08.03.2025

Ongoing series: #1 #2 #3

youtube games cheat

Another dive into the fascinating world of malware distributed through YouTube videos (following the youtube pc help campaign) began with a tweet from WatchingRac about several videos supposedly offering cheats and hacks for games like Farlight 84, POLYGON, Apex Legends, and Roblox. However, instead of the promised tools, the (likely young) victims end up downloading malware.

The Video(s) and Google Sites

After reviewing the videos from the tweet, I started searching for more of them and, most importantly, the hijacked YouTube channels. I quickly found over 300 similar videos and more than 50 compromised channels. All of them follow a similar or even identical pattern:

  • The video shows an extraction process and some gameplay footage featuring a (well-known) cheat software.
  • The video description includes various tags related to the game and a link along with a password.
  • The link usually points to a sites.google.com page, though sometimes it leads directly to a file hosted on a sharing platform.

| Google Sites Link                              | Download Link on Website                                                 | Password |
|------------------------------------------------|--------------------------------------------------------------------------|----------|
| https://sites.google.com/view/nexol            | https://app.mediafire.com/chqpeq6hc3cvk                                  | 2525     |
| https://sites.google.com/view/nextz            | https://www.mediafire.com/file/k9h9908h4wy7eir/Nexol.rar/file            | 1122     |
| https://sites.google.com/view/flechh           | https://drive.google.com/drive/folders/1yO4uwuJzfLNZmgGEAFVwPDO3ADLO7_50 | 1414     |
| https://sites.google.com/view/curvedsoft       | https://www.mediafire.com/folder/0uq1f3cdio8si/Curved                    | 1010     |
| https://sites.google.com/view/projectxx1       | https://www.filemail.com/d/precyhluhjplmyb                               | 1234     |
| https://sites.google.com/view/drcheats6        | https://www.mediafire.com/folder/ortsonf8z1lzc                           | 3333     |
| https://sites.google.com/view/ext25            | https://drive.google.com/file/d/1aneYs85QIlAxbQoe_HIYYxrstBymiOCR/view   | ext25    |
| https://sites.google.com/view/easylauncher1212 | https://www.mediafire.com/folder/736dx5eede9a1                           | 1212     |
| https://sites.google.com/view/exlauncher69     | https://www.mediafire.com/folder/736dx5eede9a1                           | 3333     |
| https://sites.google.com/view/o91              | https://app.mediafire.com/n9r5tg19mzvxb                                  | 2023     |
| https://sites.google.com/view/x91              | https://app.mediafire.com/yg2frc0fae2t6                                  | 2023     |

The Nexol.rar Archive

All downloads contain different archives/executables. For a more detailed analysis, I initially focused on the Nexol.rar archive (SHA256: 9D7CB0796E24D6B4614483D7C28091F5F1D53A28AFB05AF04E1B26DF7C912042) and its contents. All archives are encrypted with a simple password. The password is either listed on the corresponding sites.google.com website or directly in the YouTube description. This prevents hosting services from automatically detecting the file as malware since only an encrypted archive is visible to them.

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d----          16/06/2024    10:19                x64
-a---          01/05/2024    16:39         564480 aah32.dll
-a---          01/05/2024    16:40         157085 inject.dll
-a---          07/03/2025    17:50         374272 Nexol.exe
-a---          11/10/2024    00:33         734674 Quadl.prx
-a---          01/05/2024    16:40         560322 Quadv.dll
-a---          23/12/2024    19:32            242 read me (2525).txt
-a---          01/05/2024    16:40         188160 version.dll
-a---          11/10/2024    00:33         367527 Versll.cfg
-a---          11/10/2024    00:35        1469348 Xeog.ini
-a---          01/05/2024    16:40          88370 Xheu.dll

After successfully extracting the Nexol.rar archive, various (unnecessary) files appear; this serves only to inflate the archive and stuff it with inconspicuous, harmless files. The interesting part for further analysis is the Nexol.exe file, which is the only one recently changed and turns out to be an executable, specifically a compiled C# application.

PE File Analysis Nexol.exe

Using dnSpy64, I was able to inspect the application without executing it. The original filename, Portals.exe, is revealed. The application consists of two classes: Program, which contains the main function, and a Publisher class. After five initial short pauses (likely to evade analysis environments), the program reads all bytes of the executed file and analyzes them. For example, it checks whether the first two bytes match 0x5A4D to confirm the presence of a DOS header and also verifies the 0x4550 signature in the PE header. If these checks fail, execution is aborted.

    // Read the running executable back from disk and validate its PE headers.
    byte[] array = File.ReadAllBytes(Application.ExecutablePath);
    if (BitConverter.ToUInt16(array, 0) != 23117) {      // 23117 == 0x5A4D, the "MZ" DOS signature
        return;
    }
    int num = BitConverter.ToInt32(array, 60);           // e_lfanew: file offset of the PE header
    if (BitConverter.ToUInt32(array, num) != 17744U) {   // 17744 == 0x4550, the "PE\0\0" signature
        return;
    }

The program then iterates through the section headers, searching for one whose name has 'C' and 'S' at positions 1 and 2. A quick check with PE-bear confirms the presence of the CSS section. If the program finds this section, it copies its raw content into the Program.sectionContent variable and sets a flag. Execution continues only if this flag is set.
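To make the header walk concrete, here is an added Python triage script (not code from the original post and not the malware's own code) that parses a PE the same way the loader does: "MZ" at offset 0, e_lfanew at 0x3C, "PE\0\0" at e_lfanew, NumberOfSections at e_lfanew+6, SizeOfOptionalHeader at e_lfanew+20, then 40-byte section headers with SizeOfRawData at +16 and PointerToRawData at +20. It reports every section and pulls out the raw bytes of the first section whose name has "CS" at positions 1 and 2, which is what an analyst would want before attempting to decrypt the blob offline. The sample PE it builds is constructed for the test and is not a real binary; all function names are this example's own.

```python
import struct
import sys

# PE/COFF constants (from the PE specification); the loader compares the
# same values in decimal: 23117 == 0x5A4D ("MZ"), 17744 == 0x4550 ("PE\0\0").
IMAGE_DOS_SIGNATURE = 0x5A4D
IMAGE_NT_SIGNATURE = 0x4550
SECTION_HEADER_SIZE = 40


def parse_sections(data: bytes):
    """Walk the section table like the loader does and return
    (name, virtual_size, size_of_raw_data, pointer_to_raw_data) per section.
    Raises ValueError where the loader would silently abort, and also on
    truncated input, which the loader does not check."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # same field the loader reads at offset 60
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    number_of_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_optional_header = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    first_section = e_lfanew + 24 + size_of_optional_header
    sections = []
    for i in range(number_of_sections):
        off = first_section + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table is truncated")
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        virtual_size, _virtual_address, raw_size, raw_offset = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, virtual_size, raw_size, raw_offset))
    return sections


def is_pe(data: bytes) -> bool:
    """True if both signature checks that gate the loader pass."""
    try:
        parse_sections(data)
        return True
    except ValueError:
        return False


def find_payload_section(data: bytes, marker: str = "CS"):
    """Mirror the loader's lookup (name[1] == 'C' and name[2] == 'S') and
    return (name, raw_bytes) of the first matching section, or None."""
    for name, _vsize, raw_size, raw_offset in parse_sections(data):
        if len(name) >= 3 and name[1:3] == marker:
            if raw_offset + raw_size > len(data):
                raise ValueError(f"section {name} points past end of file")
            return name, data[raw_offset:raw_offset + raw_size]
    return None


def build_sample_pe(payload: bytes, text: bytes = b"\xc3" * 16) -> bytes:
    """Constructed minimal PE image for offline testing (not a real or runnable
    binary): a COFF header with two sections, .text and .CSS, and no optional header."""
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)   # i386, 2 sections, SizeOfOptionalHeader=0
    headers_end = 0x40 + 4 + len(coff) + 2 * SECTION_HEADER_SIZE
    text_offset = headers_end
    css_offset = text_offset + len(text)

    def section_header(name: bytes, raw: bytes, raw_offset: int) -> bytes:
        return name.ljust(8, b"\x00") + struct.pack(
            "<IIIIIIHHI", len(raw), 0x1000, len(raw), raw_offset, 0, 0, 0, 0, 0x60000020)

    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    image = (dos_header + b"PE\x00\x00" + coff
             + section_header(b".text", text, text_offset)
             + section_header(b".CSS", payload, css_offset))
    return image + text + payload


if __name__ == "__main__":
    # Usage: python pe_sections.py <file.exe>  (defaults to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(b"\xde\xad\xbe\xef" * 4)
    for name, vsize, rsize, roff in parse_sections(data):
        print(f"{name:<8} vsize=0x{vsize:x} raw=0x{rsize:x} @0x{roff:x}")
    hit = find_payload_section(data)
    if hit:
        print(f"payload section {hit[0]}: {len(hit[1])} bytes (first 16: {hit[1][:16].hex()})")
```

Running it against a real sample prints the section table, which is the quickest way to spot a section whose name fits the loader's pattern; the extracted bytes are still encrypted, so the next step is to recover the key material from the decompiled ApplySettings call rather than to run anything.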

    // num2 is NumberOfSections. num4 (the file offset of the first 40-byte section
    // header) and flag are not in the decompiler excerpt; they are reconstructed
    // here from the PE layout so the snippet reads as a whole.
    ushort num2 = BitConverter.ToUInt16(array, num + 6);
    int num4 = num + 24 + (int)BitConverter.ToUInt16(array, num + 20);
    bool flag = false;
    for (int j = 0; j < (int)num2; j++) {
        int num5 = num4 + j * 40;
        Console.WriteLine(num5);                         // debug output left in by the author
        string text = Encoding.ASCII.GetString(array, num5, 8).TrimEnd(new char[1]);
        if (text[1] == 'C' && text[2] == 'S') {          // section name with "CS" at positions 1 and 2
            uint num6 = BitConverter.ToUInt32(array, num5 + 20);   // PointerToRawData
            uint num7 = BitConverter.ToUInt32(array, num5 + 16);   // SizeOfRawData
            Program.sectionContent = new byte[num7];
            Array.Copy(array, (long)((ulong)num6), Program.sectionContent, 0L, (long)((ulong)num7));
            flag = true;
            break;
        }
    }
    if (!flag) {
        return;
    }

This is a classic method used to hide the actual functionality of the executable, as it unpacks itself and loads its functionality only at runtime. Afterwards, a new instance of the Publisher class is created. The constructor of the class calls an ApplySettings function from the Program class, passing various variables. This function itself is highly obfuscated and does not directly indicate its functionality. However, data and keys are passed, and the previously populated sectionContent variable is also passed, which suggests decryption of the data read from the section header.

    public Publisher() {
        uint num = 0U;
        try {
            for (int i = 0; i < 1; i++) {
                // Decrypt the embedded data blob and the bytes copied from the "CS" section.
                Program.ApplySettings(Program.inputData, Program.inputData.Length, Program.dataKey, Program.dataKey.Length);
                Program.ApplySettings(Program.sectionContent, Program.sectionContent.Length, Publisher._key, Publisher._key.Length);
            }
        }
        catch (Exception) { }
        // Resolve VirtualProtect at runtime and mark inputData PAGE_EXECUTE_READWRITE (64U == 0x40).
        Marshal.GetDelegateForFunctionPointer<Program.ioAshhuicgyuxzAYt>(Program.GetProcAddress(Program.LoadLibraryA("kernel32.dll"), "VirtualProtect"))(ref Program.inputData[0], Program.inputData.Length, 64U, ref num);
        // Run inputData+392 as a "window procedure", with sectionContent as its argument.
        Program.CallWindowProcA(ref Program.inputData[392], Program.sectionContent, 0, 0, 0);
    }

Next, the VirtualProtect function is resolved from kernel32.dll and called with 64U (0x40, i.e., PAGE_EXECUTE_READWRITE) so that the decrypted Program.inputData buffer becomes executable. CallWindowProcA is then invoked with a pointer into Program.inputData (offset 392) as the window procedure and the decrypted Program.sectionContent as a parameter, so Windows executes the malicious shellcode as if it were a window procedure. This is a known workaround for executing native code from managed code and is frequently used by malware delivered with DarkGate (see, for example, this analysis by @marqufabi from Telekom Security, Shining some light on the DarkGate loader). Nexol.exe is therefore a loader that loads and executes the actual functionality of the malware. For further analysis, this runtime-loaded and unpacked executable can be dumped from memory and the dump examined.

Dump Analysis

After the executed section is dumped from memory, a new executable is available for analysis. However, this is a highly obfuscated binary that contains some strings and IOCs that point towards malware. Additionally, YARA and publicly available rule sets can be used to classify the dump. To illustrate, here is the use of rules from the Elastic Security Protections Artifacts repository.

yara64.exe .\Windows_Trojan_Lumma.yar .\dump.bin --print-meta --print-strings
Windows_Trojan_Lumma_4ad749b0 [author="Elastic Security",id="4ad749b0-e853-468f-b051-210ea24cb632",fingerprint="55fa938331fc42c6cdcb2a048e524c752aed8cfbe9b8128e422e1e92ac04f8c9",creation_date="2024-11-08",last_modified="2024-11-26",threat_name="Windows.Trojan.Lumma",reference_sample="1f953271bc983b3a561b85083bc14a13d18b81a34855d0a6d9fe902934347f92",severity =100,arch_context="x86",scan_context="file, memory",license="Elastic License v2",os="windows"] .\dump.bin
0xb7e0:$a: 55 89 E5 83 E4 F8 83 EC 10 DD 45 08 DD 54 24 08 8B 4C 24 0C 89 CA C1 EA 14 81 E2 FF 07 00 00 81 FA FF 07 00 00 74 25 66 B8 FF FF 85 D2 75 31 DD 1C 24 B8 FF FF FF 7F 23 44 24 04 31 C9 0B 04 24

This rule set identifies the sample as likely being the Lumma Stealer, which is further corroborated by the use of the astralconnec[.]icu domain. This domain, presumably one of the C2 addresses, can be extracted from the dump and has also been associated with Lumma in numerous other reports.
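The YARA hit is one classification signal; the other, as the post notes, is string evidence pulled from the dump. The following added Python script (this write-up's own example, not the post's tooling) does that first pass offline: it extracts printable ASCII and UTF-16LE runs, pulls domain candidates out of them, drops obvious Windows noise via an assumed allow-list, defangs the survivors the way the post writes astralconnec[.]icu, and reports whether the two API names from the loader stage (VirtualProtect, CallWindowProcA) appear as plain strings. The dump it runs on by default is constructed and contains only the domain already named above.

```python
import re

# Constructed sample "dump" (not the real Nexol dump): ASCII and UTF-16LE
# strings between binary noise. The domain is the one named in this write-up.
SAMPLE_DUMP = (
    b"\x00\x90\xcc\x00\x8b" * 4
    + b"https://astralconnec.icu/api\x00\x00"
    + "kernel32.dll".encode("utf-16-le") + b"\x00\x00"
    + "update.microsoft.com".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfeVirtualProtect\x00CallWindowProcA\x00"
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]{1,63}\.)+[a-z]{2,24}\b", re.I)
# Suffixes that are almost always noise in a Windows process dump (assumed allow-list;
# module names match the domain regex and must be filtered out).
NOISE_SUFFIXES = (".dll", ".exe", ".microsoft.com", ".windows.com")
# API names that belong to the loader technique seen in the Publisher constructor.
LOADER_APIS = (b"VirtualProtect", b"CallWindowProcA")


def extract_strings(data: bytes):
    """Printable ASCII runs followed by UTF-16LE runs (6+ chars), decoded to str."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return found


def extract_domains(data: bytes):
    """Sorted, de-duplicated domain candidates with obvious noise removed."""
    domains = set()
    for s in extract_strings(data):
        for d in DOMAIN_RE.findall(s):
            d = d.lower()
            if not d.endswith(NOISE_SUFFIXES):
                domains.add(d)
    return sorted(domains)


def defang(indicator: str) -> str:
    """Write a domain the way the post does (astralconnec[.]icu) so it is not clickable."""
    return indicator.replace(".", "[.]")


def loader_api_markers(data: bytes):
    """Which of the loader's API names occur as plain ASCII strings in the dump."""
    return sorted(api.decode() for api in LOADER_APIS if api in data)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for d in extract_domains(data):
        print("domain:", defang(d))
    print("loader APIs:", ", ".join(loader_api_markers(data)) or "none")
```

On a real dump the domain list will be longer and noisier, so the allow-list is where an analyst spends their time; anything left over is checked against threat-intel reports before being treated as C2, exactly as the post does for the domain above.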