download the file myself, but they've changed the 7zip password. No chance to extract the file. Maybe I'll try it with a brute-force attack.

    • @paullombardi9506 · 2 years ago

      Hi, can you tell me how you downloaded the file?

    • @paullombardi9506 · 2 years ago

      I want to put it through VirusTotal

    • @kastrodyll1724 · 2 years ago · +1

      @paullombardi9506 just copy the link seen in the video

    • @fade6052 · 2 years ago

      @kastrodyll1724 how was your test? Is it detected?

  • @ayden8901 · 2 years ago · +8

    What antivirus do you personally use? Of course I've seen your tier list but I'm super curious to know what you use on your machine

    • @elevul · 2 years ago

      Linux probably

    • @spritzerland658 · 1 year ago · +1

      @elevul huh???????????

  • @naeroforceofficial · 2 years ago · +1

    I GOT IT, I GOT EXACTLY THIS! Do I need to worry if I didn't open it? I just unzipped it, and when I saw the file was 750 MB I just WIPED it out of existence

    • @SpeedsterBlur · 2 years ago · +1

      You're fine as long as you didn't run the file.

  • @damienmcgirl3577 · 1 year ago · +11

    I'm honestly just a hacker for fun (I love finding the security breaches in computers and whatnot; it's like an advanced puzzle that always changes), and these videos not only help my skills but also help me patch up and make my systems better

    • @cadmanfox6874 · 1 year ago

      @Kanyesouth436 I doubt he hacks other people's systems; this is actually pretty common. Pretty sure they're called white-hat hackers. But if he actually does hack other people, he can gtfo of civilization.

    • @damienmcgirl3577 · 1 year ago

      @americanketchup4340 don't bother, these guys are idiots. It's not worth your time trying to explain it

    • @Kanyesouth436 · 1 year ago

      @americanketchup4340 ye

  • @ifur · 2 years ago · +36

    I love how calm you are while dealing with malware

    • @orbitalonyx · 2 years ago · +8

      For real, if I got a virus I would probably break down or something, idk, I have bad anxiety lol

    • @kamilo1175 · 2 years ago · +6

      He was probably in a VM

    • @orbitalonyx · 2 years ago · +4

      @kamilo1175 yeah, most likely; pretty much every person that deals with this stuff uses a VM

    • @malwaretestingfan · 2 years ago · +2

      @kamilo1175 Indeed, or he's just experienced, or even both.

    • @roguewasbanned4746 · 2 years ago · +1

      @orbitalonyx I trust people and download files all the time, and that's why I get nervous even when I know someone is on a VM. I do creative projects with people, so you just have to hope no one gets hacked or sends anything malicious 🙃

  • @satinfoil · 2 years ago · +1

    well, any sane person would automatically know that a document in the form of an exe is malicious. But thanks anyway!

  • @CeilingPanda · 2 years ago · +7

    Yes please more of these, even if I'm quite techy it's super good to have these types of videos to send to others! :)

  • @aayushkarulkar107 · 2 years ago · +4

    Me seeing Mrwhosetheboss's channel in the thumbnail: "Wait, what? His channel got hacked!!!!!???" After all, he's the UK's largest tech YouTuber

    • @talksalot7562 · 2 years ago

      I mean.. he got hacked a few years ago-

    • @talksalot7562 · 2 years ago

      but I'm shocked that he is on the thumbnail on this vid...

  • @Stoner_mtl · 2 years ago · +3

    that's why you need second opinion scans like Hitman Pro Alert

  • @Nullifys · 2 years ago · +4

    So this is what security research is. I like this a lot

  • @RickOShay · 2 years ago · +1

    You'd have to be especially stupid to download a 750 MB exec file that claims to be a simple contract file!! One could say so stupid that you shouldn't actually own a computer.

  • @Reeegon · 2 years ago · +1

    would you recommend the Google USB stick for access and security?

  • @DarkDonnieMarco · 2 years ago · +7

    I learned more about malware analysis in this video than the entire module on it in my masters in cybersecurity

    • @KillerSkullX · 4 months ago

      Is it really that easy to study cyber security?

  • @rayrussell6258 · 2 years ago · +5

    If the security systems we use are limited in the size of file they scan, then why don't they break the file down into smaller chunks to be scanned? Surely they could design something that deletes all the repetitive zeros and then puts the file back together before scanning (similar to how you did it manually).
    I'm not a programmer, but that seems like the way to eliminate scammers like this.

    • @tronghungnguyen8716 · 2 years ago

      A single run of repetitive 0s is easy, but once it gets to a repetitive sequence, that's just impossible to split and detect easily

    • @rayrussell6258 · 2 years ago

      @tronghungnguyen8716 to my thinking, not really;
      break it into equal parts, it doesn't matter where the zeros are, then look for all zeros in each part. When done, put it back together and run the scan. Just like he did manually.

    • @rayrussell6258 · 2 years ago

      @Emilia-fl5ii I'm not a programmer, but I still say you can break any file apart anywhere you like, scan the smaller files, and then put them back together again. If he could do it manually, it can be done in whatever software code they used, and look for patterns. Whether they used 0's or "junk" might make it harder to figure out the malicious intent, but it doesn't stop the ability to do the scan; he said file size is preventing the scan, so that's where I said it should start, rather than leaving users totally exposed. As with most things new, people lose sight that you can't take step 2 until you take step 1.

    • @rayrussell6258 · 2 years ago

      @Emilia-fl5ii Well, look back then: the original poster broke the file apart, eliminated the 0's, put it back together, ran the virus scan on the smaller file, all that manually.
      I read what you say, and see nothing you say that overrides what he did manually, meaning it should be possible to replicate his manual process. I wish he would come back into the thread and get into this discussion with you. As I said, I'm not a programmer. However, on my job, I was usually the designated spec writer, working with programmers who automated our manual reports. We never found anything that couldn't be done with software. It took time occasionally to get the right software, but nothing stopped us.
      I think this situation is a hole not being fixed. It's fixable, somehow.
      Address further questions to the original poster please, not me. You two can talk it out; I'll read your discussion with him.

    • @rayrussell6258 · 2 years ago

      @Emilia-fl5ii Again, I said talk the technicals with the original poster, not directly to me.
      But from my point of view, if someone can do it manually, then it's doable with programming. At least it would make it more difficult for the hacker to do mischief. Enough said.

  • @Eirexeyes · 1 year ago · +1

    It really annoys me that these helpful channels are not boosted by TH-cam rather than all of the dumb political stuff..

  • @LNDFHACKER · 2 years ago · +1

    And the ZIP is encrypted, so AV software would have trouble analyzing it...

  • @joeyr3349 · 2 years ago · +1

    any unknown email in my inbox.... "STRAIGHT TO BIN"

  • @thrices4372 · 2 years ago · +3

    Can you teach us the best practice for how to set up a virtual Windows to test viruses and malware?

  • @lolobke · 2 years ago · +1

    Can you get malware from watching TH-cam videos?

  • @memetech- · 2 years ago · +1

    man, all that blank space is really taking up a lot of space. it's really important though...

  • @xerox8080 · 2 years ago · +2

    Why does Windows allow users to hide all file extensions when these are very important? That's a really stupid decision by Microsoft imo....

  • @aimannizam4505 · 2 years ago · +1

    Yep, every hacker is made, THEY LITERALLY HACKED ALL MY FRIENDS' ACCOUNTS THOUGH, IN THE SAME DAY

  • @walshar2705 · 2 years ago · +1

    I thought a famous TH-camr would comment here and say "Hey, that's what I did!"

  • @lumixanbgaming · 2 years ago · +2

    you know, this is frustrating stuff; I really thought they would use some insane exploits or something. But if they only send an .exe file and the YouTuber clicks it.... idk, this is the most ridiculous thing ever.
    imagine clicking unknown .exe files in 2022 :D I mean, their social engineering/phishing email is fucking bad

  • @lewiskelly14 · 2 years ago · +1

    Why did you use different online services before and after removing the middle space?

  • @BasedF-15Pilot · 1 year ago · +1

    Based on the train reflection in your mirror, you live in Boston, or the UK, which also has some silver trains with 2 windows per car.

  • @tophitter9323 · 2 years ago · +1

    Something like this kind of happened to me: I got my account stolen, and they just liked all their videos using my account

  • @thegreatboomhauer6794 · 2 years ago · +4

    this is your best video, actually showing us the forensics of malware. WOW

  • @kyouhyung · 2 years ago · +3

    Gotta admit, that file size trick was quite clever.

  • @Adrain45175 · 2 years ago · +2

    What about free/open source HIDS vs these types of malware? Does it work better than regular AV?

  • @LynKazoyuu · 2 years ago · +3

    How about the Discord stealers? It's really getting annoying

  • @kenpachizaraki4184 · 2 years ago · +1

    Would deleting the file and doing a system restore to revert be sufficient to get rid of the threat? I'm trying to avoid a clean wipe.
    Edit: actually, I extracted the contents and saw an .exe, but never ran it. There's no reason a company offer should supply an exe.

  • @slogadin · 2 years ago · +1

    Dude, this literally happened to me; how would I make my PC safe? PLSSSSSSSSSSSSSS help

  • @zangizangidze8787 · 2 years ago · +1

    guys!!!
    I found Muta's brother.

  • @Fantasy2k · 2 years ago · +2

    thanks for the info

  • @someuser4166 · 2 years ago · +1

    Malwarebytes can scan big files if you right click on them and tell it to

  • @cestmamin · 2 years ago · +2

    This is Cyber Security class in a TH-cam video

  • @x-gamer2478 · 2 years ago · +5

    appreciate how much effort he puts into the content for us❤

  • @tomato-fh1qb · 2 years ago · +1

    How about posting the file link in VirusTotal?

  • @Stuff1646 · 2 years ago · +4

    I suffered from the exact same malware, though instead of an exe, the attacker had used a Chrome extension that had a great reputation and reviews, so it was hard to determine whether it was malicious or not. Oddly enough, after 2 months it had remotely installed Redline Stealer along with some other nasties, and later on it got kicked off the Chrome store.

    • @joemama3372 · 2 years ago

      Wow... From a Chrome extension that seemed legitimate and had good reviews..
      I'm often suspicious of extensions for browsers, Google Office and MS Office products..

    • @Stuff1646 · 2 years ago

      @joemama3372 Should also be suspicious about Play Store apps, as Google doesn't do a good job when it comes to auditing.

    • @Fatman305 · 1 year ago · +1

      Which is why I trust only extensions that have been available for 2+ years, and have plenty of downloads and plenty of reviews. Very easy to get a few hundred fake reviews.

  • @Trizic_ · 2 years ago

    Just saw 2 TH-cam accounts get hacked by crypto hackers who are uploading or livestreaming crypto stuff.

  • @sebf98s90fh2 · 2 years ago · +1

    finally some coverage on this shit show

  • @lewiskelly14 · 2 years ago · +1

    So many problems in this video

  • @tahafayed4843 · 2 years ago · +1

    are you using a filter or is your skin just so smooth?

  • @javiTests · 2 years ago · +4

    Thank you for sharing! Quick question... How would they bypass the 2-factor authentication? Even if they force you to log in again, steal passwords and the 2-factor value, when they go and use those credentials they will need to type another 2-factor value, right? That they don't have... 🤔

    • @flyhtz · 2 years ago · +5

      you log in and it makes a cookie, and then you exploit the cookie by injecting it (if you really want to know and want an example, I'd look up how to log into Discord using a Discord token; it's the exact same thing), because when you inject a cookie the device/account thinks: "oh hey, I know this one, he doesn't need to do 2FA cuz I trust him :D"

    • @nickwoodward819 · 2 years ago · +1

      but that trust wouldn't extend to sensitive operations like password changes? So how would they steal the account/lock you out?

    • @javiTests · 2 years ago

      @flyhtz Aren't cookies linked to specific devices? If not, yes, that's quite a big security hole!

    • @flyhtz · 2 years ago

      @nickwoodward819 no, it would not, but as soon as they have the cookie they can change the password and email

    • @flyhtz · 2 years ago

      @javiTests they are not; they are linked to browsers, so you can inject them
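
    The exchange above, as an added example that is not part of the original thread or the video: a server issues a session token only after password and 2FA succeed, and a stealer then replays that token from another machine. The model below shows why a bare token bypasses 2FA, and two server-side mitigations the replies touch on: binding the session to a client fingerprint, and refusing sensitive actions (password or recovery-email change) unless the authentication is recent. The store, the user agents, addresses and the 300-second freshness window are constructed assumptions for illustration, not any real site's policy.

    ```python
    """Session-cookie replay with and without server-side binding (added example)."""
    import hashlib
    import hmac
    import secrets
    import time

    REAUTH_WINDOW = 300  # assumed: seconds a login stays "fresh" for sensitive actions


    class SessionStore:
        """Minimal server-side session table; `now` is injectable for testing."""

        def __init__(self, bind_to_client: bool, now=time.time):
            self.bind_to_client = bind_to_client
            self.now = now
            self._sessions = {}  # token -> {"user", "fp", "auth_at"}

        @staticmethod
        def fingerprint(user_agent: str, client_ip: str) -> str:
            # Whatever the server can observe about the client; UA + IP is a weak,
            # cheap example. The stealer can copy the UA, so this mainly catches
            # naive replay from a different network.
            return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()

        def login(self, user: str, password_ok: bool, totp_ok: bool, fp: str) -> str:
            """Issue a session token only after both factors succeed."""
            if not (password_ok and totp_ok):
                raise PermissionError("authentication failed")
            token = secrets.token_urlsafe(32)
            self._sessions[token] = {"user": user, "fp": fp, "auth_at": self.now()}
            return token

        def authenticate(self, token: str, fp: str):
            """Resolve a presented cookie to a user name, or None if rejected."""
            sess = self._sessions.get(token)
            if sess is None:
                return None
            if self.bind_to_client and not hmac.compare_digest(sess["fp"], fp):
                return None  # same cookie from a different client: treat as replay
            return sess["user"]

        def change_password(self, token: str, fp: str) -> bool:
            """Sensitive action: needs a valid session AND a recent authentication."""
            if self.authenticate(token, fp) is None:
                return False
            return self.now() - self._sessions[token]["auth_at"] <= REAUTH_WINDOW


    def replay_scenario(bind_to_client: bool, seconds_later: int) -> dict:
        """Victim logs in with 2FA; attacker replays the stolen cookie elsewhere."""
        clock = [1_000_000.0]
        store = SessionStore(bind_to_client, now=lambda: clock[0])
        victim_fp = SessionStore.fingerprint("Chrome/120 Windows", "203.0.113.7")    # constructed
        attacker_fp = SessionStore.fingerprint("Chrome/120 Linux", "198.51.100.9")   # constructed
        cookie = store.login("creator", password_ok=True, totp_ok=True, fp=victim_fp)
        clock[0] += seconds_later  # time passes before the stolen cookie is used
        return {
            "attacker_sees_account": store.authenticate(cookie, attacker_fp) == "creator",
            "attacker_changes_password": store.change_password(cookie, attacker_fp),
            "victim_still_valid": store.authenticate(cookie, victim_fp) == "creator",
        }


    if __name__ == "__main__":
        print("unbound, replayed a minute later:", replay_scenario(False, 60))
        print("unbound, replayed an hour later: ", replay_scenario(False, 3600))
        print("bound, replayed a minute later:  ", replay_scenario(True, 60))
    ```

    Without binding, the replayed cookie is simply the victim's session, which is the 2FA bypass the thread describes; if it is replayed soon after login it even passes the re-authentication check, so the freshness window only narrows the takeover rather than preventing it. Binding to a fingerprint closes the naive replay but is weak on its own, since a stealer that has the cookie usually has the user agent too; short-lived tokens that rotate, and a hard second-factor prompt on every password or recovery-email change, are the controls that actually stop the account from being flipped to crypto scams.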

  • @monkeyrobotsinc.9875 · 2 years ago · +1

    beauty face on level 10? LOL

  • @investfoxy · 2 years ago

    Being a crypto TH-camr, I am very familiar with all these spam messages. I must admit I have been a victim of a trojan attack once, and ever since I have never been scammed, because I learned from being hacked. Can you tell me how a .src file stole my crypto wallet keys?

  • @alvaro_rm_07
    @alvaro_rm_07 2 years ago +2

    Love your videos

  • @xdkrazycamy7978
    @xdkrazycamy7978 2 years ago +1

    DOES ANYBODY KNOW HOW TO REMOVE IT, I'M IN BIG TROUBLE!! I heard it takes security card info, IP addresses and steals lots of money. Please help! 😥

    • @digima3972
      @digima3972 2 years ago

      I'll do my best to steal you

    • @cosmicdust632
      @cosmicdust632 2 years ago

      Run a scan with Malwarebytes.

  • @JustAPersonWhoComments
    @JustAPersonWhoComments 1 year ago

    A hacker starts a YouTube channel.
    Gets 200K subscribers in 5 hours.

  • @elishatech4600
    @elishatech4600 2 years ago +1

    I have never seen yo face 💖💖🔥

  • @Diarmuhnd
    @Diarmuhnd 2 years ago +1

    Thanks for the info digital science guy on the PC Security Channel
    (sorry, don't know your name or nickname)
    Have fun and be safe.

  • @YANCEYLIFTS
    @YANCEYLIFTS 2 years ago

    I got hacked in December but luckily I got it back; they were able to look at my IP address being signed in from a different state. Crazy thing about it is I didn't even click any emails or download any malware.

  • @ccjack431
    @ccjack431 2 years ago +1

    Browser privacy please

  • @4restknight404
    @4restknight404 2 years ago +1

    Classic client-side attack, but the payload is tenderness, not so nasty :)))

  • @thebritishindian1
    @thebritishindian1 2 years ago +3

    Great explanation, thanks. Given the size limitation of virus checkers, how can you check those big applications that you download from genuine companies, just in case they’ve been compromised without knowing?
    It would’ve been great if you could have executed the file anyway and showed how the virus checker would’ve handled it.

    • @goldenhate6649
      @goldenhate6649 1 year ago +1

      PUP finders tend to do a better job at this. Most antiviruses now are just bloatware, sadly.

  • @DahoodRex
    @DahoodRex 2 years ago

    Hackers: Oooh what is this channel lets watch it 5 mins later after watching the vid OMG LETS HACK AND TRY IT OUT
    Computer: BLOCKED... Not allowed
    Hacker: YOUUU COMPUTER SUCK I HATE YOU I SHOULD THROW YOU OUT!1
    cOMPUTER: YEETT
    Hacker: THATS WHAT YOU TAKE

  • @death_clan9123
    @death_clan9123 2 years ago +1

    Guess I got hacked

  • @V34035
    @V34035 2 years ago

    OHH so this is how it happened, well F*, thank god I saved my acc in time

  • @TechX1320
    @TechX1320 2 years ago +2

    I recently got hit in a very strange way. They changed my channel logo, they changed my channel name, they privated a bunch of random videos, not everything, just a bunch of randomly picked ones, and then they started live streaming a crypto scam.
    Strange thing though, my two-factor authentication was never triggered, and I looked at logged-in devices on my Google account, and the only ones that were logged in were my personal computer, my work computer, and my cell phone. So I couldn't kick them off that way either. I have no idea how they got in. Hadn't recently downloaded anything that I would think would be malicious.

    • @TechX1320
      @TechX1320 2 years ago

      @Appu26j Wouldn't some sort of cookie stealer need to be used though? Work computer was a Mac, Windows computer that was powered off since I wasn't home, and an Android phone, not rooted or anything, no sideloaded/modded apps.

    • @TechX1320
      @TechX1320 2 years ago

      @Appu26j At the time it occurred, I searched the title of the live stream they were doing and noticed there were about a dozen other YouTube channels streaming the same thing. It was some Bitcoin scam.
      I could understand exploiting live streaming with something like somehow guessing the stream key, but it's so long and convoluted I highly doubt that. Also, if you guess the stream key, that doesn't give you access to change things like the channel name, private videos and change the channel layout.

  • @24kCookieMusic
    @24kCookieMusic 2 years ago +1

    Mac users : oh how cute

  • @wolfbrave4866
    @wolfbrave4866 2 years ago +1

    Learning from your channel, I used Intezer to analyze a small file with the extension .doc inside a password-protected zip folder; it seems like it's a very popular technique, putting files inside a password-locked zip file. Intezer reported the file as malicious. 🤣 Question: can Windows-type malware infect an Android device if it's unpacked using an Android device? Yes, it's the doc file, but I did not execute or open it, just extracted and submitted it directly to Intezer.

  • @georgesenda1952
    @georgesenda1952 2 years ago

    I get those promotional video emails constantly. I mark them spam.

  • @MoMo2o00
    @MoMo2o00 2 years ago +1

    Did they really just try to hack THE pc security channel? Lol

  • @Eclypsee
    @Eclypsee 2 years ago +2

    I know how Redline works, I even have a client on my VM for testing. You know, I just use it to analyse the compiled exe files; it is not hard to detect and all AVs should be able to do the job, unless the creator modified it with a crypter, but it is unlikely. The file you tried seemed to be pumped to 715 MB and the malicious code is like 350-700 KB of that.

    • @sireopossom7860
      @sireopossom7860 2 years ago

      Just be mindful that a VM isn't safe.

    • @scootbmx01
      @scootbmx01 2 years ago +1

      Didn't watch the video?
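The "pumped" file described in the comment above (a few hundred KB of real code inflated to 715 MB, past the upload limits of many scanners), as an added example that is not from any commenter or from the video: a check that measures how much of a sample is a trailing run of one repeated byte and hashes the remaining core so that the un-padded part can be submitted for analysis on its own. The sample bytes are constructed; the 50% threshold is an assumption.

```python
import hashlib

CHUNK = 1 << 20  # scan the tail backwards 1 MiB at a time, so large files stay cheap


def trailing_pad_length(data: bytes) -> int:
    """Length of the run of a single repeated byte value at the end of data."""
    n = len(data)
    if n == 0:
        return 0
    pad = data[-1:]
    end = n
    while end > 0:
        start = max(0, end - CHUNK)
        stripped = data[start:end].rstrip(pad)
        if stripped:
            # The run begins right after the last non-pad byte in this chunk.
            # Caveat: genuine trailing bytes equal to the pad value are counted
            # as padding too, so the reported core may be a few bytes short.
            return n - (start + len(stripped))
        end = start
    return n  # the whole file is one repeated byte


def padding_report(data: bytes, min_ratio: float = 0.5) -> dict:
    """Describe the padding and hash the un-padded core for separate analysis."""
    total = len(data)
    pad = trailing_pad_length(data)
    core = data[: total - pad]
    ratio = pad / total if total else 0.0
    return {
        "total_bytes": total,
        "padding_bytes": pad,
        "pad_byte": data[-1] if pad else None,
        "core_bytes": len(core),
        "core_sha256": hashlib.sha256(core).hexdigest(),
        "suspicious": pad > 0 and ratio >= min_ratio,
    }


# Constructed sample: a 700 KiB pseudo-payload followed by 1 MiB of null bytes,
# mimicking a small stealer inflated far past its real content size.
SAMPLE = b"MZ" + bytes(range(256)) * 2800 + b"\x00" * (1 << 20)

if __name__ == "__main__":
    print(padding_report(SAMPLE))
```

For a file on disk, read the tail with `seek()` instead of loading the whole thing; the chunked loop is written so that change is local to `trailing_pad_length`.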

  • @LimE-iz1zb
    @LimE-iz1zb 2 years ago

    Thumbnail: how YouTubers get hacked
    Me: Oh cool, a new tutorial XD

  • @1y3911
    @1y3911 2 years ago +1

    I will never do it.

  • @jamesedwards3923
    @jamesedwards3923 2 years ago +1

    You explained it well.
    So I have a question. Avast or Malwarebytes? I prefer Malwarebytes.

  • @fatrat600284
    @fatrat600284 10 months ago

    Hackers try to hack The PC Security Channel
    Random hacker: "Why do I hear boss music?"

  • @silvaaa24
    @silvaaa24 2 years ago

    It's sad, but those scammers make a lot of money selling the hacked channels...

  • @Sitharii
    @Sitharii 2 years ago +1

    they tried to hack ... you ???
    *lol , tough luck on them* !!
    great analysis , thanks !!

  • @CertifyEdHub
    @CertifyEdHub 1 year ago

    I purchased ExpressVPN along with the Tor browser to go on the dark web. Some say I should download Tails for extra security; would that be necessary? 🤔